Why The Future of DevOps Needs Hackers?
By : John Baker | Thursday, July 02 2020 - 17:45 IWST
John Baker - Security Engineering Manager and Bug Bounty Advisor for HackerOne
INDUSTRY.co.id - In my days as a Quality Assurance (QA) Engineer testing hospitality software, functional testing was seen as the last step before deployment and release. Any major defect found in the QA cycle had to be reported and triggered another full development cycle. This often meant delaying the release by weeks or months.
The same goes for security. If security is the last step in the development cycle, vulnerabilities found right before release are far more time-consuming and costly to fix. With the move towards Agile Software Development and DevOps, it is more important than ever to build security testing into the process rather than leaving it until the last step before release.
Today, many companies are implementing DevOps best practices for the promise they bring. Improved deployment frequency means faster time to market, a lower failure rate for new releases, and fewer security incidents. When we think of the future of DevOps, we think of the concepts of flow, feedback and continuous learning: the three core principles that carried us from waterfall to agile development. Development flows and feedback loops connect individual coders and hackers, squads and open source projects, spanning multiple organisations like a rising tide that lifts all boats, flowing, feeding back and improving our collective knowledge.
Where do ethical hackers fit in this flow of DevOps?
Finding vulnerabilities before the bad guys do
Security is a continuous process. Even with multiple security solutions and security teams working round the clock to protect your IT systems, there is no guarantee that you will not be hacked. There are always loopholes that get overlooked, or zero-day vulnerabilities waiting to be exploited. The bottom line is that vulnerabilities exist and hackers are looking for them anyway, so it is better to harness the power of ethical hackers before bad actors exploit them.
The leading global ecommerce company Shopify realised early on the impact that ethical hackers could have on strengthening security. What started in 2013 as a self-run, email-based bug bounty program with a security team of one has become a fully fledged public program with a Trust and Security team of more than 100. In just five years, the Shopify bug bounty program has paid out over US$1,000,000 in bounties and resolved more than 1,150 vulnerabilities thanks to hackers. Shopify saw working with ethical hackers on a bug bounty program as a means of broad, non-stop testing far beyond what any internal security team alone could accomplish; that blanket of coverage extends downstream into engineering and development, adding another “guardrail” to the software development lifecycle.
Pete Yaworski, Senior Application Security Engineer at Shopify, recently stated: “Security is not a one-time thing, but a continuous cycle. We know that there are always going to be bugs in software development. As we develop, and as we iterate, we want to make sure security is an active part of that process, and never a roadblock to innovation. The HackerOne bug bounty program allows us to put another cog in the wheel of security.”
As you can see, ethical hackers are already feeding back into the flow of code developed by some of our customers, whose services you may already be using in your day-to-day life.
Enhancing your security operations arsenal
Every day, we come across new variations of malware, new cyber attacks and new security incidents. It is impossible for security teams to keep up continuously and validate every security control. With a bug bounty program, however, organisations can tap the global hacker community to have as many eyes on their assets as possible, which also gives security teams visibility into their blind spots.
The Singapore government is a leading example when it comes to adopting hacker-powered security, as part of its ongoing initiative to build a secure and resilient smart nation. The Ministry of Defence (MINDEF) and the Government Technology Agency (GovTech) in Singapore have carried out multiple programs with HackerOne since 2018, and they continuously engage HackerOne’s community of hackers to search for security weaknesses in their assets so that these can be safely resolved, enhancing the safety and security of those systems. Building on the momentum of previous successful programs, GovTech Singapore launched a Vulnerability Disclosure Program (VDP) with HackerOne in October 2019.
The cybersecurity advisory panel of the Monetary Authority of Singapore (MAS) also recommended that financial institutions adopt bug bounty programs as part of cyber testing. In addition, Singapore paid a total of US$386,192 in bounties in 2019, the most in the whole APAC region, and more than most European countries.
Through its continuous collaboration with HackerOne and its close relationships with ethical hackers, the Singapore Government stays one step ahead in the ongoing battle against cybercriminals and ensures that end users and their data are safe online.
Shift left in your Software Development Life Cycle (SDLC)
Data from bug bounty programs can help organisations identify problems and understand how to secure and future-proof their digital assets further down the line. With a bug bounty, testing is continuous and ongoing, and it mirrors the SDLC. Bug bounty data can help drive innovation, speed up processes, and give development teams a better handle on which vulnerabilities are likely to be introduced, speeding up successful delivery rather than slowing it down.
Spotify’s bug bounty program helps inform the company’s “Golden Paths” engineering strategy, which sets out the best way to build products. This consists of a set of APIs, application frameworks and runtime environments that allow Spotify engineers to develop and deploy code securely and at scale. From the bug bounty reports, Spotify has found that the more closely development adheres to a “Golden Path”, the less likely a vulnerability is to be reported. The data shows Spotify that it is possible to maintain autonomy and decentralisation in development teams while ensuring high quality.
In summary, hackers have a key role in ensuring that the speed of security keeps pace with the speed of DevOps. There is no faster way to find security vulnerabilities than working with hackers, and the sooner vulnerabilities are found, the easier they are to fix. Hackers can also enhance your security arsenal and help you shift left in your SDLC. We know more about the community of hackers than we ever have, and they are here to hack for good.