<?xml version="1.0" encoding="utf-8"?>
<rss xmlns:dc="http://purl.org/dc/elements/1.1/" version="2.0" xml:base="https://www.hackerone.com/">
  <channel>
    <title>Application Security</title>
    <link>https://www.hackerone.com/</link>
    <description/>
    <language>en</language>
    
    <item>
  <title>How HackerOne Reinvented Security for Developers</title>
  <link>https://www.hackerone.com/blog/how-hackerone-reinvented-security-developers</link>
  <description><![CDATA[<span class="field field--name-title field--type-string field--label-hidden">How HackerOne Reinvented Security for Developers</span>
    



    
        Dan Mateer
        
            Senior Director, Delivery Excellence
      
    


<span class="field field--name-uid field--type-entity-reference field--label-hidden"><span>h1_admin</span></span>
<span class="field field--name-created field--type-created field--label-hidden">Mon, 01/27/2025 - 08:27
</span>

            
  
      
  
                



          

  

      
            January 27th, 2025

      
            <h2>Workflow Integration</h2><p dir="ltr">Code security tools need to be accessible in the toolkit developers already use and in the workflows they already know. Git pull/merge requests, the standard for peer review validation, were the ideal areas to introduce the interface. Here, every way a user can access and interact with the platform is end-to-end native. If an engineer has experience with peer code review, they already know how to use it.</p><p dir="ltr">The experience is consistent across code repository providers - whether cloud-hosted or on-premise. It works just as well for a cloud-hosted GitHub repository as it does for a self-hosted Azure DevOps repository.</p><h2>Validation for Deterministic Warnings</h2><p dir="ltr">Noise from security scanners fosters a distrust-by-default relationship and leads to over-scrutinization of true positives. To rebuild developer trust, scanners need to be consistently right.</p><p dir="ltr">Knowing this, we built a Code Security Engine combining&nbsp;<a href="https://www.hackerone.com/press-release/hackerone-and-semgrep-partner-streamline-code-review-modern-development">some of the best scanning tools</a> (SAST, SCA, IaC, Secrets) working in tandem with a Context Engine - leveraging AI to assess the relevance and accuracy of their outputs - to enumerate and prioritize warnings for HITL validation.&nbsp;</p>

<em>In most cases, less than 25% of security scanner warnings are true positives or warrant action. Low-likelihood “noise” is flagged by HackerOne AI’s (</em><a href="https://www.hackerone.com/ai"><em>Hai</em></a><em>) Context Engine model and confirmed by HITL validation to filter false-positives and prevent false-negatives.</em>



<em>AI-generated analysis of code changes used in HITL validation for understanding architectural implications.</em>

<p dir="ltr">After validation, all findings are presented with remediation guidance from an experienced engineer who manually reviewed them, so they’re surfaced with contextual understanding, prescriptive next steps, and an actual person who can help.</p><p dir="ltr">This multi-layered filtering ensures the controls that interact with developers activate only when it’s important, actionable, and with remediation support.</p>

<em>A security risk flagged by a code security scanner validated by an expert with an additional insight and guidance in a “Remediation” section.</em>

<h2>Validation for Non-Deterministic Risks</h2><p dir="ltr">In parallel, to catch flaws at greater architectural depths, our Hai Hotspots model traverses the changes and repositories. Designed to mimic how a human engineer would navigate a codebase for security flaws, it poses unexpected scenarios with risk implications and then analyzes reachability with indexing techniques that use symbol definitions and references to learn implementation.</p><p dir="ltr">The power of this technology is its non-deterministic output - which is weakly actionable if sent to a developer tasked with&nbsp;<em>remediation</em>, but highly actionable for&nbsp;<em>review</em> and&nbsp;<em>investigation</em>.</p>

<em>AI-generated security hotspot warning presented to experts reviewing proposed code changes during HITL validation.</em>

<p dir="ltr">This is where HITL validation is critical—the output is meticulously reviewed manually by an expert within the context of the entire codebase and with a powerful set of tools. If confirmed, it’s sent to developers in the form of actionable next steps.</p><h3>Feedback Loops That Listen and Learn</h3><p dir="ltr">What if a security risk can’t be confirmed with 100% confidence? Are there multiple approaches to remediation?</p><p dir="ltr">HITL validation introduces an expert qualified for these discussions.&nbsp;<a href="https://docs.github.com/en/pull-requests/collaborating-with-pull-requests/proposing-changes-to-your-work-with-pull-requests/about-pull-requests" target="_blank">This is what pull/merge requests are for</a>. Experts are assigned to proposed changes for the remainder of the pull/merge request lifecycle so anything learned from discussions is retained—creating a smart, adaptive exception management process without slowing developers down.</p>

<em>AI with HITL validation enables discussion at the pull/merge request code review phase - an existing and well-established SDLC step designed for collaboration on proposed changes.</em>

<h2>The Human-in-the-loop Experience</h2><p dir="ltr">Our most advanced web application is one our customers never need to see: the platform where&nbsp;<a href="https://www.pullrequest.com/reviewers/" target="_blank">our network of experts</a> analyze engine outputs and manually review code.</p><p dir="ltr">When a threshold of risk is detected, output is populated in a specialized first-of-its-kind code review platform with the familiarity of an integrated development environment (IDE) to conduct validation.&nbsp;</p><p dir="ltr">A lot needs to be known quickly. Analysis of the code is visually sequenced based on priority focus areas with cognitive load awareness. They know what was changed and why and access areas&nbsp;<em>unchanged</em>&nbsp;to gain full context.</p>

<em>Tooling for HITL validation on HackerOne PullRequest.</em>

<h2>What Does it Look Like?</h2><p dir="ltr">When proposed changes are analyzed and determined not to contain security risks, developers are informed quickly in built-in pipeline checks—usually completing&nbsp;<strong>within</strong>&nbsp;<strong>2 minutes</strong>.</p>

<em>Lifecycle of security analysis where changes do not contain security risks.</em>



<em>Results from Scanning Engine and Hai Hotspots model as pipeline check.</em>

<p dir="ltr">When changes contain possible security risks that need review, they’re triaged for non-blocking human expert review. Validation is usually completed&nbsp;<strong>within 90 minutes</strong>.</p>

<em>Lifecycle of security risk analysis with HITL validation.</em>



<em>Results of HITL validation visible to developers as interactive peer code review commentary.</em>

<h2>Conclusion</h2><p dir="ltr">Security controls that interface directly with developers need to understand how developers work. They need to be&nbsp;<a href="https://www.hackerone.com/vulnerability-management/resurrecting-shift-left-human-in-the-loop-ai">actionable, non-blocking, and include remediation as part of the solution</a>.&nbsp;<a href="https://www.hackerone.com/product/pull-request">HackerOne PullRequest</a> makes this possible because of all that happens behind the scenes. By combining human expertise with thoughtfully deployed AI models and agents, the platform can learn context, provide feedback, filter SAST and SCA warnings, find vulnerabilities, and help developers fix them all within the workflows they already use and without sacrificing velocity.</p>
      

            
            <a href="https://www.hackerone.com/blog/topic/application-security" hreflang="en">Application Security</a>
        
            
            <a href="https://www.hackerone.com/blog/topic/vulnerability-management" hreflang="en">Vulnerability Management</a>
        
    

            <p dir="ltr">Our mission to create a solution to mend the rift between security and development with AI&nbsp;<a href="https://www.hackerone.com/press-release/hackerone-acquires-pullrequest-power-developer-first-security-testing-solutions">began in 2022</a>. We prioritized a human-in-the-loop (HITL) validation methodology based not just on our commitment to responsible use of models, but on a thesis that reducing the methodology to binary categorization is a misuse of its potential. A human expert can confirm output as “right” or “wrong,” and then enrich output that’s “right” to be smarter and actionable.</p><p dir="ltr">We were right. When these principles are applied, application security controls can not only be compatible with development, but loved by developers.</p>
      ]]></description>
  <pubDate>Mon, 27 Jan 2025 14:27:01 +0000</pubDate>
    <dc:creator>h1_admin</dc:creator>
    <guid isPermaLink="false">5469 at https://www.hackerone.com</guid>
    </item>
<item>
  <title>Pentesting for iOS Mobile Applications</title>
  <link>https://www.hackerone.com/blog/pentesting-ios-mobile-applications</link>
  <description><![CDATA[<span class="field field--name-title field--type-string field--label-hidden">Pentesting for iOS Mobile Applications</span>
    



    
        Paul De
        
            Technical Engagement Manager
      
    


<span class="field field--name-uid field--type-entity-reference field--label-hidden"><span>h1_admin</span></span>
<span class="field field--name-created field--type-created field--label-hidden">Thu, 08/29/2024 - 13:30
</span>

            
  
      
  
                



          

  

