UPDATED 17:08 EST / SEPTEMBER 22 2021

HackerOne powers DevOps-security connection to strengthen cloud application protection

The digital transformation accelerated by the COVID-19 pandemic has brought previously unimaginable security challenges. Organizations’ attack surface has increased as applications have migrated to the cloud to meet the needs of remote working and learning, and software has been released much faster, at a pace that traditional security models already struggle to keep up with.

The enterprises that will be most successful in this new environment are those that break down the walls between the DevOps and security teams, according to Alex Rice (pictured), founder and chief technology officer at HackerOne Inc., a bug bounty startup that relies on “ethical hackers” and other solutions to strengthen the security of cloud applications.

“If you have a development and an operations team, which are the two core functions there, that don’t take hands-on responsibility for the security of what they’re developing and operating, you’re in trouble,” he said. “The more you try to outsource that to another team, another set of expertise, the worse you are going to be.”

Rice spoke with Lisa Martin, host of theCUBE, SiliconANGLE Media’s livestreaming studio, during the AWS Startup Showcase: New Breakthroughs in DevOps, Analytics, and Cloud Management Tools event. They discussed how the current digital transformation is changing businesses’ security needs, HackerOne’s solutions to strengthen security in the cloud, and how the startup has scaled up its offerings to Amazon Web Services Inc. (* Disclosure below.)

Different programs against cyberattacks

While ideally there should be no barriers between development and security roles, most organizations are not yet structured in this way. They have a DevOps team and a security team, which are often in a somewhat antagonistic relationship, according to Rice.

HackerOne offers a mature security program for these companies while working closely with them to try to break down these barriers.

“And, increasingly, technology leaders are engaged and hands-on and are looking for ways to make this better,” he said. “Five years ago, the CISO was almost always our main buyer and our main point of contact. It’s much, much more common now to see VPs of engineering, CIOs and CTOs have direct-line responsibility for security teams.”

In today’s modern IT architecture, where companies increasingly rely on the cloud to innovate, the HackerOne security platform offers different types of programs to protect applications. One solution is the company’s vulnerability disclosure program, which in a secure environment invites the public at large to report security issues found in applications.

“It’s incredible the amount of value that software teams receive just from asking this, putting that invitation out there,” Rice said.

For organizations looking for deeper, more expert analysis of their applications, HackerOne can run a bug bounty program. It works much like the public disclosure program, with the difference that the engineering and software teams post bounties for reports on the specific types of issues they care about.

The third program model is security assessments, which are one-off, highly targeted engagements rather than ongoing commitments.

“When a DevOps team is deploying a new application or releasing a new architecture or running a new infrastructure, when they need a very targeted set of expertise for a constrained timeline to fit into their release processes, we can run assessments of matching just a small number of factors to what you care about and tie all that into your release process,” Rice explained.

Tailored solutions for AWS

As part of its cloud strategy, HackerOne has expanded its tooling for organizations running on Amazon Web Services Inc. Some AWS customers want the always-on security feedback loop that a bounty program provides, because they are continually releasing applications, so HackerOne has offered that for quite a while, according to Rice.

But the startup also began to see a specific need from customers migrating new applications to AWS on an almost weekly or monthly cadence: a security testing cycle that could keep pace with that. As a result, the company has rolled out an AWS-tailored version of its security assessment product.

“You can get it in the AWS Marketplace as well that lets you spin up a targeted security assessment on demand through your native AWS tooling, whenever you need it,” Rice stated.

The findings from those assessments are then fed back into AWS Security Hub and presented in a form intended for the DevOps and engineering teams doing the deploying, so they can see what is going on.

“We’re not asking folks to break out into specific security workflows. We really fundamentally believe that security accessible to DevOps teams is what’s needed to keep us all moving fast and ship trustworthy … applications in the cloud,” he concluded.

Watch the complete video interview below, and be sure to check out more of SiliconANGLE’s and theCUBE’s coverage of the AWS Startup Showcase: New Breakthroughs in DevOps, Analytics, and Cloud Management Tools event. (* Disclosure: HackerOne Inc. sponsored this segment of theCUBE. Neither HackerOne nor other sponsors have editorial control over content on theCUBE or SiliconANGLE.)

Photo: SiliconANGLE
