Monday, September 25, 2017

The voice of experience

"The trend is turning and we are heading towards better days." When these words come out of the mouth of someone like Mårten, the light shines through the clouds. Mårten Mickos is the current CEO of HackerOne, a security vulnerability coordination and bug bounty platform.

Mårten's career has taken him through several stages: software production, information encryption, and the globalization of the Internet. That background gives his words weight. On the real situation he is clear: "The state of security in online applications and products is miserable." Rather than a pessimistic outlook, this is a fact that drives him to carry on in the business.

He currently works for HackerOne, one of the leading companies in the cybersecurity sector. His first intention was not to work on security: "I had an outdated prejudice that it’s an industry of pessimists who rely on ambulance-chasing and fear-based selling." His point of view changed when he started working at HackerOne.

He discovered that whereas old security companies are built on secrecy, hacker-powered security is built on openness and collaboration, and he is clear that this model will soon become indispensable for anyone who develops software. Beyond his wholehearted support for the sector, he is able to convince anyone who does not yet rely on bug bounty programs: "Bug bounty programs' platforms only hire those who are looking for bugs for the good of the company."

Despite the darkness of the situation, Mårten is clear: "I have never seen a white-hat hacker moving to the dark side. We have not seen that happen. It could perhaps be argued that a zero-day (if you find one) or exploit is worth so much in the black market that a bounty hunter could be tempted into selling it there rather than getting a bounty from the owner of the system or product. I think the main reason is that the skill to find zero-days only comes over several years, and once you have several years of experience, you also have a professional profile that’s tied to your past accomplishments. You have accomplished so much, and often earned so much as a defender, that it does not make sense to risk it all."

He is aware that although the vulnerabilities we face today will disappear in the future, new ones will appear. It's an innovative way of looking at the cybersecurity market: "It’s an arms race. Actually, I think that software security always was and is an arms race. You can never be perfect, but you must every day be better than the day before, and you must try to be as fast or faster than the adversaries. When you do that, you can reach a state of high security."

For companies looking to improve their success with bug bounty programs, he doesn't recommend starting with such programs. "I recommend starting with a vulnerability disclosure program (where vulnerability reports are received but there is no financial reward) or a crowdsourced pentest. These two forms of hacker-powered security will allow you to get going without getting overwhelmed."

For any company or organization that’s looking at hacker-powered security, top management and those engaged in risk management need to give their blessing to make the program a part of the company's overall risk management. "Second, you need to be convinced by software engineers to fix these vulnerabilities." Another detail he points out is the importance of a good relationship between developers and the security department. “We see companies with 20-40 times more software engineers than security engineers. Sometimes the security team is not large enough to handle everything themselves.”

Bug bounty programs are just part of this complex cybersecurity framework. Companies also need solutions to get started and to stay safe once these vulnerabilities are found. It's a joy to read the enthusiasm and motivation of people like Mårten Mickos. It is thanks to people like him that, despite the bad news and the daily attacks, we are clear that unity is strength.