      
            August 29th, 2024

      
            <p dir="ltr">Pentest reports are a requirement for many security compliance certifications (such as&nbsp;<a href="https://www.hackerone.com/security-compliance/gdpr-pentesting">GDPR&nbsp;</a>and&nbsp;<a href="https://www.hackerone.com/security-compliance/hipaa-pentesting">HIPAA</a>), and having regular pentest reports on hand can also signal to high-value customers that you care about the security of your mobile applications, boosting customer trust and brand loyalty.</p><p dir="ltr">In this blog, we’ll cover some of the most important aspects of pentesting for iOS mobile applications. Jump to a topic using the links below:</p><ul><li dir="ltr"><a href="#methodologies">iOS Testing Methodologies</a></li><li dir="ltr"><a href="#vulnerabilities">Common iOS Vulnerabilities</a></li><li dir="ltr"><a href="#practices">iOS Pentesting Best Practices</a></li><li dir="ltr"><a href="#doorbell">Case Study: Doorbell Camera App Leaks User Location</a></li></ul><h2 id="methodologies">iOS Testing Methodologies</h2><p dir="ltr">HackerOne's iOS testing methodologies are informed by established standards such as the&nbsp;<a href="https://pentest-standard.readthedocs.io/en/latest/" target="_blank">PTES</a>,&nbsp;<a href="https://owasp.org/www-project-mobile-top-10/" target="_blank">OWASP Mobile Top 10</a>, and the OWASP Mobile Application Security Testing Guide (<a href="https://mas.owasp.org/MASTG/" target="_blank">MASTG</a>). Additionally, our testing processes adhere to the standards required for&nbsp;<a href="https://www.hackerone.com/security-compliance/crest-pentesting">CREST</a> certification/accreditation, ensuring comprehensive and reliable assessments across various application types, including mobile applications.</p><p dir="ltr">Our methodology is continuously evolving to ensure comprehensive coverage for each pentesting engagement. 
This approach stems from:</p><ul><li dir="ltr">Consultations with both internal and external industry experts.</li><li dir="ltr">Leveraging and adhering to recognized industry standards.</li><li dir="ltr">Incorporating feedback and insights from our pentesters, who bring valuable experience from their full-time roles outside of HackerOne, enabling us to deliver highly technical, in-depth testing.</li><li dir="ltr">Gleaning insights from a vast array of global customer programs, spanning both time-bound and ongoing engagements.</li><li dir="ltr">Detailed analysis of millions of vulnerability reports we receive through our platform (see the&nbsp;<a href="https://hackerone.com/hacktivity/overview">Hacktivity page</a> for details).</li></ul><p dir="ltr">Threats are constantly evolving, so our methodology can't remain stagnant. HackerOne’s Delivery team, including experienced <a href="https://docs.hackerone.com/en/articles/8541431-your-pentest-team">Technical Engagement Managers</a> (TEMs), constantly refines and adapts based on feedback and real-world experiences, delivering unparalleled security assurance.</p><h2 id="vulnerabilities">Common iOS Vulnerabilities</h2><h3>Improper Credential Usage</h3><p dir="ltr"><a href="https://www.hackerone.com/engineering/credentials-rotation">Improper credential usage</a> is very common in mobile applications, particularly those with backend APIs or databases that require authentication. This often results in credentials being hardcoded within the application. Improper credential usage also includes the insecure transmission of authentication materials, such as the lack of TLS encryption during transit, and the insecure storage of user credentials, such as failing to use the iOS sandbox model to secure data access against other apps.</p><p dir="ltr">For example, hardcoded API keys like AWS access keys or Google Maps API keys can be easily extracted from the application package. 
An attacker who obtains these keys could interact with backend services, potentially exposing sensitive data about other users, initiating unauthorized transactions, or even compromising the organization’s cloud infrastructure. If an AWS key is exposed, the attacker could gain access to cloud resources, modify configurations, or extract critical data, leading to significant financial and reputational damage.</p><p dir="ltr">Additionally, some applications store sensitive information, like OAuth tokens or user credentials, in insecure storage areas such as plain text files or unprotected databases. Mobile malware can exploit these weaknesses to harvest credentials, allowing attackers to impersonate users or gain unauthorized access to private information, leading to data breaches or identity theft.</p><p dir="ltr">Testing for improper credential usage is straightforward and typically involves scanning extracted application files for secrets, analyzing the source code for where credentials are transmitted or stored, and checking for the use of secure channels like TLS. This vulnerability is particularly prevalent in untested applications, where significant credential misuse is often uncovered during the first test. The discovery of hardcoded credentials, insecure storage practices, and unencrypted transmission underscores the critical importance of regular pentesting for mobile applications.</p><h3>Insecure Authentication or Authorization</h3><p dir="ltr">Mobile applications often serve as a front end for APIs and web services, making insecure authentication or authorization issues prevalent. If a mobile app acts as an authorized agent to query backend data without proper security, an attacker could mimic this interaction to access sensitive data or execute actions anonymously. 
This risk increases when the associated API is also in scope, as vulnerabilities in the API can directly affect the mobile app's security.</p><p dir="ltr">Third-party authentication mechanisms, like signing in with Apple ID or social media accounts, introduce additional attack surfaces, particularly in account creation and recovery flows. For example, flaws in OAuth implementation or token validation could allow unauthorized access.</p><p dir="ltr">Mobile apps may also include local authentication methods, such as user-specified PINs or passwords. Vulnerabilities in app logic or misuse of iOS native APIs could lead to bypassing these protections. Ensuring both local and remote access controls are tested and secured is crucial.</p><h3>Inadequate Privacy Controls</h3><p dir="ltr">Getting privacy right is important, but even more so on mobile applications, as mobile devices contain a lot of Personally Identifiable Information (PII). Operating systems like iOS place a strong emphasis on privacy, constantly updating their <a href="https://www.apple.com/au/privacy/control/" target="_blank">controls</a> to ensure that data access is granted only with explicit user consent. If your application isn’t tested for compliance with legal privacy regulations like GDPR, CCPA, or emerging laws such as India’s Digital Personal Data Protection Act (<a href="https://www.globalprivacyblog.com/2023/12/indias-digital-personal-data-protection-act-2023-vs-the-gdpr-a-comparison/" target="_blank">DPDPA</a>), it could face regulatory penalties or struggle to access the data necessary for its functionality.</p><p dir="ltr">Inadequate privacy controls can also intersect with other vulnerabilities, such as insecure authentication or authorization, or improper storage of credentials. For example, if broken access controls in the backend API allow a user to access another user’s sensitive data, or if sensitive data is improperly cached on the device, it could lead to a serious data breach. 
Such incidents not only violate privacy regulations but can also severely damage an organization’s reputation.</p><p dir="ltr">We've seen reports of specific privacy-impacting vulnerabilities, including improper handling of OAuth tokens, lack of encryption for sensitive data stored on devices, and insufficient user consent mechanisms for accessing personal data. Addressing privacy control issues requires expert knowledge of mobile operating systems, application data handling, privacy policies, and relevant regulatory frameworks. Testing for these issues is crucial to ensure compliance and protect user data.</p><h2 id="practices">iOS Best Practices</h2><h3>Careful Scoping</h3><p dir="ltr">Having the right scope is crucial to a successful pentest—what is being tested can be just as important as how it is done. Modern iOS applications can be complex, with various features, frameworks, APIs, and integrations.</p><p dir="ltr">With limited time and resources for each pentest, selecting critical targets within the iOS application can make the difference between a low-value report and a successful pentest with high-impact findings. For instance, focusing on testing complex authentication mechanisms, data storage, inter-app communication, and the APIs that the iOS app interfaces with can yield more significant results than testing superficial UI elements. 
HackerOne evaluates your assets to accurately determine the needed pentest size and provides a customized quote tailored to your specific pentest requirements.</p><p dir="ltr"><em><strong>Read the Pre-Pentest Checklist Series&nbsp;</strong></em><a href="https://www.hackerone.com/penetration-testing/pre-pentest-checklist-part1"><em><strong>Part 1</strong></em></a><em><strong> and&nbsp;</strong></em><a href="https://www.hackerone.com/penetration-testing/pre-pentest-checklist-part2"><em><strong>Part 2&nbsp;to address crucial questions before your next pentest</strong></em></a><em><strong>.</strong></em></p><h3>Skills-Based Tester Matching</h3><p dir="ltr">Traditional consultancies often rely on in-house pentesters with general skills. However, iOS pentesting requires specialized knowledge of iOS architecture, Swift/Objective-C coding, and mobile security practices, which many firms lack.</p><p dir="ltr">With HackerOne Pentest, delivered via a Pentest as a Service (PTaaS) model, customers gain access to a diverse pool of elite, vetted security researchers who bring a wide range of skills, certifications, and experience. The HackerOne platform keeps track of each researcher's skill set based on their track record and matches the most suitable researchers for each engagement. The community-driven PTaaS approach delivers comprehensive coverage, versatility, and&nbsp;<a href="https://www.hackerone.com/penetration-testing/modern-pentesting-effectiveness">the highest-quality results&nbsp;</a>tailored to the types of assets and technology stacks of your mobile applications.&nbsp;&nbsp;</p><h2 id="doorbell">Case Study: Doorbell Camera App Leaks User Location</h2><p dir="ltr">Amazon's Ring Neighbours app allows users to publicly share Ring camera feeds online. In 2021, the organization had a data breach that<a href="https://techcrunch.com/2021/01/14/ring-neighbors-exposed-locations-addresses/" target="_blank"> leaked the precise location and home address</a> of its users. 
Although the precise location was not visible in the application, the underlying API responses of the users' posts leaked the longitude, latitude and home addresses of users who posted through the app. Even though not all posts were displayed to the user, the ID number of each post was incremental — meaning that an attacker could query the same API for all existing posts by changing the post number, and get more sensitive data. At the time, there were about 4 million posts in total - that's a lot of home addresses.</p><p dir="ltr">Inspecting and manipulating API requests is often the first or second step taken in a mobile application pentest, meaning that given a thorough pentest of this mobile application, the vulnerability would've easily been found and the data breach avoided. Privacy issues like these have been found and disclosed on HackerOne's programs, such as when Nextcloud's mobile application leaked&nbsp;<a href="https://hackerone.com/reports/1167919">file search records to the server during a local search</a>, or the&nbsp;<a href="https://hackerone.com/reports/781238">lack of anonymization of analytics data</a> on the Nord VPN app.&nbsp;</p><p dir="ltr">Both of those reports demonstrated that the researcher had an in-depth understanding of the application's data and privacy model, and hackers like them will be pentesting iOS applications for your organization.</p><h2 id="why">Why HackerOne is the Best Option for iOS Pentests</h2><p dir="ltr">By choosing HackerOne as your partner in pentesting, your organization can fully benefit from the <a href="https://www.hackerone.com/product/pentest">community-driven PTaaS model</a>. 
The HackerOne Platform simplifies pentest requests, asset onboarding, and researcher enlistment, making the process swift and efficient.&nbsp;</p><p dir="ltr">Our community of iOS experts brings deep knowledge of Apple's ecosystem, Swift, Objective-C, and the iOS platform, providing comprehensive coverage of&nbsp;<a href="https://owasp.org/www-project-mobile-top-10/" target="_blank">OWASP Mobile Top 10</a> risks and additional concerns like app extension vulnerabilities and iCloud data syncing issues. Utilizing advanced tools such as Frida and Objection, manual testing techniques, and custom scripts, HackerOne Pentests simulate real-world attack scenarios going beyond automated scans.&nbsp;</p><p dir="ltr">HackerOne's pentest reports help executives and cybersecurity engineers harden iOS apps against breaches that could lead to fines or penalties under GDPR and CCPA. Our iOS pentests offer critical protection in an evolving threat landscape by providing guidance on implementing Apple's latest security features. With the rapid setup, effective assessments, and prompt retesting, HackerOne supports organizations in reducing breach risks and helping fulfill compliance.</p><p dir="ltr">With the right blend of crowdsourced security, technical expertise, and technology, HackerOne is the ideal choice for your iOS mobile application pentests. To learn more or get started on your first pentest with HackerOne, <a href="https://www.hackerone.com/contact">contact our team of experts today.</a></p>
      

