When I arrive at the anonymous south London building that houses the offices of bug bounty programme operator HackerOne, the front desk is unmanned and there is a little sign that says, “Back In Five Minutes”. My head is filled with visions of hopping the barriers right now and pwning the pen testers.

Unlike me, the man I am here to meet, Shlomie Liberow, has made a career out of hacking things, but he started out as a developer with a computer science degree – mostly because he wanted to know how to make things before he got to break into them.

“I worked for BAE Systems, as a developer at first, to get a feel for how corporations build things. I was working security as a sideline, in terms of research. I did a lot of reading, listened to a lot of podcasts. And then I started doing a bit of bug bounty hunting,” he says. “I submitted my first bug about four years ago, to Dropbox. It was a duplicate.”

Liberow took his first official steps into the world of cyber security as a consultant and ended up working with high-net-worth individuals, a proactive role that saw him provide cyber security training and conduct pen testing exercises such as phishing simulations.

Now, as HackerOne technical programme manager, Liberow spends his working life helping organisations develop bug bounty programmes (BBPs), from inception through development to launch and operation, covering programme design, training, structure and so on. He still gets to break things, albeit on his own time to avoid a conflict of interest.

How bug bounties work

So what is HackerOne, and what is a BBP? At its core, Liberow describes it as a concept that complements existing cyber security processes and procedures.

“The idea behind HackerOne is that every mature company has some sort of security team, but regardless of how talented it is or how big it is, there will always be areas it can’t necessarily cover simply because it lacks resources, or because it lacks knowledge,” he says.

“It’s practically impossible to cover all your bases, so our model is to say, ‘Whilst you do all those security processes, we’ll open it up to anybody who wants to attempt to find bugs and vulnerabilities in a safe and rule-based manner’.”


Through partnering with the hacker community – HackerOne has approximately 500,000 hackers on its books – organisations can draw on ethical security researchers who are trusted and well-intentioned, and who may bring a different approach because of their specific interests and areas of expertise, which are not necessarily public or widely available.

“You get to use their experience and their approach to find bugs in your company and make yourself more secure. The cool thing about it is that you get to use those 500,000 hackers without cost until they find a bug,” says Liberow. “Worst-case scenario – you have lots of eyes on you, but nothing’s found, so no harm done.”

From private to public

For HackerOne, there is no such thing as an average client. Liberow brackets them by maturity, by what infrastructure they have, by how exposed they may be, by how much risk they face, and by how much risk they want to take on.

It is by assessing these factors that he builds models that let him understand how best to tailor a BBP to the client’s unique needs.

“There’s no value in them getting 100 bugs in the first month but having no way to fix them, so I want to work in tandem with their security team to figure out what they’re capable of handling, what they’re interested in having tested, and where they think their weaknesses are,” he says.

Initially, clients will be exposed to various groups of hackers depending on how HackerOne has categorised them. Clients in very high-risk buckets or sensitive industries such as defence will only be targeted by extensively vetted hackers certified on the HackerOne Clear programme, an elite group of about 500 individuals.

Clear hackers don’t just receive a thorough background check, they must also be of a certain calibre in terms of ability and reputation on the HackerOne platform, based on metrics such as how impactful their bug reports are, how many valid bugs they’ve found, and so on.

“Generally, those hackers are more high end, more knowledgeable, more experienced and also more interested,” says Liberow.

For other clients, the process is more about matching them to hackers with the right skills, such as expertise in cracking different systems or coding languages.

From there, the BBP will be gradually extended in scope, bringing in more hackers as appropriate, as the client grows in confidence and becomes more willing to open other parts of its infrastructure for testing.

“You start small and then scale as they get more comfortable with the process and as the hackers get more comfortable with the scope of the project. The long-term goal is to go public, where anybody who finds a bug in your company has an avenue to tell you about it,” says Liberow.

