As the saying goes, if you cannot beat the bad guys, hire them for good!
Security teams are challenged by the radical shifts in software development, from the fast pace and frequent releases to new languages and modern models. In that whirlwind, Chief Information Security Officers (CISO) still have to keep both users’ and employees’ data secure without slowing down the process.
This article will cover three ways that hacker-powered security can help CISOs become more agile.
#1 – It scales with your business
Hacker-powered security is flexible enough to adapt to any software development model, and even any business models. It is already in use by thousands of companies from small startups to Fortune 500 mega corporations. And it works just as well for those dealing with regulatory, industry, or other constraints.
As your business grows, hacker-powered security grows with you. For those just starting to build a security apparatus, it is easy to begin with a vulnerability disclosure policy and a “security@” email address. These programs can be integrated into even small security teams and help introduce hacker-powered security into your current security and development processes.
When you are ready, you can use hacker-powered security to run short-term bug bounty programs, target specific scopes, or run continuous programs across all of your technology. But you always have the control to scale up or down as your needs change. For example, you can start by opening one application to a private, invitation-only bug bounty program to get more comfortable with the triage of incoming vulnerability reports, communicating with hackers, and resolving issues with your developers. Then you can add more applications, open your program to more hackers, and expand your scope over time.
Eventually, you will have the ability to continuously test all of your critical applications with the most diverse and talented group of security researchers on the planet.
#2 – It is customized for your needs
Every business has different requirements. Hacker-powered security is flexible enough to provide effective testing in any industry, for organisations of any size, and for CISOs with unique needs. It is already being used by organisations as diverse as Starbucks, Lufthansa, Goldman Sachs, Uber, Spotify, General Motors, Zomato, Toyota, LINE, U.S. Department of Defense MINDEF Singapore, GovTech Singapore, and thousands more.
Hacker-powered security can be completely tailored to any organisation’s unique requirements. A time-bound bug bounty program can be used to accomplish pinpoint security testing objectives using the diverse hacker community in an incentive-driven model. This crowdsourced penetration testing is helpful when you do not need a full bug bounty program, to meet PCI DSS and SOC2 Type II compliance certifications, and to target a specific scope with only those hackers who have a specific skill-set.
These tests not only help you maintain compliance while increasing security, they can save you money. A recent report by Forrester Consulting suggests that a company switching to hacker-powered security programs for pen-testing stands to save nearly US$300,000 in net present value over three years.
In addition, you can further customize hacker-powered security with background checks and more to meet the rigorous standards of highly regulated companies. You can choose to only use vetted hackers, with testing conducted through VPNs, and the addition of custom agreements to give you complete control over your program.
#3 – It can be built into every stage of the SDLC
Building security into your software development lifecycle (SLDC) without slowing down development is a challenge, but hacker-powered security can help. Its flexibility makes it compatible with every stage of the SLDC.
When hacker-powered security is applied after code is released, the resulting bug reports can help developers think about security during the development process. That leads to a more security-aware engineering team that can work to close gaps before new code is released.
Bug reports can easily be integrated into the tools your developers already use. Apps like Jira, Assembla, Bugzilla, MantisBT, GitLab, and GitHub are common across the SLDC. Incoming reports from the hacker community can inform developers without any changes to their current workflow. Hacker-powered security can also integrate with Slack and other productivity tools to keep teams collaborating and communicating as they work to fix bugs and close security gaps. If you are looking to reduce risk while keeping up with the speed of your developers and release cycles, then hacker-powered security fits right in.
A hacker-powered security program can be as big and public or small and private as you need—or anywhere in between. Starting with a vulnerability disclosure program lets you see the value without overwhelming your security or development teams. Moving to a private bug bounty program and using hacker-powered penetration testing lets you control the hacker resources until you are used to the workflow. Then you can take it public when you are ready to open your scope to truly continuous security coverage.
Hacker-powered security has the flexibility to fit within any SLDC and keep up with your fast-moving release cycles. To learn more, download the ebook, “Next-Gen Application Security: Launch Effective Agile Security for Agile Development”.