            
            <a href="https://www.hackerone.com/blog/topic/application-security" hreflang="en">Application Security</a>
        
            
            <a href="https://www.hackerone.com/blog/topic/penetration-testing" hreflang="en">Penetration Testing</a>
        
    

            <p dir="ltr">From private messaging to mobile banking, billions of people around the world rely on iOS applications to provide real-time access to services while protecting their most sensitive data — data highly sought after by attackers. To safeguard these applications, HackerOne offers a methodology-driven penetration testing (pentesting) solution delivered via a Pentest as a Service (PTaaS) model. This approach connects organizations with&nbsp;<a href="https://docs.hackerone.com/en/articles/8538639-pentester-selection-and-vetting-process">a heavily vetted cohort of a global ethical hacker community</a> for comprehensive, end-to-end pentesting. Frequently performing dedicated pentesting, using a community-driven PTaaS is crucial to finding vulnerabilities in your mobile applications and quickly remediating them to reduce risk.</p>
      ]]></description>
  <pubDate>Thu, 29 Aug 2024 18:30:11 +0000</pubDate>
    <dc:creator>h1_admin</dc:creator>
    <guid isPermaLink="false">5413 at https://www.hackerone.com</guid>
    </item>
<item>
  <title>A Visual Guide to Bug Bounty Success </title>
  <link>https://www.hackerone.com/blog/visual-guide-bug-bounty-success</link>
  <description><![CDATA[<span class="field field--name-title field--type-string field--label-hidden">A Visual Guide to Bug Bounty Success </span>
    



    
        H1 Team
        
    


<span class="field field--name-uid field--type-entity-reference field--label-hidden"><span>h1_admin</span></span>
<span class="field field--name-created field--type-created field--label-hidden">Wed, 05/10/2017 - 23:05
</span>

            
  
      
  
                



          

  

      
            August 7th, 2024

      
            <p class="text-align-center"><strong>Click the image to download the Visual Guide to Bug Bounty Success</strong></p><a href="https://ma.hacker.one/rs/168-NAU-732/images/visualized-guide-to-bug-bounty-success-bbbfm_V4%20%281%29.pdf">&nbsp;</a><h2 dir="ltr"><span>START HERE</span></h2><h3 dir="ltr"><span>SETUP</span></h3><h4 dir="ltr"><span>Hone Your Vulnerability Management and Scoring Process</span></h4><p dir="ltr"><span>Finetune your vulnerability management process, which scoring system you use, and document how bug bounty reports fit in.</span></p><p dir="ltr"><a href="https://www.hackerone.com/vulnerability-management/common-bug-bounty-program-mistakes"><em><span>Learn about severity scoring &gt;</span></em></a></p><h4 dir="ltr"><span>Prepare Your Support Team</span></h4><p dir="ltr"><span>Your Bug Bounty Leader should determine your on-duty support rotation and sort out your triage team for the most efficient remediation.</span></p><p dir="ltr"><a href="https://www.hackerone.com/hackerones-depth-approach-vulnerability-triage-and-validation"><em><span>Learn about HackerOne triage &gt;</span></em></a></p><h4 dir="ltr"><span>Assess Your Budget</span></h4><p dir="ltr"><span>Use bounty benchmarking data to secure the appropriate budget, price bounties effectively, and manage your budget efficiently.</span></p><p dir="ltr"><a href="https://www.hackerone.com/vulnerability-management/bug-bounty-budget-efficiency"><em><span>How to set an efficient bug bounty budget &gt;</span></em></a></p><h4 dir="ltr"><span>Communicate Your Response Targets</span></h4><p dir="ltr"><span>Set expectations for hackers on your security page for bounty payments by severity, time to triage, time to bounty, and time to remediation.&nbsp;</span></p><h4 dir="ltr"><span>Update Your Security Page</span></h4><p dir="ltr"><span>The “front door” for hackers to any bug bounty program is the security page. 
Be transparent about what policies, scopes, and standards hackers should expect from your program.&nbsp;</span></p><p dir="ltr"><a href="https://www.hackerone.com/security-page-updates"><em><span>See security page best practices &gt;</span></em></a></p><h4 dir="ltr"><span>Champion Internally</span></h4><p dir="ltr"><span>Security leaders can showcase the value of a robust bug bounty program by emphasizing the ROI of staying secure in comparison to the cost of a breach.</span></p><p dir="ltr"><a href="https://www.hackerone.com/customer-stories/get-the-most-from-hackers"><em><span>How&nbsp;</span></em></a><a href="https://www.hackerone.com/customer-stories/securing-organizational-buy-in"><em><span>customers secure bug bounty buy-in &gt;</span></em></a></p><h3 dir="ltr"><span>OPERATE</span></h3><h4 dir="ltr"><span>Refine Your Scope</span></h4><p dir="ltr"><span>As new assets are deployed or updated (e.g. websites, IoT devices, Mobile apps), refine your bug bounty scope for timely and continuous testing based on your industry and security goals.</span></p><h4 dir="ltr"><span>Get the Right Hackers</span></h4><p dir="ltr"><span>Invite the right number and skillsets of hackers to your private program — and call in the HackerOne Triage experts to help with incoming reports.&nbsp;</span></p><p dir="ltr"><em><span>How customers get the best hacker results &gt;</span></em></p><h4 dir="ltr"><span>Reward Your Hackers</span></h4><p dir="ltr"><span>Set your payment scale according to appropriate severity standards, and HackerOne facilitates the entire transaction for bounty payouts.&nbsp;&nbsp;</span></p><p dir="ltr"><a href="https://www.hackerone.com/customer-stories/get-the-most-from-hackers"><em><span>How&nbsp;customers get the best hacker results &gt;</span></em></a></p><h4 dir="ltr"><span>Measure Success</span></h4><p dir="ltr"><span>Bug bounty success is different for every program and organization, but by setting clear KPIs and sticking to them, you can 
effectively measure the success of your program and present the ROI to stakeholders.</span></p><p dir="ltr"><a href="https://www.hackerone.com/blogs-hackerones-ceo/prove-your-worth-how-measure-cybersecurity-roi-and-impress-your-board"><em><span>How customers measure bug bounty ROI &gt;</span></em></a></p><h3 dir="ltr"><span>EVALUATE</span></h3><h4 dir="ltr"><span>Scale Your Program</span></h4><p dir="ltr"><span>More hackers + more scope + increased bounties = bigger, badder bugs. Work with HackerOne to determine the right time to add more assets into scope or take your private bug bounty program public.</span></p><p dir="ltr"><a href="https://www.hackerone.com/resources/customer-story/mercado-libres-journey-to-a-public-bug-bounty-program"><em><span>Mercado Libre’s journey to a public program &gt;</span></em></a></p><h4 dir="ltr"><span>Be Creative and Test</span></h4><p dir="ltr"><span>Make your bug bounty program exciting for researchers by participating in live hacking events, gamifying vulnerability discoveries, or matching bounty donations to charity.&nbsp;</span></p><p dir="ltr"><a href="https://www.hackerone.com/customer-stories/10-years-github-security-bug-bounty-program"><em><span>How GitHub kept hackers engaged for 10 years of bug bounty &gt;</span></em></a></p>
      

