A poll of CISOs about trusting bug bounty programs has revealed what makes them uneasy about hacker-powered security.
Picture a hacker in a dark room wearing a hoodie and tapping away at the keyboard, siphoning funds and creating hysteria and misery.
It is not the darkness that we fear, it is what’s in the dark. We fear what we cannot see. With the negative stigma that has historically surrounded the term ‘hacker’, it is easy to see why some organizations are concerned when it comes to adopting hacker-powered security.
The good news is that the perception of the term ‘hacker’ has been changing, especially in recent years, with the rise of bug bounty programs and ethical hacking. Some of the best hackers today are security engineers and professionals in the InfoSec industry who are also hacking for good in their free time so that companies can improve their security posture.
This incredibly talented community stands ready to serve the security teams in modern organizations. What started in the darkest underbelly of the internet has turned into a force for good, first as a respectable hobby and as something that talented people could do on the side. But now it is so much more than that—it is a professional calling. Hackers, pen-testers and security researchers are trusted and respected, and they provide a valuable service for us all.
In a poll conducted by HackerOne, we asked CISOs to share the top three challenges they face when it comes to adopting hacker-powered security. Their top concerns are highlighted as follows.
1. Lack of resources
Specifically, there are not enough resources to find vulnerabilities before the bad guys do and to protect their brand:
- 83% of CISOs saw security vulnerabilities as a significant threat to their organization.
- 45% of CISOs admitted pen-testing did not provide sufficient results to keep up with the pace of development. Only 12% believed that pen-testing was sufficient.
- 64% of CISOs said that the pace of development in their organization outstripped the security team’s resources. This number was expected to grow, especially if Agile and DevOps practices continued to be implemented without corresponding changes to security practices.
- There is a limit to how many security professionals an organization can hire onto the team. However, when you harness the power of the hacker community, it immediately brings more eyes to your assets. Every five minutes, a hacker reports a vulnerability on the HackerOne platform. In 77% of our programs, hackers find the first vulnerability less than 24 hours after the initial launch.
- Implementing hacker-powered security saved some companies an average of almost US$400,000 over a period of 3 years by reducing internal security and application development efforts. A big reason for this is that bug bounty programs take a pay-for-results approach instead of a pay-for-effort model. In this way, efforts are not duplicated just for the sake of compliance reporting.
2. Lack of trust
- CISOs and IT professionals have a harder time trusting remote hackers than the pen-testers they hire to work on-site in their office.
- 57% of CISOs would rather accept the risks of security vulnerabilities than invite unknown hackers to fix them.
- Only 26% of CISOs were willing to accept bug submissions from the entire hacking community.
- 54% of CISOs would not be comfortable accepting bug submissions from hackers with a criminal past.
- Again, the origin of this fear is the unknown. If you receive a vulnerability report today through email, LinkedIn or Twitter, you may wonder: who is the sender? It is just an email address, usually associated with a Gmail account. Maybe the English is not perfect. Then you wonder, how seriously should I take this?
- Hacker-powered security connects organizations with ethical hackers looking to hack for good. In fact, 28% of hackers on HackerOne’s platform said that their main motivation in hacking is to do good in the world. It is not all about the money, although that sure does help. Hackers have helped to resolve over 150,000 vulnerabilities, and 79% of programs are private bug bounty programs that allow organizations to tightly control which hackers they invite to participate.
- Even though the perception is different, many bug bounty hackers are security consultants by day, and may very well be the same person on the other side of the connection. We all know that putting a property on the internet will result in thousands of attacks, regardless of whether a bug bounty program is inviting them or not. Daily reports of data breaches and exploited vulnerabilities are not uncommon in the news.
- Hacktivity feeds let you see hacker profiles. You can see who else they worked for, the bugs that they have submitted to date (if public), feedback from existing customers, and even their individual hacker performance stats.
- The bottom line is that vulnerabilities exist and hackers are looking for them anyway, so it is better to harness the power of white hat hackers before the bad actors exploit them.
3. Stifled innovation
- Another top concern of CISOs is that organizations are slowing down the flow of work instead of removing obstacles and adapting to the modern software development life cycle (SDLC). Security teams are worried about introducing new vulnerabilities and increasing their risk, with the result that innovation is stifled.
- Security disrupts the flow; it provides negative feedback and it never seems to learn. We see new bugs all the time, and the rate is only increasing as more organizations move to agile software development and DevOps.
- 86% of CISOs said software projects were stifled due to fears of inevitable security issues.
- 48% of CISOs said their organization spent too much time fixing security issues in code. If security issues are found sooner in the development life cycle, they take less time to fix.
- This is where having a bug bounty program helps. Such programs fit security into innovation; it is a growth mindset. Data from bug bounty programs can help organizations identify the problems and understand how to secure and future-proof digital assets further down the line.
- With bug bounties, testing is continuous, ongoing and mirrors the SDLC. Data from bug bounty programs can help aid innovation, speed up processes, and give development teams a better handle on what vulnerabilities are likely to be introduced, thereby speeding up successful delivery rather than slowing it down.
To summarize, hacker-powered security enables continuous testing while keeping pace with continuous development in a cost-efficient way.
Hackers can find vulnerabilities before the bad guys do, and this can protect your brand. The sooner vulnerabilities are found, the easier they are to fix. There is no faster way to find vulnerabilities than working with ethical hackers.