“When you go public that can sometimes be a bit of a shock, just because it sometimes triggers a lot of extra attention. So we tend to be quite conservative in how fast we bring a company to a public state.”

For those that are leery of going totally public, HackerOne also runs vulnerability disclosure programmes (VDPs). The key difference between a BBP and a VDP is that clients running the latter typically don’t offer a monetary reward, merely a way for hackers to responsibly disclose vulnerabilities without getting in trouble or wasting time trying to find the right contact. Many clients find a VDP is a little less pressured than a full public BBP.

“I found one last night,” says Liberow. “It was a critical bug, and typically, five to 10 years ago I wouldn’t have known who to talk to or if I would get in trouble. I wasn’t even looking for it, I was doing some research and happened to find this system, but through a VDP I was able to send a message about it.”

“A good example is the NCSC [National Cyber Security Centre]. If you discover an issue in any UK government infrastructure, you can send a report through the NCSC. Typically government can be quite intimidating – who wants to send a message to a government institution and say, ‘Hey, look, there’s a bug!’?”

He continues: “I actually submitted to the NCSC this morning as well, and the response came in under 90 seconds. That’s phenomenal timing in comparison to before. I once sent a message to a UK government institution and I messaged them on Twitter – they asked me to send them a letter in the post with the bug. They wanted me to actually write a letter, I guess, with the code in it, and post it to them. Which, of course, I never did.”

Security without shame

Opening up your organisation to a VDP or BBP can be a daunting step for many. It’s easy to see why security teams and CISOs might feel threatened by the idea of inviting hackers to probe their defences.

Fears over what hackers might find and what that might mean for the organisation or your job are perfectly justifiable, says Liberow, so it’s important that alongside VDPs and BBPs, clients try to change their mindsets, and think about security without attaching shame or stigma to it.

Yes, incidents are inevitably going to happen, he says, and that’s not acceptable, but it is perfectly understandable, and it’s not worth trying to apportion blame for them.

“Initially you have to be quite brave, and be quite confident to say, ‘We’re comfortable enough to say you’ve found this bug and this is what the cause of it was, this is what you’ve done to fix it’,” he says.

“It can take time to get security teams comfortable, but it’s down to the organisation they work in to allow them that comfort and say, ‘We appreciate that you’re great at your jobs, you know what you’re doing, however, it’s impossible to do everything all the time’. That way, when a bug is found, they don’t look down to security and say, ‘Hey, why did that happen?’.”

Many of HackerOne’s clients have, over time, got much more comfortable with the process, and become more open and public about the bugs the hackers uncover because they’ve learned not to be shamed by it.


“Bugs are always going to be found because of how much organisations are doing every day, how many services they have and systems and infrastructure. The more that technology leaders are comfortable to say they’re perfectly happy and open to publicising bugs, the less shame and stigma there is in it,” says Liberow.

To help with this, HackerOne does its best to make sure it never goes over the heads of client security teams.

“It’s important to make sure it’s not seen as the security team competing with us,” says Liberow. “They are the ones helping us run the programme, they’re going to give us as much information as possible because it comes down to an appreciation that they’re not going to know everything – no one does, even our best hackers don’t.

“A lot of this is just down to appreciating that hackers are extremely creative, and the best you can do is take that, fix the immediate problem and try to think, in the future, where else might something come up? And what can I do today to ensure it doesn’t?”

Ultimately, says Liberow, a VDP or BBP helps an organisation take control of the messaging around its security posture.

“Companies are being forced into this space more and more against their will because they’re found vulnerable by a malicious hacker, and that’s exploited whether they like it or not, so then they have their brand identity associated with a leak or hack. We would rather they took control of the message.

“And if something like that does happen, but they’ve been running a bug bounty programme, it demonstrates to a customer that they care about security – they may not have found the vulnerability but they do have the processes in place.

“If I’m signing up for a product in a personal capacity, and the company has a bug bounty programme and they’ve released X reports, it doesn’t really put me off,” he concludes.