            
            <a href="https://www.hackerone.com/blog/topic/application-security" hreflang="en">Application Security</a>
        
            
            <a href="https://www.hackerone.com/blog/topic/vulnerability-management" hreflang="en">Vulnerability Management</a>
        
    

            <p>While bug bounty success looks different for every program and organization, there are a number of key steps in planning, operating, and evaluating your program that will help ensure you achieve your security goals.</p>
      ]]></description>
  <pubDate>Thu, 11 May 2017 04:05:03 +0000</pubDate>
    <dc:creator>h1_admin</dc:creator>
    <guid isPermaLink="false">4644 at https://www.hackerone.com</guid>
    </item>
<item>
  <title>Pentesting for Web Applications</title>
  <link>https://www.hackerone.com/blog/pentesting-web-applications</link>
  <description><![CDATA[<span class="field field--name-title field--type-string field--label-hidden">Pentesting for Web Applications</span>
    



    
        HackerOne Pentest
        
    


<span class="field field--name-uid field--type-entity-reference field--label-hidden"><span>h1_admin</span></span>
<span class="field field--name-created field--type-created field--label-hidden">Wed, 07/10/2024 - 12:47
</span>

            
  
      
  
                



          

  

      
            July 10th, 2024

      
<p dir="ltr">Pentest reports are a requirement for many security compliance certifications (such as&nbsp;<a href="https://www.hackerone.com/security-compliance/iso-27001-pentesting">ISO 27001</a> and&nbsp;<a href="https://www.hackerone.com/security-compliance/soc-2-pentesting">SOC 2</a>), and having regular pentest reports on hand can also signal to high-value customers that you care about the security of your web applications, boosting customer trust and brand loyalty.</p><p dir="ltr">Jump to a topic using the links below:</p><ul><li><p dir="ltr"><a href="#methodologies">Testing Methodologies</a></p></li><li><p dir="ltr"><a href="#vulnerabilities">Common Vulnerabilities</a></p></li><li><p dir="ltr"><a href="#practices">Best Practices</a></p></li><li><p dir="ltr"><a href="#case">Case Study: The Easily Avoidable IDOR</a></p></li></ul><h2 id="methodologies">Testing Methodologies</h2><p dir="ltr">HackerOne's testing methodologies are grounded in the principles of the<a href="https://owasp.org/www-project-top-ten" target="_blank">&nbsp;OWASP Top 10</a>,<a href="https://pentest-standard.readthedocs.io/en/latest/" target="_blank">&nbsp;Penetration Testing Execution Standard (PTES)</a>,<a href="https://www.isecom.org/OSSTMM.3.pdf" target="_blank">&nbsp;Open Source Security Testing Methodology Manual (OSSTMM)</a>, and&nbsp;<a href="https://www.crest-approved.org/member_companies/hackerone/" target="_blank">Council for Registered Ethical Security Testers (CREST)</a>, and can be tailored to various assessment types, including web applications.</p><p dir="ltr">Our methodology is continuously evolving to ensure comprehensive coverage for each pentesting engagement. 
This approach stems from:</p><ul><li dir="ltr">Consultations with both internal and external industry experts.</li><li dir="ltr">Leveraging and adhering to recognized industry standards.</li><li dir="ltr">Gleaning insights from a vast array of global customer programs, spanning both time-bound and continuous engagements.</li><li dir="ltr">Detailed analysis of millions of vulnerability reports we receive through our platform (see the<a href="https://hackerone.com/hacktivity/overview" target="_blank">&nbsp;Hacktivity page</a> for details).</li></ul><p dir="ltr">Threats are constantly evolving, so our methodology can't remain stagnant. HackerOne’s Delivery team, including experienced<a href="https://docs.hackerone.com/en/articles/8541431-your-pentest-team"> Technical Engagement Managers</a> (TEMs), constantly refines and adapts it based on feedback and real-world experience, delivering unparalleled security assurance.</p><h2 id="vulnerabilities">Common Vulnerabilities</h2><h4>Injection</h4><p dir="ltr">Injection is a wide category of vulnerabilities in which user-supplied input is not properly validated, sanitized, or filtered by the web application before use. The most common injection vulnerabilities include&nbsp;<a href="https://www.hackerone.com/vulnerability-management/xss-deep-dive" target="_blank">Cross-Site Scripting (XSS)</a>, SQL injection, OS command injection, and Server-Side Template Injection. 
Injection bugs have severe impacts since they often enable attackers to access sensitive data, execute arbitrary code, or steal private information from authenticated users.</p><p dir="ltr">Testing for this type of vulnerability involves a mixture of automated and manual testing of all user-controlled input parameters, such as form submissions, cookies, URL parameters, and XML- and JSON-encoded user inputs.</p><h4>Broken Access Control</h4><p dir="ltr"><a href="https://www.hackerone.com/vulnerability-management/improper-access-control-deep-dive">Broken access control&nbsp;</a>is the current top entry in the OWASP Top 10. It refers to a variety of issues in the web application's business and access control logic where a user can access data they are not authorized to see. Popular examples of broken access control include IDOR (Insecure Direct Object Reference), privilege escalation, path traversal, and open redirects.</p><p dir="ltr">Testing for broken access control requires a careful examination of business logic, analysis of the various access levels, and checks for cross-tenant issues in a web application, in combination with powerful automated tools that check for authorization issues in each request, such as PortSwigger's&nbsp;<a href="https://github.com/PortSwigger/autorize" target="_blank">Autorize</a> extension.</p><p dir="ltr">Authentication and authorization are hard to get right, hence the importance of pentests. Our community of ethical hackers is well-versed in testing for access control issues; in fact, it's the second most&nbsp;<a href="https://www.hackerone.com/top-ten-vulnerabilities">frequent type of bug found in HackerOne's bug bounty programs</a>.</p><h4>Information Disclosure</h4><p dir="ltr"><a href="https://www.hackerone.com/vulnerability-management/information-disclosure-deep-dive">Information disclosure</a> often occurs as a consequence of other vulnerabilities, but it can also happen on its own. 
From misconfigured cloud services (such as AWS S3 buckets and Google Firebase) down to memory issues (such as buffer over-reads in edge devices), data leaks can occur anywhere. Failure to implement or enforce access control in REST and GraphQL APIs is another common source of information disclosure, where users can request data belonging to any other entity in the database.</p><p dir="ltr">Depending on the sensitivity of the disclosed data, it could be leveraged to perform other attacks (for example, leaked CSRF tokens, API keys, or paths disclosed in verbose error messages), or it could create direct business impact and have regulatory implications (for example, leaked Personally Identifiable Information or health information).</p><h4>Vulnerable Components</h4><p dir="ltr">The supply chain of web application libraries is increasingly complex, involving thousands of frontend and backend components to support the needs of an application. It's challenging to keep them all patched and working well with each other, which is why using components with known vulnerabilities is a common finding in pentests. Depending on the vulnerability and how the component is used (either directly or as a transitive dependency), it can have serious impacts, ranging from XSS and denial of service to remote code execution.</p><p dir="ltr">Testing for vulnerable components, and especially finding higher-impact vulnerabilities in backend code, is much easier in white-box and gray-box testing setups, where the source code and SBOM (Software Bill of Materials) are provided to pentesters.&nbsp;</p><h2 id="practices">Best Practices</h2><h4>Careful Scoping</h4><p dir="ltr">Having the right scope is crucial to a successful pentest: what is being tested can be just as important as how it is being tested. Modern web applications can be complex beasts with many different features, subdomains, APIs, and so on.&nbsp;</p><p dir="ltr">Effective pentesting hinges on the strategic selection of targets within the web application. 
Choosing the right focus can mean the difference between an inconsequential report with few findings (such as testing the frontend form components after a 'UI refresh') and a valuable pentest uncovering high-impact business issues (such as examining critical and complex authentication and authorization logic). HackerOne assesses your assets to determine the optimal scope for your pentest and delivers a quote tailored to your specific requirements.</p><p dir="ltr"><em><strong>Read the </strong></em><a href="https://www.hackerone.com/penetration-testing/pre-pentest-checklist-part1"><em><strong>Pre-Pentest Checklist Series&nbsp;Part 1</strong></em></a><em><strong> and&nbsp;</strong></em><a href="https://www.hackerone.com/penetration-testing/pre-pentest-checklist-part2"><em><strong>Part 2</strong></em></a><em><strong>&nbsp;to address crucial questions before your next pentest.</strong></em></p><h4>Skills-Based Tester Matching</h4><p dir="ltr">Most traditional consultancies and professional service providers rely on a static team of mixed-skill in-house pentesters or long-term contractors who are rostered on and off for every test. These testers are often assigned based on their constrained availability within busy schedules. The result is a mixed bag with inconsistent quality, depending on who is doing the current engagement.</p><p dir="ltr">With HackerOne Pentest, delivered via a Pentest as a Service (PTaaS) model, customers gain access to a diverse pool of elite, vetted security researchers who bring a wide range of skills, certifications, and experience. 
The community-driven PTaaS approach delivers comprehensive coverage, versatility, and&nbsp;<a href="https://www.hackerone.com/penetration-testing/modern-pentesting-effectiveness">the highest quality results&nbsp;</a>tailored to the types of assets and technology stacks of your web applications.</p><h4>Retesting</h4><p dir="ltr">After identifying and remedying a vulnerability, retesting is crucial to validate the effectiveness of the patch and ensure it is not bypassable. This is particularly vital for organizations with limited security expertise in their development teams. Our pentesters possess extensive experience in bypassing patches and filters even after vulnerabilities have been addressed with incomplete fixes, such as blocking specific payload strings in cases involving injection vulnerabilities.&nbsp;</p><p dir="ltr">HackerOne offers&nbsp;<a href="https://docs.hackerone.com/en/articles/8481554-retesting-pentests#h_ebec4b18ab">retesting as part of the pentest</a>, and requesting a retest for a vulnerability is as simple as a click of a button in the platform. Customers can request a retest at any point during the testing period and for an additional 60 days after the testing period ends.</p><h4>Zero Trust Access</h4><p dir="ltr">Providing restricted access to a testing environment, whether it is an internal application or a restricted sandbox, is always a tricky part of a pentest. For the testing of pre-release web application features, customers may wish to restrict access from the general public and only allow authorized testers into the environment.&nbsp;</p><p dir="ltr">In traditional pentest offerings, this can be a major pain point for both the customer and the testers. Security teams within organizations may reluctantly adjust firewall rules, add additional VPN accounts, and grant access to virtual desktops, ironically compromising their environment’s security to facilitate testing. 
This has a big impact on pentester productivity, as slow network access and cumbersome configurations quickly drain energy and focus.</p><p dir="ltr">HackerOne's&nbsp;<a href="https://docs.hackerone.com/en/articles/8470719-hackerone-gateway-v2">Gateway V2</a> offers a Zero Trust tunnel using Cloudflare's WARP technology to connect pentesters to the target assets securely and quickly, alongside traditional IP allowlisting rules. It uses a WARP client installed on the testers' endpoints that authenticates their identity and device to the private network, and it allows customers to easily grant, revoke, and audit tester access to applications wherever the testers are in the world. The use of&nbsp;<a href="https://www.hackerone.com/vulnerability-management/clear-and-gateway">Zero Trust Network Access (ZTNA)&nbsp;</a>for pentesting is a rare sight in traditional pentest offerings or even other PTaaS platforms, and it greatly enhances both network security and tester productivity during engagements.</p><h2 id="case">Case Study: The Easily Avoidable IDOR</h2><p dir="ltr">Insecure Direct Object Reference (IDOR) is a low-hanging vulnerability, but it can lead to the biggest impact: often the disclosure of all customer details just by making small changes to a predictable ID. This HackerOne&nbsp;<a href="https://hackerone.com/reports/1966006">report</a> outlines an IDOR bug that could have led to the disclosure of all user email addresses and phone numbers within a financial web application.</p><p dir="ltr">This bug looks a lot like the major&nbsp;<a href="https://www.abc.net.au/news/2023-04-21/optus-hack-class-action-customer-privacy-breach-data-leaked/102247638" target="_blank">Optus data breach</a> in 2022, in which roughly 10 million customers' PII (such as names, emails, and phone numbers) was stolen. 
The financial impact of the breach was significant, with Optus setting aside AU$140 million (approximately $91.26 million USD) to cover the expected costs of the incident, including customer compensation and remediation efforts. This also resulted in severe legal implications, with an ongoing class action lawsuit against the company claiming that Optus breached consumer and telecommunications law and failed in its duty of care to protect users from harm.&nbsp;</p><p dir="ltr">All that from a single IDOR vulnerability that could have been easily discovered and mitigated if a pentest had been conducted by expert web security researchers, such as those available in HackerOne's extensive talent pool.</p><p dir="ltr">By utilizing HackerOne's community-driven pentest for web applications, you can efficiently identify exploitable vulnerabilities such as the IDOR explained above within a matter of days, along with numerous other complex vulnerabilities, within our standard 14-day testing cycle.</p><h2>Why HackerOne Is the Best Option for Web Pentests</h2><p dir="ltr">By choosing HackerOne as your partner in pentesting, your organization can fully benefit from the community-driven PTaaS model. This model leverages a combination of HackerOne security experts, who are skill-matched and vetted, working together with your teams to deliver the best overall ROI in risk reduction.</p><p dir="ltr">The HackerOne Platform simplifies the process of requesting a new pentest, onboarding new assets, and enlisting expert researchers in just a few days. Its purpose-built UI for reporting vulnerabilities and Zero Trust Access for fast, secure application access make web pentests more seamless and efficient.</p><p dir="ltr">With the right blend of people and technology, HackerOne is the ideal choice for your web application pentests. 
To get started pentesting web applications with HackerOne, <a href="https://www.hackerone.com/contact">contact us today.</a></p>
      

