HackerOne’s Security@ was a one-day, invitation-only event held in late October to bring together security leaders, hackers and industry experts to discuss the hacker-powered security movement. Topics ranged from building successful security programs to understanding the latest policies and regulations that impact working with the ethical hacker community. This blog series recaps the event’s keynote presentations and panel discussions.
Marten Mickos on stage at Security@ in San Francisco
Marten Mickos, HackerOne CEO, kicked off Security@ by acknowledging the fundamental shift currently taking place in the cybersecurity industry. There’s a movement, Marten said, to a new, better way of approaching security, and that new way is hacker-powered.
“There’s an old school of security that believes in technology and products and more walls and more locks, and they think that technology is the solution to our cybersecurity woes,” Marten said. “But there is a new world, where we realize that the solution is much easier and closer and more imminent and obvious and powerful.”
The reason cybersecurity is one of the biggest problems facing us today, Marten suggested, is that we rushed into technology. The internet was built for fun, Marten recalled, but in just a few decades, it was transformed into a system that connects nearly everyone and every system, for better or worse.
There’s an enormous asymmetry in the world of cybersecurity, and it scares us all, Marten said. It’s why we continue to buy more firewalls, more antivirus software, and more of the solutions that were designed during the client-server era. In today’s world, however, those products don’t work as well. Instead, the best solution today is to ask for help from smart people, and that’s hacker-powered security.
Hacker-powered security is taking the collective intelligence, creativity, and diversity from the minds of everyone and pooling it to create a massively more capable defense, Marten said. By pooling the hacker community, “it’s possible to turn this asymmetry around.”
Marten went on to explain how HackerOne customers have fixed over 55,000 bugs found by white-hat hackers. And it is more than just tech companies leading the charge. Sure, there’s Salesforce and Snapchat, Uber and Dropbox, and more, but there are also traditional organizations with a progressive, security-aware approach. Companies like General Motors, Starbucks, and Lufthansa are using HackerOne to improve their security, and so is the U.S. Department of Defense.
Watch Marten’s ten-minute talk here to Security@ is not just the name of the conference; it’s where hacker-powered security begins, Marten explained. It’s your security inbox, where experts on the outside can communicate with your experts on the inside. You facilitate that by publishing a vulnerability disclosure policy, starting a bug bounty program, and crowd-sourcing your pen testing programs. Bringing those outside experts into your security apparatus is what HackerOne does, and does well.
The results and reception of hacker-powered security show that the industry is shifting, for sure. But the cybersecurity situation can only get worse, even when every new breach seems like the next one can’t possibly be worse, Marten said.
“The good news is that, although we’re still heading down and it’s getting worse by the minute, we’re already seeing the solutions that can help us,” said Marten. “We’re already seeing methods that can make us more secure, quickly. And the most powerful is to invite experts on the outside to tell you what’s wrong…to make you more secure. We have the solutions, they work quickly, and they make you more secure.”
However, while hacker-powered security can help you close the door on the bad actors, locking the door is ultimately up to you, Marten concluded.
“There’s one thing you have to do yourself: you must fix the bugs. If you don’t fix the bugs, you won’t be secure.”
Watch Marten’s presentation and all the talks from Security@ 2017 now.