HackerOne calls for end of security by obscurity

HackerOne calls for end of security by obscurity

The bug hunting platform offers a proposal for greater corporate cyber security responsibility and transparency.

Credit: Dreamstime

HackerOne, a bug bounty platform provider, offered a blueprint for greater corporate security responsibility and called for a shift from secrecy to transparency when dealing with vulnerabilities in a report released Thursday.

Organisations are increasingly scrutinising the practices of their suppliers, basing procurement decisions on security credentials and switching suppliers should the company have experienced a security incident, the report noted. Demonstrating secure best practices is now a competitive differentiator.

To demonstrate a company is adhering to best practices, the report recommended it commit to the four tenants of corporate security responsibility: transparency, collaboration, innovation, and differentiation.

Distrust between organisations and third-party researchers

According to survey data gathered for the report from 800 security leaders, 64 per cent maintain a culture of security through obscurity. Not admitting weaknesses and asking for help fixing them can cause significant damage to a brand should a "secret" vulnerability be exploited, the report explained.

To create greater transparency, the report recommended building a culture of openness, avoiding assigning blame when incidents happen, providing third-party researchers with a clear process for reporting vulnerabilities, and taking an open approach to stakeholders should a breach occur.

The report also revealed a lot of distrust between organisations and third-party researchers. Sixty-seven per cent said they'd rather accept software vulnerabilities than work with hackers, while 50 per cent of hackers admitted they hadn't disclosed a bug because of a previous negative experience or the lack of a channel to report it.

A lack of trust makes everyone a potential cyber enemy, the report maintained. To avoid that and promote collaboration, HackerOne recommended encouraging third parties to report vulnerabilities, setting up regular security briefing sessions with company brass, and translating security risk into risk to the business.

Suppliers’ cyber security best practices as important as cost

A common criticism of security is it slows innovation by increasing the time it takes for development teams to produce software. That need not be the case, the report maintained. Early testing and continuous testing throughout the development lifecycle are ways to avoid security snags. "Security teams should facilitate development, not block it," the report said.

To reduce friction between security teams and developers, the report recommended involving development teams in the security process, rewarding developers for fixing security issues, and holding cyber security awareness sessions across the organisation.

Good cyber practices can be a major differentiator for a company, and an important consideration when suppliers are chosen, according to the report. 

Sixty-three per cent of organisations told HackerOne's researchers that cyber security best practices are as important as cost when they choose a supplier, and 62 per cent said they'd take their business elsewhere if a supplier suffered a data breach. Fifty-three per cent of organisations admitted they had lost customers as a result of a data breach.

The report recommended that robust security checks be performed on suppliers, including proof of compliance with privacy laws, a third-party audit of a security framework, current pen-tests, multi-factor authentication, a vulnerability disclosure policy, and single sign-on. It also recommended following Google's Minimum Viable Secure Product guidelines.

"[T]here’s no surefire way to prove your security credentials or to know whether one of your suppliers might be the next victim of a data breach," the report noted. "However, encouraging your organisation and your supply chain to commit to the tenets of corporate security responsibility will drive brand trust and set your organisation apart as one that demonstrates its active commitment to security."


Show Comments