            
            <a href="https://www.hackerone.com/blog/topic/application-security" hreflang="en">Application Security</a>
        
            
            <a href="https://www.hackerone.com/blog/topic/penetration-testing" hreflang="en">Penetration Testing</a>
        
    

<p dir="ltr">Web applications are prime targets for cybercriminals across industries, from e-commerce to healthcare. To safeguard these critical assets, HackerOne offers a methodology-driven penetration testing (pentesting) solution delivered via a Pentest as a Service (PTaaS) model. This approach connects organizations with&nbsp;<a href="https://docs.hackerone.com/en/articles/8538639-pentester-selection-and-vetting-process">a heavily vetted cohort of a global ethical hacker community</a> for comprehensive, end-to-end pentesting. Frequently performing dedicated pentesting using a community-driven PTaaS is crucial to finding vulnerabilities in your web assets and quickly remediating them to reduce risk.</p>
      ]]></description>
  <pubDate>Wed, 10 Jul 2024 17:47:54 +0000</pubDate>
    <dc:creator>h1_admin</dc:creator>
    <guid isPermaLink="false">5392 at https://www.hackerone.com</guid>
    </item>
<item>
  <title>HackerOne's Cloud Security Capabilities for AWS Customers </title>
  <link>https://www.hackerone.com/blog/hackerones-cloud-security-capabilities-aws-customers</link>
<description><![CDATA[<span class="field field--name-title field--type-string field--label-hidden">HackerOne's Cloud Security Capabilities for AWS Customers</span>
    



    
        H1 Team
        
    


<span class="field field--name-uid field--type-entity-reference field--label-hidden"><span>h1_admin</span></span>
<span class="field field--name-created field--type-created field--label-hidden">Wed, 08/25/2021 - 08:00
</span>

            
  
      
  
                



          

  

