By: Rena Chua, Bug Bounty Advisor at HackerOne
Security teams are challenged by the radical shifts in software development, from the fast pace and frequent releases to new languages and modern models. In that whirlwind, CISOs still have to keep both users’ and employees’ data secure without slowing down the process.
This article will cover three ways hacker-powered security helps the CISO become more agile.
#1 - Hacker-Powered Security Scales With Your Business
Hacker-powered security is flexible enough to adapt to any software development model, and even any business model. It’s already in use by thousands of companies, from small startups to Fortune 500 corporations. And it works just as well for those dealing with regulatory, industry, or other constraints.
As your business grows, hacker-powered security grows with you. For those just starting to build a security apparatus, it’s easy to begin with a vulnerability disclosure policy and a “security@” email address. These programs can be integrated into even small security teams and help introduce hacker-powered security into your current security and development processes.
When you’re ready, you can use hacker-powered security to run short-term bug bounty programs, target specific scopes, or run continuous programs across all of your technology. And you always retain the control to scale up or down as your needs change. For example, you can start by opening one application to a private, invitation-only bug bounty program to get more comfortable with triaging incoming vulnerability reports, communicating with hackers, and resolving issues with your developers. Then you can add more applications, open your program to more hackers, and expand your scope over time.
Eventually, you’ll have the ability to continuously test all of your critical applications with the most diverse and talented group of security researchers on the planet.
#2 - Hacker-Powered Security is Customised to Fit Your Needs
Every business has different requirements. Hacker-powered security is flexible enough to provide effective testing in any industry, for organisations of any size, and for CISOs with unique needs. It’s already being used by organisations as diverse as Starbucks, Lufthansa, Goldman Sachs, Uber, Spotify, General Motors, Zomato, Toyota, LINE, the U.S. Department of Defense, MINDEF Singapore, GovTech Singapore, and thousands more.
Hacker-powered security can be completely tailored to any organisation’s unique requirements.
A time-bound bug bounty program can be used to accomplish pinpoint security testing objectives using the diverse hacker community in an incentive-driven model. This crowdsourced penetration testing is helpful when you don’t need a full bug bounty program, when you need to meet PCI DSS and SOC 2 Type II compliance requirements, and when you want to target a specific scope with only those hackers who have a specific skill set.
These tests not only help you maintain compliance while increasing security, they can save you money. A recent report by Forrester Consulting suggests that a company switching to hacker-powered security programs for pen-testing stands to save nearly USD 300,000 in net present value over three years.
In addition, you can further customise hacker-powered security with background checks and other controls to meet the rigorous standards of highly regulated companies. You can choose to use only vetted hackers, have testing conducted through VPNs, and add custom agreements, giving you complete control over your program.
#3 - Hacker-Powered Security Can Be Built Into Every Stage of the SDLC
Building security into your software development lifecycle (SDLC) without slowing down development is a challenge, but hacker-powered security can help. Its flexibility makes it compatible with every stage of the SDLC.
When hacker-powered security is applied after code is released, the resulting bug reports can help developers think about security during the development process. That leads to a more security-aware engineering team that can work to close gaps before new code is released. Bug reports can easily be integrated into the tools your developers already use. Apps like Jira, Assembla, Bugzilla, MantisBT, GitLab, and GitHub are common across the SDLC.
Incoming reports from the hacker community can inform developers without any changes to their current workflow. Hacker-powered security can also integrate with Slack and other productivity tools to keep teams collaborating and communicating as they’re working to fix bugs and close security gaps. If you’re looking to reduce risk while keeping up with the speed of your developers and release cycles, then hacker-powered security fits right in.
A hacker-powered security program can be as big and public or small and private as you need — or anywhere in between. Starting with a vulnerability disclosure program lets you see the value without overwhelming your security or development teams. Moving to a private bug bounty program and using hacker-powered pen tests lets you control the hacker resources until you’re used to the workflow. Then you can take it public when you’re ready to open your scope to truly continuous security coverage.