The do’s and don’ts of bug bounty programs with Katie Moussouris

In the rush to launch, cybersecurity doesn’t always get the attention it deserves, and yet it’s one of the first things that startups learn can — and will — go wrong.

Hackers and security researchers can be some of your biggest assets in helping your startup stay secure. Vulnerability disclosure and bug bounty programs are part of working with the hacker community to build a stronger, more resilient company. But they are not a replacement for security investments, which a growing company should not overlook.

Katie Moussouris has been in cybersecurity circles since some of the world’s biggest tech companies were startups, and helped to set up the first vulnerability disclosure and bug bounty programs. Moussouris, who runs consultancy firm Luta Security, now advises companies and governments on how to talk to hackers and what they need to do to build and improve their vulnerability disclosure programs.

At TC Early Stage, Moussouris explained what startups should (and shouldn’t) do, and what priorities should come first.


Knowing the basics

A bug bounty alone is not enough, and outsourcing the process to a platform isn’t going to save you time. Moussouris explained the basics and what differs between vulnerability disclosure, penetration testing and bug bounties.

Vulnerability disclosure is the process by which you hear about a vulnerability from the outside. You digest that vulnerability somehow internally in your organization and figure out what to do with it — whether to create a patch, how to prioritize that patch, and then what to release to the public [ … ] What it comes down to is that organizations need guidelines on how to handle these issues appropriately.

Next we’ve got penetration testing: hiring professional hackers under contract [who have] a specific set of skills that match your problem set, and you pay them. They’re under a nondisclosure agreement (NDA) to keep your vulnerabilities secret for as long as you need them — perhaps forever — and you are at your leisure as to whether or not you fix those vulnerabilities.

Finally, bug bounties are simply adding a cash reward to the process of vulnerability disclosure programs. (Time stamp: 3:20)


ISO standards are your friend

You may not think much about ISO standards when it comes to trying to stop hackers from breaking in, but these standards give companies that offer very different products and services a common language for handling vulnerabilities.

Moussouris explained that there are two main ISO cybersecurity standards that companies should know about: ISO 29147, which describes how to receive vulnerability reports from someone, and ISO 30111, which is the “digestive system” for handling and fixing vulnerabilities.

Not everybody is really ready to implement both of these ISO standards. But if you intend to fix vulnerabilities at all, whether you find them yourself or somebody from the outside reports them to you, you need at least the digestive system. (Time stamp: 6:40)


Fixing bugs internally is cheaper

A vulnerability disclosure program or a bug bounty are not a substitute for running your own security checks, following best practices, and stress-testing your product. Hiring penetration testers can weed out bugs and flaws before your product makes it out of the door.

If you’re a startup, you are trying to put all of your money where you’re going to get the most bang for your buck. When it comes to security, you can be told that bug bounties are cheaper and more effective than penetration testing. They might be in certain, very limited circumstances. But we’ve known for a very long time that actually finding bugs at the end of the software development lifecycle after the fact is up to 45x more expensive than if you had invested in building security in from the ground up. (Time stamp: 12:59)

But nothing is unhackable, which is why it’s important to allow hackers and researchers to contact you and have processes in place to handle, triage and fix security bugs when they come in.

So where does all the actual operational work take place? Those ISO standards.

That’s the little piece of the work that bug bounty platforms can take care of for you. It’s a ticketing system with some initial triage. Where does the work make the most sense for you to be investing? It’s in your layers of doing that prioritization, differentiation. (Time stamp: 13:43)

Bug bounties will produce a ton of reports of varying quality that are difficult to sift through and prioritize. That requires labor. Bug bounty platforms can help with this. And once you know what these vulnerabilities look like, you can incorporate those learnings into your software development process so that a single bug report can stretch a long way.

You should be incorporating these learnings into your secure software development lifecycle, and introducing new processes, new skills to your developers and your testers such that you never make the same mistake more than once. (Time stamp: 14:28)
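The intake work described above (collapsing duplicate reports onto one ticket, prioritizing by severity, and spotting the weakness classes that keep coming back) can be sketched as a small triage queue. This is an added illustration, not code from the talk or from Luta Security; the report fields, the severity-to-deadline policy and the sample reports are all constructed.

```python
"""Toy intake/triage queue for a vulnerability disclosure program (constructed example)."""
from collections import Counter
from dataclasses import dataclass

# Hypothetical remediation policy: severity assigned by *your* triage -> days to ship a fix.
FIX_SLA_DAYS = {"critical": 7, "high": 30, "medium": 90, "low": 180}


@dataclass
class Report:
    reporter: str
    component: str   # e.g. "login-api"
    weakness: str    # weakness class, e.g. "sqli" or "xss"
    location: str    # endpoint or file the report points at
    severity: str    # as assessed internally, not the reporter's claim


def fingerprint(r: Report) -> str:
    """Normalize so two reports describing the same bug collapse onto one ticket."""
    return "|".join(x.strip().lower() for x in (r.component, r.weakness, r.location))


def triage(reports):
    """Return (queue, duplicates, recurring).

    queue: unique tickets, most severe first, each with a fix deadline from policy.
    duplicates: reporters whose report matched an existing ticket (credit them, fix once).
    recurring: weakness classes seen in more than one distinct ticket, the signal that
    an SDLC control (training, lint rule, test) is missing rather than just one patch."""
    tickets, duplicates = {}, []
    for r in reports:
        key = fingerprint(r)
        if key in tickets:
            duplicates.append(r.reporter)
            continue
        tickets[key] = {"report": r, "sla_days": FIX_SLA_DAYS[r.severity]}
    order = list(FIX_SLA_DAYS)  # critical ... low; sorted() is stable within a level
    queue = sorted(tickets.values(), key=lambda t: order.index(t["report"].severity))
    classes = Counter(t["report"].weakness for t in queue)
    recurring = sorted(w for w, n in classes.items() if n > 1)
    return queue, duplicates, recurring


# Constructed sample intake, the kind of mixed-quality week a bounty program sees.
SAMPLE = [
    Report("alice", "login-api", "sqli", "/v1/login", "critical"),
    Report("bob", "Login-API", "SQLi", "/v1/login ", "critical"),  # same bug as alice's
    Report("carol", "billing", "sqli", "/v1/invoice", "high"),
    Report("dave", "web", "xss", "/search", "medium"),
    Report("erin", "web", "missing-rate-limit", "/reset", "low"),
]
```

Run `triage(SAMPLE)` to get four tickets ordered critical to low, `bob` listed as a duplicate, and `sqli` flagged as a recurring class worth a development-process fix rather than two isolated patches.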

You can read the entire transcript here.

You can also check out other sessions from Early Stage here.