At HackerOne’s recent Security@ global cybersecurity conference, three HackerOne experts—CTO and Co-founder Alex Rice, Senior Security Technologist Kayla Underkoffler, and Security Engineer Chris Dickens—presented practical approaches to how the industry can work together to address vulnerabilities with the help of ethical hackers. HackerOne also broke some news by announcing the expansion of the innovative Internet Bug Bounty program to secure open-source software.
Alex Rice was Head of Product Security at Facebook when the social media giant first introduced a bug bounty program in 2012. The initial results surprised him. More than 30% of vulnerabilities identified by hackers were not in first-party Facebook code.
“It wasn’t stuff that my engineers were writing,” Rice recalled. “They were in code from vendors, partners, open source—the supply chain. Struggling to get suppliers to accept responsibility for their vulnerabilities was one of the core driving factors in my decision to found HackerOne.”
Nearly a decade later, the problem of supply chain attacks is worse. Compromising trusted software before a supplier ships it to its customers has proven to be an effective technique, and its use has escalated. Recent headlines tell the story. Most notable was the 2020 SolarWinds attack, in which malicious code inserted into a software update spread undetected for months to the company's clients and allowed Russian state-backed hackers to spy on organizations worldwide, including U.S. government agencies such as the Department of Defense.
The problem is complicated by the fact that open-source and third-party software have become integral parts of software supply chains. The average supply chain pulls in nearly 150 open-source components, code that sits outside the direct control of most organizations and introduces considerable risk into their environments.
According to Rice, “The European Union Agency for Cybersecurity (ENISA) found that over the past 18 months, 66% of attacks targeting organizations came from compromised supplier code. And the same percentage of suppliers couldn’t say when or how they were hacked.”
“Because of the interconnected nature of supply chains today, the security vulnerabilities of your vendors become your vulnerabilities. It’s a shared problem that requires a shared solution,” said Rice.
“We really need to get people to stop ignoring our supply chains and get somebody to accept responsibility for it,” he added.
Rice, Kayla Underkoffler, and Chris Dickens offered some common-sense strategies to confront the problem. One key emphasis: organizations are in this together.
Vulnerability Disclosure Policy
Underkoffler described the typical sequence of events in a supply-chain vulnerability: it's discovered, it's traced back to a supplier, and then you wait.
“The clock is already ticking, and the longer it takes you to find the right person to start the remediation process, the longer you remain vulnerable and at risk,” she said. “Every moment you take chasing down your supply-chain vendors is a moment too long.”
That's why it's essential to set clear expectations with vendors, including a “see something, say something” understanding under which they accept responsibility for fixing issues in their own code. Concretely, it means asking each vendor to publish a Vulnerability Disclosure Policy (VDP): a public statement of how to report a vulnerability to them, which systems are in scope, and what they commit to do with the report. A VDP gives a reporter a known intake point, which removes the time otherwise spent hunting for the right contact.
“That cuts the exposure window much shorter,” Underkoffler said. “And then, boom! It’s off to be triaged and remediated. We believe that everyone should have a VDP.”
Few formal VDP requirements exist today, but the good news is that industry trends are moving toward treating a VDP as a vendor best practice: sixty-three percent of global organizations now expect their suppliers to have one.
Underkoffler also offered recommendations on what to look for when assessing vendor security. “If they don't have a VDP or established protocols to address issues, those are red flags,” she said. Also ask for the specific number of vulnerabilities they have remediated in the past 12 months. A concrete answer is evidence that the vendor has a working response process in place.
Dickens pointed out that the UK's National Cyber Security Centre recommends that suppliers provide evidence of their approach to security and of their ability to meet a customer's minimum requirements. Yet only 12% of organizations follow that guidance.
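One way to turn the “do they have a VDP?” red-flag check into something that runs across hundreds of suppliers is to look for the vendor's RFC 9116 `security.txt`, the standard, machine-discoverable place for a disclosure contact and policy link. The script below is an added example, not code from the original article or from HackerOne; the vendor domain and the two `security.txt` bodies are constructed, and the `Expires`/`Policy` checks are this script's own heuristics for “established protocols”, not anything the article prescribes.

```python
"""Vendor-assessment helper: does a supplier publish a usable RFC 9116
security.txt?  Added example (not HackerOne's tooling); domains and file
bodies below are constructed."""
from datetime import datetime, timezone
from typing import Dict, List, Optional
from urllib.request import urlopen  # used only by fetch_security_txt()

# RFC 9116 makes Contact and Expires mandatory; Policy is where the VDP lives.
REQUIRED_FIELDS = ("Contact", "Expires")
CONTACT_SCHEMES = ("mailto:", "https://", "tel:")


def parse_security_txt(text: str) -> Dict[str, List[str]]:
    """Parse 'Field: value' lines into {field: [values]}.

    Comments (#) and blank lines are skipped; a field may repeat
    (e.g. several Contact lines), so every value is kept in order.
    """
    fields: Dict[str, List[str]] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or ":" not in line:
            continue
        name, _, value = line.partition(":")
        fields.setdefault(name.strip(), []).append(value.strip())
    return fields


def assess(fields: Dict[str, List[str]], now: Optional[datetime] = None) -> List[str]:
    """Return the list of red flags for a parsed file (empty list = no flags)."""
    now = now or datetime.now(timezone.utc)
    flags: List[str] = []
    for field in REQUIRED_FIELDS:
        if field not in fields:
            flags.append(f"missing {field}")
    contacts = fields.get("Contact", [])
    # A bare e-mail address is not a valid Contact value; RFC 9116 wants a URI.
    if contacts and not any(c.startswith(CONTACT_SCHEMES) for c in contacts):
        flags.append("Contact is not a mailto:/https:/tel: URI")
    for exp in fields.get("Expires", []):
        try:
            when = datetime.fromisoformat(exp.replace("Z", "+00:00"))
        except ValueError:
            flags.append(f"unparseable Expires: {exp}")
            continue
        if when.tzinfo is None:          # treat a naive timestamp as UTC
            when = when.replace(tzinfo=timezone.utc)
        if when <= now:
            flags.append(f"security.txt expired on {exp}")
    if "Policy" not in fields:
        flags.append("no Policy link (no published VDP)")
    return flags


def fetch_security_txt(domain: str, timeout: float = 5.0) -> Optional[str]:
    """Fetch https://<domain>/.well-known/security.txt; None if unreachable/absent."""
    try:
        with urlopen(f"https://{domain}/.well-known/security.txt", timeout=timeout) as resp:
            return resp.read().decode("utf-8", "replace")
    except Exception:
        return None


# Constructed sample files standing in for two hypothetical vendors.
GOOD_VENDOR = """# constructed example
Contact: mailto:security@vendor-a.example
Expires: 2099-12-31T23:59:00Z
Policy: https://vendor-a.example/.well-known/vdp
Preferred-Languages: en
"""

BAD_VENDOR = """Contact: security@vendor-b.example
Expires: 2020-01-01T00:00:00Z
"""

if __name__ == "__main__":
    for name, body in (("vendor-a.example", GOOD_VENDOR), ("vendor-b.example", BAD_VENDOR)):
        print(name, assess(parse_security_txt(body)) or "OK")
    # For a real assessment, replace the constructed bodies with
    # fetch_security_txt(domain) for each supplier in your inventory; a None
    # result (no file at all) is itself the "no VDP" red flag.
```

In practice the absence of the file is the loudest signal; the field checks mostly catch vendors that published one once and let it lapse, which says something about whether the process behind it is actually exercised.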
“One theory is that traditional penetration testing hasn’t adapted to the speed and scalability needed to keep pace with a modern software supply chain,” Dickens said. “There’s a security skills shortage as well. It’s hard to find the right people to perform these tests at the right time.”
With the typical business relying on hundreds of suppliers, testing each one with a traditional engagement has become an unrealistic challenge. A practical alternative is hacker-powered penetration testing. Dickens explained how HackerOne’s hacker community has the specific skills to run penetration tests as soon as they are needed.
One success story is Zebra Technologies. HackerOne helps the business ensure the security of products with a network of approved hackers. Penetration tests provide Zebra and its customers with greater confidence about the safety of newly released software.
“The downstream effect of this is they’ve got a more secure product for their customers,” Dickens added.
Securing Open Source
Open source is the Achilles heel of the supply chain: it represents a growing portion of the world’s critical attack surface, and it has always been a struggle to secure through traditional approaches. When a problem affects everyone, it can seem as though no one is responsible for the solution.
HackerOne stepped up in 2013 as a founding member of the Internet Bug Bounty (IBB). The program pools funding to incentivize security researchers to find and report vulnerabilities in open-source software. More than $900,000 in bounties has been awarded to nearly 300 friendly hackers for uncovering over a thousand flaws in open-source software.
The next evolution of the program was announced at Security@ 2021: its scope is being broadened to address supply-chain issues. HackerOne is joining forces with other forward-looking companies, including Elastic, Facebook, Figma, GitHub, Shopify, and TikTok, to introduce new, unified defense capabilities, among them additional funding to help cover the costs of remediation.
“We are all in this together,” Underkoffler said.
“Everyone should want to take on the challenge of securing their open-source dependencies through the collective power of the IBB,” Underkoffler said. “The reason this model works is that you’re not alone. We all depend on the same open-source software. Therein lies the risk, and therein lies the power of the IBB.”
As Rice added, “Securing the supply chain is the responsibility of the entire industry.”