In a previous article, we mentioned how technologies alone are not enough to combat cybersecurity threats and how companies are turning to ethical hackers to solve their security issues.
Such an approach exemplifies the concept of a bug bounty, wherein an organisation runs a program that rewards hackers for reporting bugs or security issues in its systems. These “bugs” cover many things: a vulnerability in a website, firmware, software, an application or a service, to name a few.
At present, a growing number of organisations run their own programs for hackers to find vulnerabilities, including global giants such as Uber, PayPal, Facebook and Apple.
But what do hackers themselves think of such programs?
At HackerOne's recent global Security@ conference, we got the rare chance to “Meet the Hackers”, who shared their experiences and insights regarding bug bounty programs and ethical hacking in general.
Discussing whether there has been a shift in the attack surface due to businesses accelerating their digital transformation initiatives this year, Shubham Shah (@notnaffy) stated that while there have been a lot of changes, it’s not something out of the ordinary compared to previous years. “It’s really hard to ascertain if this year in particular or the pandemic has a lot of contributions to the new security vulnerabilities”, he added.
For filedescriptor, “It’s hard for me to think about it as well, all the programs I’ve hacked don’t really change. But I think digital transformation has also had an impact, like for example Zoom, as many are using it, the bug bounty programs are improved as there is an increase in information being stored”.
Nathaniel "naffy" Wakelam concurred with his hacker counterparts, saying that it’s hard to perceive just how much of a change there is because there are always new things happening and things that are actively being developed, built and pushed out. “But I think it makes logical sense that as organisations move to remote work, there’s going to be new issues that will emerge because obviously people are going to be doing things differently”, added Nathaniel.
On whether companies should adopt bug bounty or not, Nathaniel said it is extremely important for companies to have a really deep understanding about all their assets and attack surface – especially with the constant changes they are faced with these days.
“You need to have a good understanding of everything before you start having a bug bounty program. In addition, you need to have automated processes, because the last thing you want to do is start a bug bounty program and pay for bugs that could have been easily picked up by automation or by some tools that can scan that, which needs a better understanding of your assets to start off with”, explained Nathaniel.
During the conference, hackers shared tips and suggestions on how those in the hacking community can improve their hacking powers as well as the different sources where they can get the latest information about vulnerabilities and disclosure reports.
According to Jesse Kinser, the HackerOne platform is a great place to start, as there’s a whole page of recent publicly disclosed reports. The platform also shares guides, case studies, webinars and other valuable information for those who wish to venture further into the bug bounty space. She added that “Twitter is also amazing, just follow a bunch of people in the industry and they would do blog posts and write-ups all the time about the current vulnerabilities they have found”.
Allyson O'Malley advised hacking enthusiasts that studying computer science can be incredibly valuable, as it teaches how the actual computing structure and software really work. However, that knowledge doesn’t necessarily have to come from formal education. “I do think having that understanding about how things are built really helps you on the other side when you’re hacking. Have hands-on experience, sign up on HackerOne or any public programs. You won’t run out of learning pretty much”, she said.
Last but not least, Katie Paxton-Fear commented that developers should get in on the act as well. “I think one of the best ways to engage developers in the bug bounty process is just by getting them hacking. They are experts in what they’re making, so teach them how to hack. Get them hands-on experience, look at the technologies that hackers use and just understand what hacking looks like from the attacker perspective”.
If you missed this year's Security@, fret not. HackerOne has summarised all the highlights of the event in an illustration! Click here to access a full recap in art form.