      
            May 25th, 2024

      
<p>HackerOne provides security capabilities for AWS customers looking to improve security in their cloud applications. These include vulnerability pentests specific to AWS environments, an AWS Security Hub integration for fast, effective security actions, and highly skilled, ethical hackers with AWS Security Specialty certified training. AWS customers can now identify and fix vulnerabilities quickly, develop a better understanding of their cloud application security profile, and access the expertise of AWS Certified hackers.</p><h2>Improved Cloud Application Security for Your Organization</h2><h3>Protect Your AWS Environment with Targeted Pentesting</h3><p>As part of the HackerOne Assessment offering, the new <a href="https://www.hackerone.com/product/security-assessments" target="_blank">HackerOne Assessments: Application Pentest for AWS</a> is explicitly tailored for AWS-deployed applications. The pentest discovers risks specific to an organization’s AWS environment, following a methodology built on the top cloud vulnerabilities reported on the HackerOne platform. This helps AWS customers prevent data leaks, subdomain takeovers, unauthorized access to applications, and more. Figure 1 below shows the checklist in HackerOne that specifies AWS-specific methodology parameters.</p><p>By combining a SaaS platform with a community of skilled, background-verified testers, teams can quickly start their pentests, gain insights to remediate risk faster, and mature their security programs.&nbsp;</p><h3>HackerOne Integrated With AWS Security Hub</h3><p>The new AWS Security Hub integration exchanges vulnerability findings between HackerOne and Security Hub, streamlining workflows to accelerate security actions. 
By consolidating and routing vulnerability intelligence from HackerOne to AWS Security Hub, the integration delivers greater visibility into crucial gaps that could lead to a cyberattack.</p><p>AWS customers can sync all HackerOne vulnerability findings and use AWS Security Hub as the single console for management and prioritization. They can also compare AWS Security Hub findings with those found by the HackerOne community to see duplicates, understand status, and <a href="https://www.hackerone.com/vulnerability-remediation-step-step-guide">plan remediation</a>, as shown in Figure 2 below.</p><p>With consolidated vulnerability reports, unified findings for more informed responses, and faster time to remediation, AWS customers can improve application security. HackerOne’s AWS Security Hub integration means severe vulnerabilities are routed to the right people at the right time to increase security team efficiencies, improve reporting, and reduce application exploitation.&nbsp;</p><h3>A HackerOne Community of AWS-Certified Security Specialty Hackers</h3><p>Your organization can work with highly skilled certified experts with specialized, proven expertise in vulnerabilities specific to your AWS cloud environment. You will extend your attack surface coverage and be able to address vulnerabilities from multiple threat angles, including cloud misconfigurations, unauthorized access, and data exposure. Instead of switching pentest vendors to find diverse testing expertise, you find it all in this talented community of certified hackers. 
Figure 3 below shows the official certification seal of a HackerOne AWS Certified Cloud Practitioner.</p><p>Organizations using AWS can now better protect their AWS environments against risk and attacks with highly skilled and certified hacker-powered security, more streamlined team workflows, and comprehensive and rapid vulnerability discovery and reporting.</p><p>If you’re a hacker interested in becoming a HackerOne Pentester, you can <a href="https://www.hackerone.com/hackers/pentest-community-application" target="_blank">apply here to join our community</a>. Perform pentests together with a team of other talented security research experts and grow your resume and expertise with opportunities like AWS Certification scholarships.&nbsp;</p><h2>How HackerOne Makes Your AWS Cloud Applications Safer</h2><p>HackerOne’s all-in-one continuous security testing platform directly addresses the needs of organizations using AWS solutions. AWS customers now have access to highly skilled, AWS-certified hackers, AWS-specific pentests, and hacker-powered vulnerability insights to make their cloud applications less exploitable. <a href="https://www.hackerone.com/partners/aws">Learn how to mitigate risk faster and improve your security profile</a>, or <a href="https://www.hackerone.com/contact">get started by contacting HackerOne today.</a></p>
      

            
            <a href="https://www.hackerone.com/blog/topic/application-security" hreflang="en">Application Security</a>
        
            
            <a href="https://www.hackerone.com/blog/topic/penetration-testing" hreflang="en">Penetration Testing</a>
        
    

<p>As rapid digital transformation drives organizations towards AWS cloud solutions, attack surfaces expand, and cybercriminals find new opportunities to exploit cloud application vulnerabilities. Digital-native organizations and those migrating their applications to the cloud must incorporate new approaches into their cloud security strategies.</p>
      ]]></description>
  <pubDate>Wed, 25 Aug 2021 13:00:00 +0000</pubDate>
    <dc:creator>h1_admin</dc:creator>
    <guid isPermaLink="false">5088 at https://www.hackerone.com</guid>
    </item>
<item>
  <title>Grammarly CISO Suha Can Discusses the Impact of Preemptive Security with HackerOne</title>
  <link>https://www.hackerone.com/blog/grammarly-ciso-suha-can-discusses-impact-preemptive-security-hackerone</link>
  <description><![CDATA[<span class="field field--name-title field--type-string field--label-hidden">Grammarly CISO Suha Can Discusses the Impact of Preemptive Security with HackerOne</span>
    



    
        ktansley@hackerone.com 
        
            Customer Advocacy &amp; Marketing
      
    


<span class="field field--name-uid field--type-entity-reference field--label-hidden"><span>h1_admin</span></span>
<span class="field field--name-created field--type-created field--label-hidden">Wed, 06/14/2023 - 10:50
</span>

            
  
      
  
                



          

  

      
            June 14th, 2023

      
<h4><strong>The allure of generative AI and the importance of the basics.</strong></h4><p>While the advent of generative AI poses new challenges, it's important not to neglect the fundamentals. Implementing measures like MFA, phishing prevention, patching, and addressing misconfigurations should remain a focus. Grammarly has offered an AI-enabled product since before AI was a buzzword and has already launched its own generative AI product: <a href="https://www.grammarly.com/grammarlygo">GrammarlyGO</a>. Many CISOs now have to think about how generative AI impacts cyber risk, but for companies that already live in the AI space, it has been easier to see through the buzz and stay true to their threat model.</p><ul><li><em>“Generative AI tools are new, but most of the existing fundamentals of cybersecurity haven’t changed. It can be easy to get distracted by the shiny thing, but an offensive security team should continue to do what they always do: finding issues in the core ways in which their systems are built and configured.” </em>– <strong>Suha Can</strong></li></ul><h4><strong>Bug bounty helps validate - or invalidate - your security beliefs.</strong></h4><p>Are we really secure, or do we just feel secure because we’ve deployed controls? As a company’s security maturity increases, it becomes crucial to validate the effectiveness of security programs. This involves assessing factors such as time to remediation, continuous monitoring of security controls, and questioning assumptions. Grammarly views bug bounty as a systemic way to uncover flaws in its attack surface and a way to challenge its controls with unconventional testing methods.</p><ul><li><em>“Preemptive security is about working to disconfirm your beliefs. The first step is usually doing something like a pentest where you validate your security, but after that, you must start seeking invalidation of your controls. 
The underlying mantra is that by being humble and second-guessing yourself, you are actually able to be a much better guardian of customer data.” </em>– <strong>Suha Can</strong></li></ul><h4><strong>Value to the board: </strong><em><strong>“Seeing around corners.”</strong></em></h4><p>Building products securely requires asset inventory, cloud configuration scans, and static and dynamic analysis, but these measures alone are not sufficient. A combination of scalable and non-scalable security approaches is vital to ensure that all bases are covered and helps reassure your board of directors that you aren’t relying on any single control to keep your crown jewels safe. Grammarly works with HackerOne to catch what the scanners miss and to uncover blind spots in its attack surface - a mission that relies more on the creativity of hackers than on cutting-edge technology.&nbsp;</p><ul><li><em>“The main value that I communicate to the board is that HackerOne helps us find out what we don't know and helps us see around corners. That resonates very well with the executive team at Grammarly. It’s not just that we fixed 15 new vulnerabilities this month; it’s typically a bigger conversation where I share anecdotes about how reports have led to more insights and investments.” </em>– <strong>Suha Can</strong></li></ul><h4><strong>Value to the engineers: </strong><em><strong>“Focus and prioritize.”</strong></em></h4><p>Grammarly uses insights and trends from its bug bounty program and other preemptive security initiatives to focus its efforts. 
Grammarly’s security team conducts a weekly review of vulnerability reports from HackerOne and other preemptive security sources; it then initiates a deeper review of any assets or services with spikes in reports or the potential for variants of recent vulnerabilities.&nbsp;</p><ul><li><em>“A vulnerability for a specific service may also apply to other services you have, or a slightly different attack on the same service could succeed. Those additional vulnerabilities aren’t in the report you receive from the hacker, but because you get that first report now you can investigate further and uncover any additional issues. This also leads to attack surface reduction and a ‘defense in depth’ style hardening across your systems.” </em>– <strong>Suha Can</strong></li></ul><h4><strong>Measuring bug bounty program health.</strong></h4><p>Grammarly’s key indicator of bug bounty program health is the number of unique researchers submitting valid vulnerabilities every quarter. In a world where new bug bounty programs launch every day, maintaining hacker engagement is imperative. Grammarly’s HackerOne program has run for five years, and Grammarly keeps it fresh by adding new scope (like GrammarlyGO, Grammarly’s new generative AI product) and running promotions (like the $100k critical bounty that Grammarly debuted).</p><ul><li><em>“When I look at my board metrics, the main metric I convey to the board about the health of my bug bounty program is the number of unique researchers that have reported at least one vulnerability in a given quarter. The program is only as good as the engagement from researchers, and researchers can spend their time on any program.” </em>– <strong>Suha Can</strong></li></ul><p>This conversation between Suha and Alex underscores the importance of a preemptive approach to cybersecurity. Embracing AI advancements while maintaining a strong foundation in fundamental security practices is paramount. 
At the same time, the power of bug bounty programs to validate (or invalidate) security measures by tapping into the perspective of an attacker is undeniable. As the cybersecurity landscape continues to evolve, we hope these insights provide guidance as you navigate this complex and ever-changing domain.</p>
      
            
                                                                                <a href="https://www.hackerone.com/blog/customer-stories" hreflang="en">Customer Stories</a>
                    
    

            
            <a href="https://www.hackerone.com/blog/topic/application-security" hreflang="en">Application Security</a>
        
            
            <a href="https://www.hackerone.com/blog/topic/bug-bounty" hreflang="en">Bug Bounty</a>
        
    

