How HackerOne Positively Influences Zebra’s Software Development Life Cycle
Dr. Jasyn Voshell, Director for Product and Solution Security at Zebra Technologies, is a power user of HackerOne, with a Vulnerability Disclosure Program (VDP), bug bounty program, and his team regularly running pentests with hackers. Zebra builds data capture and automatic identification solutions to provide businesses with operational visibility and product security as a top priority to do business with enterprise-level customers. Last week we sat down with Jasyn during a one-hour webinar to ask him for his advice on best practices for using hacker-powered security to test security across the Software Development Life Cycle (SDLC). Here’s what Jasyn shared with us and a live audience and what the audience shared with us about their security testing challenges.
HackerOne’s Platform Catches Everything
Organizations can ensure that security testing is a continuous process by combining regular pentests with bug bounty and VDPs. Some companies start with one of these types of tests and find that they need more coverage. Jasyn explains how, like many organizations, Zebra started with semi-regular pentests that failed to satisfy.
“Our traditional pentest reports never gave the full story. Hacker-powered pentests give full visibility into findings in real-time, allowing us to pivot to fixing and retesting while the pentest is still running. The end result is that we have more trust in the final report and can plan to direct efforts immediately to any weak spots.”[1]
We asked our audience about their biggest challenges when it comes to traditional penetration testing. Disappointment in the final report came out as the top concern.
Vendor scheduling delays and resource constraints lead to project launch delays | 9% |
Lack of visibility into the testing process and waiting until the final report to get results | 9% |
Not getting the impact and results you’d expect from an engagement | 64% |
Working with outdated tools that make it difficult to send results to the right internal teams | 18% |
Figure 1: Results of a webinar audience poll that asked about their pentesting challenges
Jasyn went on to clarify how hacker-powered pentests are just the start of an effective and transparent security testing strategy:
“Once out of the door, the pentested product becomes part of the bug bounty program so, if any new bugs appear, we can catch them quickly, but we’re not paying for things we already know that surfaced in the pentest, avoiding duplication of efforts. We reduce the risk of missing anything by casting a wide net with the VDP, where anyone can report an issue.”[2]
Security And Development Teams Collaborate To Shift Security Left
Jasyn gave his advice for security teams struggling to get leadership to accept hacker-powered solutions. It’s all about getting security and development teams to work together for better results to demonstrate an organizational commitment to reducing vulnerabilities earlier in the development process.
“There was nervousness within the organization when we first introduced the concept of using hackers to test our systems, but the security team couldn’t keep up with the product development cycle without slowing down production. When hackers started finding critical vulnerabilities that scanners and tools could never have caught, that’s when we saw full buy-in for the programs across the organization. I’d love them to find nothing—and pay nothing! But, mistakes happen, and the bug bounty helps us spot those mistakes.”[3]
Effective Measurement Is Key To Improvement
We polled the audience on what they think is the most important metric to measure and improve security in their organization.
Reducing time to detect and remediate vulnerabilities | 54% |
Reducing tooling and vendor costs | 15% |
Reducing internal security talent costs | 0% |
Reducing time to market new products | 0% |
Reducing the number of high and critical vulnerabilities | 31% |
Figure 2: Results of an audience poll asking how they measured the success of their security programs
The poll majority said reducing the time to detect and remediate, but Jasyn believes this is secondary to reducing the number of high and critical vulnerabilities. A quarter-over-quarter reduction in vulnerabilities demonstrates the partnership effectiveness between security and development teams. Sharing those results builds trust with the board and customers and demonstrates that the security strategy is resilient. Jasyn shared his approach:
“The board needs to know the product risk. Giving visibility into what we’re doing to both the board and customers shows how our developers drive the number of vulnerabilities down. Our priority is to reduce the number of critical/high defects per 100 quarter over quarter, and then we measure time-to-remediate. Our goal is to have zero critical and high vulnerabilities. We work with developers to figure out how we can stop vulnerabilities and rely on the bug bounty program to help identify the root course, such as a vendor or code error.”
Build Customer Trust with Security Transparency
Many customers look to vendors for proof of up-to-date security as part of their agreements. Regular security testing is a way to demonstrate the highest levels of data and network safety and builds trust and loyalty, leading to more referrals and more business. Jasyn told us about building a stronger relationship with a major retail customer through a shared fascination of bug bounty findings:
“As part of our contract, a major German retail customer asks for three pentest reports a year, and they are very tough on us if a critical vulnerability is surfaced. Last year, we explained what we were doing with bug bounty in terms of providing that layer of continuous security. That got them interested and, the next time we met with them, they were less focused on the pentest report and instead wanted to hear about what was found through the bug bounty program that other tools had missed. Being able to talk about these programs transparently helps drive value with customers, who can see how committed we are to protecting their products.”
To hear more from Jasyn about how Zebra has built a security strategy that partners with developers, satisfies the board, and engages customers, watch the full conversation here.
The 8th Annual Hacker-Powered Security Report