Authored by: Luke Tucker, Senior Director of the Global Hacker Community at HackerOne
When we think of cybersecurity today, some of the immediate buzzwords that come to mind are automation, machine learning (ML) and technological solutions. Over the years, they have been widely discussed and adopted in the tech and security industry. Many businesses have already incorporated automation into their products and services and are working towards incorporating AI as well. These technologies are evident on our smartphones, social media platforms, smart IoT devices, and even music subscriptions. Companies have also introduced automated pipelines and the use of machine learning (ML) in their security software to safeguard their assets.
Looking at how things are moving, these elements are surely here to stay. They help businesses optimise their processes, automate operations, and independently scan and flag potential threats in their security systems, thereby saving time, increasing productivity, and reducing hiring costs. The benefits are plenty, especially in security, where identifying and eliminating cyber threats quickly is critical. However, there are some things that machines and technology cannot replace: the intrinsic characteristics of the human mind, the hacker advantage.
Is AI a Security Panacea?
Cybersecurity educator and hacker Katie Paxton-Fear (@InsiderPhD) observes: “We are seeing a trend towards automation and people building up these automated pipelines, and that might be considered simple AI, but fundamentally, you can never replace that human creativity. You still need a human at the end of the pipeline to decide whether something’s worth investigating or not.”
Human Intelligence vs Artificial Intelligence
Software development lifecycles are increasingly continuous. In today’s fast-paced world, fuelled by digital transformation and the rapid growth of attack surfaces, the amount of information and data security teams must go through is massive. As companies work overtime to push code, criminals work overtime to find ways to break in. Every day, researchers come across new variations of malware, new cyber attacks and new security incidents. It can often feel impossible to scale security with product development. Innovation is outpacing traditional security measures, and it will take a unique combination of human and machine for security to keep pace.
Automation can handle the volume of data and catches security-related defects quickly throughout the software development lifecycle. It can quickly identify the vulnerabilities it recognises, and learn patterns and trends over time. However, machines often miss rare, deep-rooted problems, such as multi-stage vulnerabilities or complicated issues like Insecure Direct Object References (IDOR). Cyber threats are constantly evolving, and AI needs time to relearn and retrain to keep up with the evolution of attacks. Moreover, the technology is still relatively new, and known to be plagued with false positives. In addition, AI can also be exploited by cyber-criminals to spread malware, effectively crippling your security.
That is where HackerOne comes in, to enhance the machine model with human ingenuity. To uncover the undetected, you have to enlist the human creativity that hackers naturally possess. To do it at the speed of modern DevOps, you need to deploy this human creativity at a scale you won't find anywhere else. We often note that cyber threats and risks are growing faster than ever before: faster than our budgets, faster than our resources. But one thing is growing faster than all of this: the community of ethical hackers.
And that is why the future of cybersecurity lies in human intelligence.
According to the 4th Annual Hacker-Powered Security Report recently published by HackerOne, ethical hackers find a software vulnerability every 2.5 minutes. In 77% of cases, public bug bounty programs receive their first vulnerability report within the first 24 hours. For the U.S. Army, it took only 5 minutes. That is the speed of hackers and the power of crowdsourced security.
Hackers represent a global force for good, coming together to help address the growing security needs of our increasingly interconnected society. The community welcomes all who enjoy the intellectual challenge of creatively overcoming limitations. Some hackers are security engineers and consultants themselves, looking to sharpen their skills. Hacking part-time has helped them in their day jobs, as they learn how to think like a hacker. The additional skill set also adds value to their resumes, increasing their value to their company and making them more hireable.
The Power of Hackers
In an era of increasing uncertainty and unprecedented challenges, more security leaders are partnering with hackers to make the internet a safer place. CISOs are augmenting their security frameworks with hackers’ human creativity and always-on security efforts. In fact, HackerOne recorded tremendous year-on-year program growth in 2020 compared to the previous year. Results showed Asia Pacific (APAC) adding 93% more programs and Latin and South America (LATAM) adding 29%.
Hacker-powered security has become a best practice for many organisations, embraced by risk-conscious entities like the U.S. Department of Defense and Goldman Sachs. It is now recognised as a critical part of any mature security strategy. These hackers come from diverse backgrounds and possess deep knowledge, bringing a myriad of skill sets and unique perspectives to counter cyber threats and protect your assets. Just imagine the sheer number of talented eyes keeping you safe!
Today’s challenges demand scalability, creativity, and adaptability on an unprecedented scale, and hackers are prepared to meet those demands. With hacker-powered security, organisations are able to tap the global hacker community to have as many eyes on their assets as possible, which also gives security teams visibility into their blind spots. Security vulnerabilities are a fact of life. You can’t opt out. You can’t ask criminals not to attack you. However, you can ask hackers to help. While AI and automation can handle the grunt work, organisations still need skilled human eyes to see the problems and solutions that computers can’t. And the earlier in the process you have hackers engaged, the better off you will be.