Interviews | February 8, 2019

App Sec Market Moving Towards Fully Automated Continuous Testing Tools: HackerOne, Recorded Future, Synopsys

Scott McCormick
Head of Compliance

HackerOne

Q1. You joined HackerOne very recently. Please describe for us your role as head of compliance there. How does it fit in with the overall HackerOne mission?

HackerOne's mission is to empower the world to build a safer Internet. In my role leading HackerOne's Governance, Risk and Compliance program, I work towards this by promoting hacker-powered security to meet regulatory and compliance requirements in countries around the world so that companies can access the hundreds of thousands of hackers fighting for our mission. One of our company values at HackerOne, "Together we hit harder," goes for HackerOne internally as well as for our community of hackers and our customers.

With GDPR sparking conversations about regulation, data ethics, and who has the right to what information online, organizations are forced to develop a relationship with security that satisfies auditors, but doesn't disrupt product deployment and business growth. It's my job to ensure that we can develop vulnerability disclosure (ISO 29147) and bug bounty programs for our customers that prioritize building trust with customers and collaboration between hackers, developers, and external auditors to improve security posture and grow businesses.

Q2. What are some of the biggest trends you are seeing in the bug bounty space in terms of the bugs being discovered, the people discovering them, the payouts that are being made etc.?

I'm seeing quite a few trends come to a head in the new year as companies, governments and consumers alike begin to realize that it's no longer a question of if bad actors will try to hack them, but when.

For consumers, trust and responsibility will be a rising trend. The global cost of cybercrime reached as much as $600 billion according to a February 2018 report, and in the US alone 16.7 million individuals were impacted by identity theft in 2017. With the vast troves of personally identifiable information being updated and uploaded to countless databases for every ad clicked, every photo posted, and every time a credit card is swiped, it's becoming increasingly vital that people feel confident that their information is protected. Consumers and companies alike want to trust those who hold their information and know someone will take responsibility if something goes awry.

In practice, as consumers and companies are taking security more seriously, we can expect to see bounty payouts increase to record highs — hackers will begin to make record amounts and companies will be posting higher bounties to compete for top hacker talent. In terms of who will be discovering them, every day 600 new hackers sign up for HackerOne around the world, the majority of whom are self-taught. It's these self-taught, innovative and creative hackers that are increasingly proving they know how to think like bad actors and are finding vulnerabilities in some of the most sensitive assets.

Q3. What do you want attendees at Black Hat Asia 2019 to know about HackerOne and its services?

As the undisputed leader in hacker-powered security, Fortune 500 companies including Toyota, Alibaba, Hyatt and Goldman Sachs publicly launched programs on HackerOne in 2018. Ministry of Defence Singapore, Nintendo and Panasonic Avionics and over 1,300 other organizations have partnered with HackerOne to find over 100,000 vulnerabilities and award over $43M in bug bounties. HackerOne is headquartered in San Francisco with offices in Singapore, London, New York, Washington D.C. and the Netherlands. For more on how to start a program with HackerOne, contact us here, register to begin hacking today here, or start learning to hack for free here.

Gavin Reid
Chief Security Architect & Leader of Threat Research

Recorded Future

Q1. What do you see as some of the biggest trends in the threat intelligence space from a tools and capabilities standpoint? What resources are becoming available that allows enterprise organizations to understand and consume threat intelligence more easily?

Threat intelligence customers want data about threats that is as complete as possible, contextually relevant to their business, and automated into their workflows. They want to understand how to truly measure risk and evaluate the potential threat landscape for their organization - whether or not that risk is from direct or indirect threats.

With simple indicators, like a file hash, threat intelligence data can be pretty easy to deliver – and it's a one-size-fits-all model. With actors and techniques, however, there could be massive amounts of data, and our customers rely on us to give them the information that is most relevant and timely to their needs – with the ability to have all the relevant data at hand if they need to drill into specific areas. As well as being the definitive source for threat intelligence, our customers also expect to be able to enhance data in whatever security tools they are using. Contextualizing everywhere and anywhere is especially crucial, as most organizations have multiple security tools with raw data that can hugely benefit from such enhancement. Blending threat intelligence directly into the security operations team workflows helps embed the usefulness of the intelligence into the existing processes, leading to better and quicker results. Almost all of these tools have capabilities to bring in external data. Good intelligence vendors have robust programmatic interfaces allowing their data to be accessible in any way needed — not just through one solution.

Q2. Recent studies have shown that the threat intelligence market will register a 19% compound annual growth rate through at least 2022. What kind of interest are you seeing in Asia for these services, and from whom? How do you see the market trending in the short term?

Recorded Future is seeing very strong and growing interest in threat intelligence across ASEAN, India, Korea, Japan, and Australia. As we saw in the US, financial service customers and government organizations are the first two verticals to start adopting a threat intelligence mindset, but there has also been growing interest from cybersecurity service providers. We're seeing these organizations recognize the importance of threat intelligence – and the value it can deliver – so they're establishing threat intelligence practices as part of their portfolios. India and Japan seem to be leading the charge right now. Taking a step back, though, the market still seems to be in a learning stage – we see most organizations just now exploring threat intelligence as a critical security component. Security teams are starting to fully understand the capabilities and use cases. In the short term, we're focusing on how threat intelligence can be used to help organizations reduce digital risk. As we look further down the road, we'll start addressing how threat intelligence can impact additional security functions more directly.

Q3. What do you want attendees at Black Hat Asia 2019 to know about Recorded Future's strategy and plans over the next few years? Why is it important for your company to be at the event?

Recorded Future helps to identify threats to organizations 10 times faster with a 32 percent cost reduction by providing centralization, collaboration, and customization of intelligence. The company provides unprecedented analysis of the most comprehensive set of open and closed feeds, internal risk lists, and internally generated analyst notes — all in one view. Its services garnered Recorded Future a perfect five-star review from SC Magazine in September 2018. The reviewers found zero weaknesses, applauded Recorded Future's new tailored browser plugin as "a great addition to an already strong solution," and in their final verdict stated that, "this product is one of the best we looked at this month… This is a must-have in your organization."

At Recorded Future, we believe the industry is at an incredibly interesting inflection point for threat intelligence technology and the application of that intelligence throughout organizations' security programs. Broadly, across the industry, threat intelligence technology has developed tremendously over the last five years or so – going from static feeds to dynamic platforms with ecosystems of partners across security functions. It's this rapid market development that's made adoption in the ASEAN market so compelling – they're being presented with offerings that have undergone significant transformation and maturation.

Rather than just looking at threats, however, Recorded Future is working to help organizations deeply understand their potential risk landscape – and helping security professionals of all ability and funding levels make decisions quickly and confidently.

Geok Cheng Tan
Managing Director, Asia Pacific

Synopsys

Q1. What are the requirements for static application security testing in today's development environment? What questions should you be asking in evaluating SAST tools?

Static Application Security Testing (SAST) is one of the most popular techniques for detecting security vulnerabilities in web apps and other software, and there are several reasons organizations are embracing SAST as part of their development process. First and foremost, SAST can be used in the early stages of the software development life cycle (SDLC) when vulnerabilities are cheaper to remediate. Second, it's relatively easy to use and it provides detailed results, such as the specific lines of code that contain the vulnerabilities. Lastly, SAST can be automated and integrated seamlessly into development workflows so you don't have to halt operations and spend extra cycles running security tests.

When evaluating SAST vendors, the question you need to ask up front is: does this solution support the programming languages and frameworks you use to build your applications? SAST technology analyzes source code, so it needs to be able to understand or interpret a given programming language in order to find vulnerabilities written in it. Some vendors specialize in SAST for just one or a few programming languages, while others support a broad range of languages.

Another important factor to consider is if, and how well, a SAST solution integrates with your other development tools. If you have adopted Agile or DevOps, this is particularly important because it enables your security testing activities to keep pace with your development velocity. Some SAST solutions have IDE plug-ins that developers can use to perform SAST locally on their desktops, enabling them to find and fix problems before they even check in their code. This can save considerable time and money down the road. SAST solutions should also integrate with continuous integration (CI) tools via plug-ins or APIs so that scans can be triggered as part of the automated build process.

Lastly, the accuracy of your SAST solution is paramount. If your SAST solution doesn't effectively detect all critical vulnerabilities in your code, you are leaving your organization at risk of a cyberattack or data breach. Conversely, if your SAST solution produces a lot of false positives, meaning it flags issues that aren't real vulnerabilities, you end up wasting resources investigating non-issues and your development organization will ultimately reject or circumvent the tool.
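To make the accuracy trade-off above concrete, here is an added toy SAST pass (example code, not Synopsys' tooling or anything from the interview) that walks a Python AST and reports the line of each `execute()` call whose SQL string is built dynamically. The `precise` flag contrasts a constant-folding check with a naive "anything that is not a literal" check, which raises the false positive on line 5 that would erode developer trust; the sample source is constructed.

```python
"""Toy SAST pass: report line numbers of SQL executed with a dynamically built query.

Constructed example, not a product's engine. A real scanner tracks data flow
across functions; this one only inspects the first argument of execute() calls.
"""
import ast
from typing import List

# Constructed sample input: three execute() calls, only one is genuinely unsafe.
SAMPLE_SOURCE = '''
def lookup(cur, user_id):
    cur.execute("SELECT * FROM users WHERE id = %s", (user_id,))   # safe: parameterised
    cur.execute("SELECT * FROM users WHERE id = " + user_id)      # unsafe: concatenation
    cur.execute("SELECT 1 " + "FROM dual")                         # safe: constants only
'''


def _is_constant_string(node: ast.AST) -> bool:
    """True when the expression can only ever evaluate to one fixed string."""
    if isinstance(node, ast.Constant):
        return isinstance(node.value, str)
    if isinstance(node, ast.BinOp) and isinstance(node.op, ast.Add):
        return _is_constant_string(node.left) and _is_constant_string(node.right)
    return False


def find_dynamic_sql(source: str, precise: bool = True) -> List[int]:
    """Return sorted line numbers of execute() calls whose query is not constant.

    precise=True folds constant concatenation, so line 5 is not reported.
    precise=False mimics a naive scanner that flags any non-literal argument,
    which reports line 5 as a false positive alongside the real finding on line 4.
    """
    findings = []
    for node in ast.walk(ast.parse(source)):
        if (isinstance(node, ast.Call) and isinstance(node.func, ast.Attribute)
                and node.func.attr == "execute" and node.args):
            query = node.args[0]
            if precise:
                safe = _is_constant_string(query)
            else:
                safe = isinstance(query, ast.Constant)
            if not safe:
                findings.append(node.lineno)
    return sorted(findings)


if __name__ == "__main__":
    print("precise:", find_dynamic_sql(SAMPLE_SOURCE))          # [4]
    print("naive:  ", find_dynamic_sql(SAMPLE_SOURCE, False))   # [4, 5]
```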

Q2. What are the biggest technical challenges in securing customer-facing web applications given the emphasis on speed in software delivery these days?

One of the biggest challenges organizations face in securing their customer-facing web applications today is the rapid, continuous pace of modern software development and delivery. Development paradigms like Agile, DevOps, and CI/CD are becoming mainstream, and application delivery cadences have warped from quarterly or monthly releases to, in some cases, dozens of code changes per day. In theory, one small code change (a single line of code) could be the difference between a secure application and a massive data breach. With application code bases in constant flux, this evolution has really turned application security into a moving target. In response, application security technologies and best practices have had to evolve too. The AppSec market is moving towards fully automated, continuous security testing solutions, technologies that automatically prioritize the most critical vulnerabilities, and tools that perform incremental scans based on changes to a code base.

Another side effect of modern software development is the widespread use of vulnerable open source software components. Open source software itself is not a security problem, but the use of outdated, insecure open source components, or the failure to patch them when new vulnerabilities are disclosed, has left many organizations exposed. With modern applications comprising more open source than proprietary code, and with 15 to 20 unique open source vulnerabilities being discovered each day, managing open source security has become a major challenge. Software composition analysis, an application security testing technology that automatically identifies and tracks vulnerable open source components, is quickly gaining traction with organizations seeking to proactively address this challenge.

Q3. What does Synopsys plan to highlight, or focus on, at Black Hat Asia 2019 and why?

At Black Hat Asia 2019, Synopsys will be showcasing our portfolio of industry-leading tools and services designed to help organizations build secure, high quality software faster. Our solutions include static application security testing, software composition analysis, and dynamic application security testing, which enable teams to quickly find and fix vulnerabilities and defects in proprietary code, open source components, and application behavior.

We will also be unveiling our new application security testing platform that unifies our tools and services into a centralized management and reporting console. Organizations need to employ a combination of security testing techniques at various stages within the SDLC to secure their applications against evolving threats, but they also need to do so in an efficient and effective manner that is conducive to agility and innovation. Over the past several years, we have successfully developed a portfolio of differentiated products and services that address most organizations' security testing gaps, and now we're delivering on the promise to drive efficiencies and synergies across these solutions. The new platform represents an important step forward in unifying our Software Integrity portfolio into an offering that is more valuable than the sum of its parts.