<p>Suha Can, the CISO of Grammarly, recently joined HackerOne’s CTO &amp; Co-founder, Alex Rice, for a discussion on user trust, the benefits of Grammarly’s bug bounty program, and the advantages of preemptive security measures. You can <a href="https://hackerone.wistia.com/medias/yvyox3242k">view the full webinar here</a>, or read the highlights from their conversation here:</p>
      ]]></description>
  <pubDate>Wed, 14 Jun 2023 15:50:21 +0000</pubDate>
    <dc:creator>h1_admin</dc:creator>
    <guid isPermaLink="false">5252 at https://www.hackerone.com</guid>
    </item>
<item>
  <title>How Optimistic Can Security Professionals Afford to Be in 2023?</title>
  <link>https://www.hackerone.com/blog/how-optimistic-can-security-professionals-afford-be-2023</link>
  <description><![CDATA[<span class="field field--name-title field--type-string field--label-hidden">How Optimistic Can Security Professionals Afford to Be in 2023?</span>
    



    
        Mahesh Chukkapali
        
    


<span class="field field--name-uid field--type-entity-reference field--label-hidden"><span>h1_admin</span></span>
<span class="field field--name-created field--type-created field--label-hidden">Wed, 04/12/2023 - 09:23
</span>

            
  
      
  
                



          

  

      
            April 12th, 2023

      
            <p>CyberEdge <a href="https://cyber-edge.com/cdr/" target="_blank">reports</a> that the percentage of companies that experienced at least one successful cyberattack dropped again, following years of annual increases. Organizations reporting six or more significant attacks in the last year decreased for the first time in 12 years. These results have provided businesses with optimism for the management and security of their infrastructures in the future: the number of organizations concerned their employees may fall victim to a successful cyberattack also dropped for the first time in six years. But do these numbers correlate with organizations getting a better handle on cybersecurity risk? The report also cited a growing skills gap, fragmented security solutions, and expanding attack surfaces, which suggests otherwise.</p><p>Hybrid work, shadow IT, and the rapid transition to multiple cloud environments have significantly contributed to the expansion of the attack surface for many organizations. Rushed digital transformation has also furthered the proliferation of cyberattacks, during and after the pandemic. It appears that minor reductions in breach statistics and an overabundance of security tools may have given some organizations a false sense of safety.</p><h2>Organizations Struggle To Manage Expanding Attack Surfaces</h2><p>Various research shows a sizable attack resistance gap between what companies can protect and the assets they must defend. A recent HackerOne report found <a href="https://www.hackerone.com/attack-resistance-report-2022">only 63% of organizations’ total attack surface</a> was estimated to be resistant to attack, and <a href="https://www.hackerone.com/company-news/announcing-hackerone-2022-attack-resistance-report-security-survey-how-close-your">44% of cybersecurity professionals</a> lacked confidence in their capacity to mitigate the dangers brought on by this visibility gap. 
Six main factors contribute to an organization's lack of confidence:</p><ul><li><strong>Incomplete Knowledge:</strong> Attack surfaces constantly change due to the expanded supply chain, software, apps, and infrastructure. In fact, a third of large companies have trouble monitoring <a href="https://www.hackerone.com/company-news/announcing-hackerone-2022-attack-resistance-report-security-survey-how-close-your">more than 25% of their attack surfaces</a>.</li><li><strong>Testing Frequency Is Not at Pace:</strong> Testing frequency is not keeping up with development cycles, which are moving more quickly than before. Delays in testing and upgrades let vulnerabilities slip through and become exploited.</li><li><strong>Scanners Are Limited:</strong> Vulnerabilities that follow known patterns are easy to find with automated scanning, but the real risk is the unknown threats that lead to critical application security issues. These critical vulnerabilities missed by scanners create a false sense of security.</li><li><strong>Automation Is Still Falling Short:</strong> While many security tools promise a lot, automation has yet to live up to its promise of securing the enterprise. Automation can be fast at finding and defending against known threats, but it misses critical zero-day vulnerabilities, and that gap gets larger as one considers the additional challenge of continuously increasing attack surface complexity. It’s important to recognize that while automation offers advantages to security teams, it also offers similar advantages to cybercriminals. Bad actors <a href="https://securityscorecard.com/blog/cybercriminals-leverage-weaponized-ai-for-cyber-attacks/" target="_blank">already weaponize AI</a> to exploit vulnerabilities quickly and at scale.</li></ul><h2>A Shortage of Skilled Personnel Is the Greatest Concern</h2><p>A shortage of skilled personnel is the most significant impediment for security teams. 
Industry giants announcing personnel cutbacks of thousands or more have been widely reported in the media. As the cybersecurity skills gap widens, stress on internal teams has been exacerbated by a <a href="https://www.infosecurity-magazine.com/news/cybersecurity-workforce-gap-grows/#:~:text=The%20global%20cybersecurity%20workforce%20gap,2%202022%20Cybersecurity%20Workforce%20Study." target="_blank">26% increase in that gap since last year</a>. CyberEdge notes <a href="https://cyber-edge.com/cdr/" target="_blank">seven in eight organizations (87%) are experiencing a shortfall</a> of security talent, with IT security administrators in greatest demand.</p><p>While many businesses are laying off employees in departments like marketing, sales, product management, and human resources, the majority are keeping their security specialists on staff. However, there remains a lack of skilled personnel to keep up with the different threats and security specialties organizations require; <a href="https://www.hackerone.com/attack-resistance-report-2022" target="_blank">80% of firms are concerned that they do not have the skills to keep up with container and cloud-native development trends</a>. In addition, most security teams are outnumbered by developers, making it difficult to keep up with the pace of change.</p><p>As the global cybersecurity workforce deficit of <a href="https://fortune.com/education/articles/the-cybersecurity-industry-is-short-3-4-million-workers-thats-good-news-for-cyber-wages/#:~:text=The%20cybersecurity%20workforce%20has%20reached,Cybersecurity%20Workforce%20Study%20released%20Thursday." target="_blank">3.4 million</a> people continues to rise, the cybersecurity industry looks to develop new strategies and measures to help scale security teams.</p><h2>The Board and the Bottom Line Dictate Security Investment</h2><p>Tech stack complexity and the security talent gap will likely lead companies to consolidate tools across security pillars, especially as the economy contracts. Companies will evaluate security budgets and make investment decisions based on the higher ROI of a platform solution with well-integrated tools that share intelligence to improve outcomes.</p><p>Human-powered security is necessary to combat the malicious creativity of cybercriminals, who are adept at circumventing cybersecurity defenses. The business impact of a breach is well documented, and the CyberEdge report reinforces the attention the board gives to avoiding one: <a href="https://cyber-edge.com/cdr/" target="_blank">nearly all (97%) surveyed organizations</a> reported that their information security leaders engage board members directly. In other words, world-class cybersecurity is no longer ‘nice to have.’ It’s a ‘must-have’ for organizations to survive.</p><p>Security investment continues to grow in both the public and the private sector. CyberEdge reports the average information security expenditure increased by 5.3% for organizations in 2023. The success of IT leadership in educating senior executives and board members about cybersecurity issues may also be reflected in increased spending. The announcement of the new cybersecurity plan, together with greater expenditures, compels organizations to actively contribute to stronger collective resilience.</p><p>As the threat landscape intensifies and the shortage of experienced IT security employees persists, organizations must remain attentive in their search for, and recruitment of, workers displaced by companies that have made cuts. Your organization could even consider providing cybersecurity training and certification as a recruitment tool.</p><p>Notwithstanding the apparent optimism, cybersecurity experts must maintain their vigilance. We’re continually involved in a protracted, difficult process, but securing robust cyber defenses is the best course of action for our country, its infrastructure, the economy, and our shared futures.</p><p><em>I’d love to hear more about your challenges and plans to secure the coming year. </em><a href="https://www.hackerone.com/contact"><em>Contact us</em></a><em> to talk about how you manage your attack surfaces and what ethical hackers could do for your ability to scale your security efforts.</em></p>
      

            
            <a href="https://www.hackerone.com/blog/topic/application-security" hreflang="en">Application Security</a>
        
    

            <p>Cyber attackers are increasingly well-resourced and elusive. Yet, CyberEdge's 2023 Cyberthreat Defense Report found IT and security professionals are feeling optimistic about their ability to handle cybersecurity risk.</p>
      ]]></description>
  <pubDate>Wed, 12 Apr 2023 14:23:26 +0000</pubDate>
    <dc:creator>h1_admin</dc:creator>
    <guid isPermaLink="false">5232 at https://www.hackerone.com</guid>
    </item>
<item>
  <title>100 Conversations with Start-up Security Leaders</title>
  <link>https://www.hackerone.com/blog/100-conversations-start-security-leaders</link>
  <description><![CDATA[<span class="field field--name-title field--type-string field--label-hidden">100 Conversations with Start-up Security Leaders</span>
    



    
        Chris Campbell
        
            Sales Engineer, EMEA
      
    


<span class="field field--name-uid field--type-entity-reference field--label-hidden"><span>h1_admin</span></span>
<span class="field field--name-created field--type-created field--label-hidden">Wed, 04/05/2023 - 11:57
</span>

            
  
      
  
                



          

  

