HackerOne CEO: Every Computer System is Subject To Vulnerabilities (cnbc.com)
An anonymous reader writes: Every computer system in the world is vulnerable to hackers and criminals, according to Marten Mickos, CEO of HackerOne. That's nothing new with major data breaches at Yahoo and the federal government. But not to worry, teams of ethical hackers could be an answer to the growing cybersecurity concerns. "There are far more ethical hackers, white hat hackers, in the world than criminals," Mickos told CNBC's "Squawk Alley" on Thursday. "So when you just invite the good guys to help you, you will always be safe. It's like a neighborhood watch. You're asking the good guys around you to help you see what's wrong with your system and help you fix it." Mickos has assembled 70,000 white hat hackers in his venture-backed company HackerOne. He explains the intent of white hat hackers is to hack for good and not for exploitation.
Keep waiting for the second coming of teams of ethical hackers. Not that this method could not work in principle, it is just that corporations are not willing to pay for this, instead often choosing to lawyer up, and as a consequence ethical hackers are rare. On the other hand, with a thriving black market for exploits, unethical hackers could easily monetize.
Ethical hacking is like a starving artist gig: you need a day job and could only do this as a side gig.
thanks hackerone ceo, nobody knew this until today
glad you're on the case
In other news: water is wet. I would like to sell you an umbrella in case you get rained on.
As mentioned in the interview, they took 13 minutes to find a major vulnerability in the Pentagon systems. Heck, you can have someone run a Nessus scan for you at a cost of about $50, and probably find some significant vulnerability.
Of course it's also possible to go overboard, to spend more on pen testing and security consulting than it's worth, but some really smart security people can be had for under $200 / hour, and in a couple hours they can do a lot of good for a company.
Along the same lines, I think it's definitely worth it to involve a security expert in about three meetings for any major software project - once when the overall architecture is first being discussed, once when specific plans are in place, and once to review before going live on production. Using myself as an example, I've been doing security full time for 20 years, and I know what the common mistakes are. I know what the "smells" are - if you mention certain words, I can tell you those are areas you need to be careful. You don't have to spend a lot to teleconference me for three one-hour meetings, and I can potentially save you millions.
Besides what most people think of as security, "confidentiality", my view of security is "the system continues to operate correctly - even when an attacker is trying to make it fail". That implies that it operates correctly when it's NOT being attacked. My suggestions give you better up time and more reliable results. A simple example is a government system I looked at which was subject to SQL injection on a name field - it had SQL like "INSERT INTO tbl lastname='$lastname'; ". Sure, that's SQL injection, but it also failed on names like O'Reilly - perfectly legitimate customers couldn't use the system. Applying security concepts (it should work correctly even when it's being attacked) made it work much more reliably every day, and at a very low cost.
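The O'Reilly failure described in the comment above, as an added example that is not code from the commenter or from HackerOne: the interpolated form of the insert beside a bound-parameter insert, run against a constructed in-memory SQLite table (the original was presumably PHP/MySQL; SQLite and the `(lastname)` column list are assumptions so the snippet runs offline).

```python
import sqlite3


def _fresh_db():
    """Constructed schema standing in for the government system's table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE tbl (id INTEGER PRIMARY KEY, lastname TEXT NOT NULL)")
    return conn


def insert_interpolated(conn, lastname):
    """The 'smell' from the comment: the value is pasted into the SQL text.
    A legitimate apostrophe terminates the string literal early, so the
    statement no longer parses. Returns True on success, False on failure."""
    sql = f"INSERT INTO tbl (lastname) VALUES ('{lastname}');"
    try:
        conn.execute(sql)
        conn.commit()
        return True
    except sqlite3.Error:
        return False


def insert_parameterized(conn, lastname):
    """Hardened form: the value travels as a bound parameter and is never
    parsed as SQL, so any string (apostrophes included) is stored verbatim."""
    conn.execute("INSERT INTO tbl (lastname) VALUES (?)", (lastname,))
    conn.commit()
    return True


def stored_names(conn):
    return [row[0] for row in conn.execute("SELECT lastname FROM tbl ORDER BY id")]


def compare(names):
    """Feed the same customer names to both versions; report per-name success
    and what actually ended up in each table."""
    naive, safe = _fresh_db(), _fresh_db()
    naive_ok = [insert_interpolated(naive, n) for n in names]
    safe_ok = [insert_parameterized(safe, n) for n in names]
    return {"interpolated": (naive_ok, stored_names(naive)),
            "parameterized": (safe_ok, stored_names(safe))}


SAMPLE_NAMES = ["Smith", "O'Reilly", "D'Angelo"]  # constructed customer names

if __name__ == "__main__":
    for version, (ok, rows) in compare(SAMPLE_NAMES).items():
        print(f"{version}: accepted={ok} stored={rows}")
```

The interpolated version rejects two of three real customers while the parameterized one accepts all of them, which is the reliability gain the comment describes.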