Third Pillar of Security

Independent hackers are the third pillar of security, and one that is often not treated seriously enough. Every business knows that maintaining security requires the first pillar: the right employees. Some businesses know that these employees also need the second pillar: the right tools, such as Acunetix. However, still not enough businesses know how to deal with hackers, and some choose to look the other way.

Luckily, the situation is quickly improving. The Hacker-Powered Security Report 2018 from HackerOne contains several interesting findings. These findings should be important to you if you have any assets that might be accessed from the outside, especially Internet-facing web assets.

Can I Trust a Hacker?

The biggest problem that companies have when working with external security experts is trust. The term hacker is still used mostly in a derogatory manner by the media. A lot of people perceive hackers as kids who break into places for fun or as criminals. This could not be farther from the truth, or from the original meaning of the word.

Hackers are independent security experts. They are the freelancers of the security world. Instead of working full-time on your internal security team, they prefer to work from home for many companies. And, as the Hacker-Powered Security Report 2018 shows, more and more companies want to work with them.

Why Do Security Experts Choose Freelancing?

The worldwide demand for security experts is huge. You would think that everyone who has the right skills and experience should be able to find a good job in this field. However, this is not the situation in every country.

Some of the best-skilled hackers come from countries where the IT industry is heavily underdeveloped. To find full-time employment, they would have to migrate, often leaving their current life and/or family behind. Many of them are not ready for such a decision, so they prefer to work remotely as freelancers.

Few companies hire full-time security experts who work only remotely. Therefore, freelancing for security experts mostly means living off bug bounties. According to the Hacker-Powered Security Report 2018, the best bug bounty hunters are able to regularly make up to 16 times the median IT salary in their home countries. In 2018, a total of 116 critical vulnerabilities came with a payout of over $10,000, and to date hackers have earned more than $31 million through the HackerOne program alone.

Why Is Bounty Hunting Difficult?

The world's biggest IT corporations are the most security-conscious. Companies such as Google, Facebook, or Microsoft are fully aware of the value of hackers. They have public-facing vulnerability disclosure policies (VDPs), they have well-managed procedures, they offer substantial bounties, and they pay on time. Working with such a partner is a pleasure, but the competition is huge, so it's difficult to score a bounty.

On the other hand, smaller software manufacturers pose a different problem. Most companies have no VDP in place at all. If freelancers find security problems and contact such businesses, they are sometimes treated in an unpleasant way. This may range from being ignored, through denial, all the way to threats of being reported to the authorities! The fact that such treatment happens at all is very disappointing; it should not be the case in the modern IT world.

The Hacker-Powered Security Report 2018 shows that adoption of vulnerability disclosure policies is on the rise, but mostly among enterprises. The increase is substantial, 54% year-over-year, but 93% of the Forbes 2000 still do not have public vulnerability disclosure policies. Governments are also among the leaders in adoption. It seems that in this respect smaller companies have a lot to learn from big organizations.

Web Vulnerabilities Topping Charts

The Hacker-Powered Security Report 2018 contains detailed information about the types of vulnerabilities that were most commonly discovered by independent security experts in 2018. It’s not surprising that the charts are completely dominated by web vulnerabilities. As of May 2018, more than 72,000 vulnerabilities were reported via HackerOne and 27,000 of those were Cross-site Scripting (XSS) vulnerabilities alone.

Other chart-topping vulnerabilities are not specific web vulnerabilities, but they are most often found in web assets, too: information disclosure, improper authentication, violation of secure design principles, privilege escalation, improper access control, etc. The remaining typical web vulnerabilities in the top 10 are Cross-site Request Forgery (CSRF), code injection, SQL Injection, and command injection.

How To Work with Hackers?

If you want your assets to be secure and you still don’t have a public-facing vulnerability disclosure policy, you might want to rethink your position as soon as possible. The exponential growth of the market means that the demand for IT security personnel will keep rising quickly. With more and more companies creating VDPs and offering bounties, hackers will have more incentive to stay independent. All in all, in the future you may have no choice but to work with freelancers.

The most important aspect of working with hackers is to understand that their goal is not to harm your business. If it were, they would not be hackers (but criminals) and they would not contact you about a vulnerability (but take advantage of it). Their goal is to earn a living by helping you resolve your problems. If you don't treat them right, they will publish the findings anyway and spread the word, so other hackers won't touch your product (but criminals will).

What is the Position of Acunetix in All This?

If there were no hackers, there would be no Acunetix. There would be no IT security at all. All the best tools on the market were created by hackers and then developed into comprehensive solutions. All the vulnerability scanners still need hackers and hire hackers (either as part of their teams or as freelancers) to supply you with new vulnerability detection techniques.

That is why Acunetix is very passionate about the hacking community and about bringing businesses and hackers together. Our products are designed to help both businesses and freelancers. By automatically detecting vulnerabilities we make it possible for freelancers to focus on new discoveries. By integrating with other systems, we help businesses assess and manage all the vulnerabilities easily.

To have the best security policy possible, use all three pillars. Hire the right team to be the core of your internal work. Get Acunetix and other essential tools to take the load off that team and to make their job much easier. And last but not least, design a public-facing vulnerability disclosure policy so that you can work efficiently with external experts.
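One concrete way to make a vulnerability disclosure policy discoverable is the security.txt file standardized in RFC 9116, served at /.well-known/security.txt. The following is an added example, not part of the original post or an Acunetix artifact; every URL and address in it is a placeholder for your own organization's values. The Contact and Expires fields are required by the RFC; the rest are optional but help a researcher find your policy, your encryption key for confidential reports, and your acknowledgments page.

```text
# Placeholder security.txt (example only; replace every value with your own)
Contact: mailto:security@example.com
Contact: https://example.com/security/report
Expires: 2025-12-31T23:59:59.000Z
Encryption: https://example.com/security/pgp-key.txt
Policy: https://example.com/security/disclosure-policy
Acknowledgments: https://example.com/security/hall-of-fame
Preferred-Languages: en
Canonical: https://example.com/.well-known/security.txt
```

Keep the Expires date in the near future and refresh the file on a schedule, because the RFC tells researchers to treat an expired file as stale; a forgotten, out-of-date contact address is exactly the kind of silence the report describes as driving hackers away.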

Tomasz Andrzej Nidecki
Sr. Technical Content Writer
Tomasz Andrzej Nidecki (also known as tonid) is a Senior Technical Content Writer working for Acunetix. A journalist, translator, and technical writer with 25 years of IT experience, Tomasz has been the Managing Editor of the hakin9 IT Security magazine in its early years and used to run a major technical blog dedicated to email security.