The bug hunting platform offers a proposal for greater corporate cybersecurity responsibility and transparency.

HackerOne, a bug bounty platform provider, offered a blueprint for greater corporate security responsibility and called for a shift from secrecy to transparency when dealing with vulnerabilities in a report released Thursday.

Organizations are increasingly scrutinizing the practices of their suppliers, basing procurement decisions on security credentials and switching suppliers if a supplier has experienced a security incident, the report noted. Demonstrating secure best practices is now a competitive differentiator.

To demonstrate that a company is adhering to best practices, the report recommended it commit to the four tenets of corporate security responsibility: transparency, collaboration, innovation, and differentiation.

Distrust between organizations and third-party researchers

According to survey data gathered for the report from 800 security leaders, 64% maintain a culture of security through obscurity. Not admitting weaknesses and asking for help fixing them can cause significant damage to a brand should a “secret” vulnerability be exploited, the report explained. To create greater transparency, the report recommended building a culture of openness, avoiding assigning blame when incidents happen, providing third-party researchers with a clear process for reporting vulnerabilities, and taking an open approach with stakeholders should a breach occur.

The report also revealed considerable distrust between organizations and third-party researchers. Sixty-seven percent of organizations said they’d rather accept software vulnerabilities than work with hackers, while 50% of hackers admitted they hadn’t disclosed a bug because of a previous negative experience or the lack of a channel to report it. A lack of trust makes everyone a potential cyber enemy, the report maintained.
To avoid that and promote collaboration, HackerOne recommended encouraging third parties to report vulnerabilities, setting up regular security briefing sessions with company leadership, and translating security risk into risk to the business.

Suppliers’ cybersecurity best practices as important as cost

A common criticism of security is that it slows innovation by increasing the time it takes for development teams to produce software. That need not be the case, the report maintained. Early testing and continuous testing throughout the development lifecycle are ways to avoid security snags. “Security teams should facilitate development, not block it,” the report said.

To reduce friction between security teams and developers, the report recommended involving development teams in the security process, rewarding developers for fixing security issues, and holding cybersecurity awareness sessions across the organization.

Good cyber practices can be a major differentiator for a company, and an important consideration when suppliers are chosen, according to the report. Sixty-three percent of organizations told HackerOne’s researchers that cybersecurity best practices are as important as cost when they choose a supplier, and 62% said they’d take their business elsewhere if a supplier suffered a data breach. Fifty-three percent of organizations admitted they had lost customers as a result of a data breach.

The report recommended that robust security checks be performed on suppliers, including proof of compliance with privacy laws, a third-party audit of a security framework, current pen-tests, multi-factor authentication, a vulnerability disclosure policy, and single sign-on. It also recommended following Google’s Minimum Viable Secure Product guidelines.

“[T]here’s no surefire way to prove your security credentials or to know whether one of your suppliers might be the next victim of a data breach,” the report noted.
“However, encouraging your organization and your supply chain to commit to the tenets of corporate security responsibility will drive brand trust and set your organization apart as one that demonstrates its active commitment to security.”
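Two of the report's recommendations, giving researchers a clear reporting channel and checking that suppliers publish a vulnerability disclosure policy, have one standard, machine-checkable form: an RFC 9116 security.txt file served at /.well-known/security.txt. The validator below is an added example written for this article, not code from HackerOne or the report. The two sample files and the review date are constructed, and the checks follow RFC 9116: Contact is required and must be an https, mailto or tel URI; Expires is required, must appear exactly once, must be an RFC 3339 timestamp that has not passed, and is recommended to be under a year out; field names the RFC does not define are flagged as likely typos.

```python
"""Check a supplier's RFC 9116 security.txt for the disclosure-channel basics (runs offline)."""
from __future__ import annotations

from datetime import datetime, timedelta, timezone
from typing import Dict, List, Tuple

# Fields defined by RFC 9116; "csaf" was registered later in the IANA security.txt registry.
KNOWN_FIELDS = {
    "acknowledgments", "canonical", "contact", "encryption", "expires",
    "hiring", "policy", "preferred-languages", "csaf",
}

# Constructed review date so the example is deterministic (an assumption, not real data).
REVIEW_DATE = datetime(2024, 6, 1, tzinfo=timezone.utc)

# Constructed sample files for two fictional suppliers; neither is a real security.txt.
GOOD_SECURITY_TXT = """\
# Disclosure contact for example.com (constructed sample)
Contact: mailto:security@example.com
Contact: https://example.com/vdp
Expires: 2025-01-01T00:00:00Z
Policy: https://example.com/security-policy
Preferred-Languages: en
"""

BAD_SECURITY_TXT = """\
Contact: http://example.net/report
Expires: 2020-01-01T00:00:00Z
Expires: 2021-01-01T00:00:00Z
Acknowledgements: https://example.net/thanks
"""


def parse_security_txt(text: str) -> Dict[str, List[str]]:
    """Map lower-cased field name -> values in file order; comments and blank lines are skipped."""
    fields: Dict[str, List[str]] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        name, sep, value = line.partition(":")
        if not sep:
            continue  # not a "name: value" line; ignored like an unknown field
        fields.setdefault(name.strip().lower(), []).append(value.strip())
    return fields


def parse_rfc3339(value: str) -> datetime | None:
    """Parse an Expires value; RFC 3339 requires an explicit UTC offset (or 'Z')."""
    try:
        parsed = datetime.fromisoformat(value.replace("Z", "+00:00"))
    except ValueError:
        return None
    return parsed if parsed.tzinfo is not None else None


def check_security_txt(text: str, now: datetime | None = None) -> Tuple[bool, List[str]]:
    """Run the supplier-review checks; returns (passed, list of findings)."""
    now = now or datetime.now(timezone.utc)
    fields = parse_security_txt(text)
    findings: List[str] = []

    contacts = fields.get("contact", [])
    if not contacts:
        findings.append("missing required Contact field")
    for contact in contacts:
        if contact.startswith("http://"):
            findings.append(f"Contact uses plain http: {contact}")
        elif not contact.startswith(("https://", "mailto:", "tel:")):
            findings.append(f"Contact is not an https/mailto/tel URI: {contact}")

    expires = fields.get("expires", [])
    if len(expires) != 1:
        findings.append(f"Expires must appear exactly once (found {len(expires)})")
    else:
        expiry = parse_rfc3339(expires[0])
        if expiry is None:
            findings.append(f"Expires is not an RFC 3339 timestamp: {expires[0]}")
        elif expiry <= now:
            findings.append(f"security.txt expired on {expires[0]}")
        elif expiry - now > timedelta(days=365):
            findings.append("Expires is more than a year out; RFC 9116 recommends under a year")

    for name in fields:
        if name not in KNOWN_FIELDS:
            findings.append(f"unknown field (typo?): {name}")

    return (not findings, findings)


if __name__ == "__main__":
    for label, sample in (("good supplier", GOOD_SECURITY_TXT), ("bad supplier", BAD_SECURITY_TXT)):
        passed, findings = check_security_txt(sample, REVIEW_DATE)
        print(f"{label}: {'PASS' if passed else 'FAIL'}")
        for finding in findings:
            print(f"  - {finding}")
```

The fictional bad supplier fails on three counts a procurement review would care about: its only contact is plain http, so a researcher's report could be intercepted or altered; Expires appears twice and both dates have passed, which RFC 9116 treats as a stale file; and the misspelled Acknowledgements field would be silently ignored by compliant tooling. Fetching the file itself is deliberately left out so the example runs offline; in practice it must be retrieved over HTTPS from the supplier's /.well-known/ path.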