Many of the most massive data breaches in recent memory were caused by software vulnerabilities. Many companies have internal processes in place to search for and resolve vulnerabilities, but too often, that's not enough.
Most software engineers are trained to develop a process to go from point A to point B. They often test only for security vulnerabilities or disruption of their processes, missing vulnerabilities that fall outside of the most direct data paths.
It needn't be this way. There's a whole ecosystem of hackers out there who want to mitigate the problem of data breaches that can result from all kinds of vulnerabilities.
These hackers are also known as "security experts" and "white-hat hackers." They're the good guys: young, talented, motivated hackers who can find weaknesses within systems so that they can be resolved before the bad guys can exploit them. They’re a fresh set of eyes on systems and often find complex security flaws missed via routine methods.
That’s why hacker-powered security is so valuable to companies that leverage it. What's more, internal security teams can learn from hackers. Hackers can help internal teams see larger trends, better identify risks, spot where changes can be made during development to boost security, and prioritize which vulnerabilities should be addressed first.
Unfortunately, hackers often—and unfairly—get a bad rap. Here's how and why you need to embrace hackers to protect data and boost your security game.
Understand the hacker
The Cambridge Dictionary defines a hacker as "a person who is skilled in the use of computer systems, often one who illegally obtains access to private computer systems." While there are bad actors in every profession, most hackers are the good guys and have the best intentions. They don’t do what they do out of ill intent—they’re creative problem solvers. In fact, a recent survey by Infosecurity Europe found that 70% of IT professionals believe that the Cambridge Dictionary should remove the word illegally from its definition.
But despite the obstacles, hackers are making tremendous contributions to data security. In the last year, the number of vulnerabilities related to insecure storage of sensitive information that were reported increased 38 times from the year before, according to "The Hacker-Powered Security Report 2018." There was also a 22% jump in reported high or critical severity vulnerabilities, according to the same survey.
Bug bounties on the rise
It’s only natural that the number of organizations adopting bug bounty programs and partnering with hackers has similarly increased to combat these threats. The government is leading the way in adopting vulnerability programs (look no further than the U.S. Department of Defense, a paragon in the cybersecurity world), and brands such as Toyota, Nintendo, and General Motors are also running successful programs.
Take for example the work hackers have done with the Department of Defense (DoD). The Pentagon has received more than 5,000 reports since implementing its Vulnerability Disclosure Program (VDP) in 2016, and HackerOne has also conducted six bug bounty challenges for the overall DoD, the Army, the Air Force (twice), the Defense Travel System (DTS), and the Marine Corps.
Reina Staley, chief of staff at Defense Digital Service, was quoted in the HackerOne report as saying that millions of government employees and contractors use and rely upon key enterprise systems every day, and “any compromise of the system or the sensitive information it handles would be detrimental to our people and our mission."
"These bug bounty challenges are a way to give talent outside the public sector a channel to safely disclose security issues and get rewarded for these acts of patriotism.”
—Reina Staley
Open the doors to the hacker community
While these projects are encouraging, there's still a lot of work to be done. Nine out of 10 companies on the Forbes Global 2000 list do not have a policy to receive, respond to, and resolve bug reports submitted by the outside world. That's a problem.
One quarter of hackers do not report vulnerabilities they find because the implicated company doesn't have a way to disclose it. That means the vulnerability remains unresolved, putting company and its customer data at risk.
For hackers to continue to help keep data safe, companies should put all options on the table to safeguard the data they have a responsibility to protect. That means making cybersecurity a priority, implementing a VDP, and working with the community of hackers who want to help.
Keep learning
Learn from your SecOps peers with TechBeacon's State of SecOps 2021 Guide. Plus: Download the CyberRes 2021 State of Security Operations.
Get a handle on SecOps tooling with TechBeacon's Guide, which includes the GigaOm Radar for SIEM.
The future is security as code. Find out how DevSecOps gets you there with TechBeacon's Guide. Plus: See the SANS DevSecOps survey report for key insights for practitioners.
Get up to speed on cyber resilience with TechBeacon's Guide. Plus: Take the Cyber Resilience Assessment.
Put it all into action with TechBeacon's Guide to a Modern Security Operations Center.