      
            April 11th, 2023

      
            <h2>1. Why are run-of-the-mill, traditional pentests not delivering effective results?</h2><p>Time and time again, I speak to disappointed security practitioners who run one, or sometimes several, penetration tests with traditional suppliers. These engagements don’t suit their needs — from long lead times for scheduling, to shallow results that don’t find the most critical flaws, to a final report delivered weeks later.<br><br>This approach is increasingly unsuitable for many organizations as agile development practices have become the norm. Traditional pentesting often can’t mitigate risk in line with release cycles. Modern organizations have adopted continuous software releases, but the <a href="https://www.hackerone.com/resources/reporting/2022-attack-resistance-report">2022 Attack Resistance Report</a> found only 1 in 3 applications are tested and assessed more than once a year. A report delivered six weeks after the launch of a new beta system, which has seen hundreds of continuous releases since the testing window began, may be of limited use.</p><h2>2. As my business undergoes digital transformation, how can continuous application security testing help maintain security visibility?</h2><p>If you have fewer than four security personnel within your organization, you’re not alone. Of my first 100 conversations with start-up and scale-up companies, only one had a dedicated security team of five people or more. Whether your DevOps team is regularly spinning up Kubernetes clusters or your marketing team is creating microsites, it’s extremely difficult to maintain visibility and secure all your digital assets.<br><br>The majority of our customers reach out to me because they want help building stronger security teams and processes rather than the other way around. 
This tells me the demand is there for solutions like bug bounty programs and that utilizing a global talent pool of hackers is quickly becoming the norm for the forward-thinking security leaders of our time.</p><h2>3. How does my security team maximize efficiency and productivity?</h2><p>On average, HackerOne’s global team of analysts works around the clock to process <a href="https://www.hackerone.com/services" target="_blank">3,000 vulnerability reports per week</a>. Some of our most active public customers receive between 100 and 200 valid vulnerability reports per quarter. This might sound like an overwhelming volume of information, but with the help of our highly skilled professional triage team, we take the weight off the shoulders of your internal security teams and help them focus on <em>fixing</em> vulnerabilities, not <em>validating</em> them.</p><p>The majority of scale-up security leaders I speak with tell me this support saves valuable time on vulnerability management that can instead be directed toward building their actual product. If time is money, developer time is gold.</p><h2>4. How do we utilize ethical hackers and monitor their access to our network?</h2><p>While many cybersecurity leaders recognize the value of working with hackers before we’ve even begun a conversation, it is still common to see hesitation within organizations at large.<br><br>Legal and PR teams can balk at the idea of inviting hackers to test your defenses. However, even the most risk-averse organizations, including the DoD and Goldman Sachs, recognize that it’s more of a risk not to ask hackers to help. And hackers want to do good in the world. We’ve <a href="https://www.hackerone.com/reports/6th-annual-hacker-powered-security-report" target="_blank">surveyed our hacker community for years</a> to understand why they hack. The majority of hackers are pursuing job opportunities — 59% are looking to build skills and gain experience to advance their careers in cybersecurity. 
Forty-six percent want to help protect users and defend organizations against malicious attacks. Not only are hackers passionately motivated, but they also find vulnerabilities that traditional tools miss.<br><br>For organizations that need the strictest control and guarantees, HackerOne provides a number of options: programs can limit access exclusively to our Clear hackers, who are fully security vetted and background checked. The <a href="https://docs.hackerone.com/hackers/configure-the-hackerone-vpn.html" target="_blank">HackerOne Gateway service</a> provides numerous controls to maintain oversight of a hacker’s activity.</p><h2>5. How do we integrate security earlier into our development lifecycle?</h2><p>“Shifting Left” describes development practices and workflows designed to find and remove vulnerabilities earlier in the Software Development Lifecycle (SDLC). Everyone knows that finding vulnerabilities and bugs in code as early as possible saves developer time, reduces customer impact, and avoids service downtime.<br><br>But, despite the rising popularity of shifting left in cybersecurity, I still get questions about the need to find vulnerabilities in production-level systems if automated scanners can find them earlier.<br><br>Although you should absolutely implement good security scanners for your code to mitigate known types and classes of vulnerabilities, what scanners currently exist that can find complex, chained exploits in the human-level logic of your business? Only human creativity can find novel vulnerabilities in your code. No training data can teach the best machine learning algorithms how to do this. 
See this publicly disclosed <a href="https://hackerone.com/reports/1819832" target="_blank">exploit</a> a hacker found in Snapchat earlier this year.</p><h2>HackerOne: Your Security Testing Partner</h2><p>From my first 100 conversations with organizations about HackerOne, I have found that security leaders are increasingly open to adopting crowdsourced hacking services to help them enable business transformation for their organizations. HackerOne’s Attack Resistance Platform lowers your organization’s threat exposure across its entire attack surface. Your bug bounty, Attack Surface Management, and Pentest as a Service (PTaaS) solutions are centralized under a single platform and enhanced by adversarial testing performed by hackers.</p><p>Your organization is embracing transformation, but how much of your attack surface is exposed to cybercrime? <a href="https://www.hackerone.com/contact">Contact the team at HackerOne today</a> to learn how your organization can become faster than cybercrime.</p>
      

            
            <a href="https://www.hackerone.com/blog/topic/application-security" hreflang="en">Application Security</a>
        
            
            <a href="https://www.hackerone.com/blog/topic/vulnerability-management" hreflang="en">Vulnerability Management</a>
        
            
            <a href="https://www.hackerone.com/blog/topic/penetration-testing" hreflang="en">Penetration Testing</a>
        
    

            <p>Every day, HackerOne Solutions Engineer Chris Campbell speaks to cybersecurity leaders who struggle to keep up with the threat landscape. Leaders look to him to connect them with the world’s most coveted and accomplished ethical hackers, who have found critical vulnerabilities in the world’s largest enterprises and most successful small/medium businesses.</p>

<p>In this post, Chris shares the most impactful and common questions from his first 100 conversations with security professionals and how your organization can maximize its security outcomes.</p>
      ]]></description>
  <pubDate>Wed, 05 Apr 2023 16:57:08 +0000</pubDate>
    <dc:creator>h1_admin</dc:creator>
    <guid isPermaLink="false">5229 at https://www.hackerone.com</guid>
    </item>
<item>
  <title>Robinhood Goes Long on Bug Bounty: Q&amp;A with Ian Carroll and @ashwarya</title>
  <link>https://www.hackerone.com/blog/robinhood-goes-long-bug-bounty-qa-ian-carroll-and-ashwarya</link>
  <description><![CDATA[<span class="field field--name-title field--type-string field--label-hidden">Robinhood Goes Long on Bug Bounty: Q&amp;A with Ian Carroll and @ashwarya</span>
    



    
        ktansley@hackerone.com 
        
            Customer Advocacy &amp; Marketing
      
    


<span class="field field--name-uid field--type-entity-reference field--label-hidden"><span>h1_admin</span></span>
<span class="field field--name-created field--type-created field--label-hidden">Wed, 02/22/2023 - 14:00
</span>

            
  
      
  
                



          

  

      
            February 22nd, 2023

      
            <p>Our conversation with Ian Carroll (Staff Security Engineer at Robinhood) spans the history of bug bounty at Robinhood, Ian’s approach to bug bounty program management, and why the hacker experience is so important to him. Stick around for the end of this article, where we interviewed Ashwarya Abhishek, the top hacker on Robinhood’s program with over $100,000 in bounties earned! Ashwarya explains how he decided to become an ethical hacker and why he chose to hack Robinhood.</p><h5><strong>&gt; Customer Q&amp;A with Ian Carroll</strong></h5><h4>Q: Tell us who you are.</h4><p>Ian: My name is Ian Carroll, and I'm a staff security engineer at Robinhood. I lead our bug bounty programs at Robinhood, and I'm also a member of our Red Team, where we work on finding and fixing security issues in Robinhood, much like a bug bounty researcher would.</p><h4>Q: Tell us a bit about Robinhood and why cybersecurity is so important to your business.</h4><p>Ian: Robinhood is a trading app that allows our customers to trade stocks and cryptocurrencies, save and spend money with our spending account, and more. Safety First is Robinhood's primary company value, and protecting our customers and their assets is extremely important to us. It's our responsibility to ensure we are providing confidence and trust for our customers as they entrust us with safeguarding their money and investments.</p><h4>Q: Tell us about your HackerOne journey. How has your program evolved over time?</h4><p>Ian: Robinhood has had a HackerOne Bounty program since 2016, nearly since Robinhood itself launched! Our CEO was actually still a member of our HackerOne team when I joined. Based on our early successes, we have increased our dedicated resources to grow the program further. 
In the past year, we expanded our program’s scope, launched two new private programs on HackerOne, and awarded more bounties than ever.</p><p>We’ve also improved our internal processes for handling submissions. Our Vulnerability Management team has built a stellar process for tracking and handling validated vulnerabilities coming from the bug bounty. Service owners can see all of the vulnerabilities for their service and the associated SLAs for every reported vulnerability. We also started using CVSS ranges to calculate bounty payments, which drive more consistent payouts and remediation in our program.</p><h4>Q: What role does your bug bounty program play in your overall security landscape?</h4><p>Ian: Our bug bounty program is an important way for us to validate that the work we are doing to improve our security is working. Our Product Security and Enterprise Security teams create comprehensive mitigation plans based on findings from the bug bounty program and vulnerabilities from other programs such as pentests and red team engagements. These efforts result in a reduction in each type of issue. Similarly, findings from our bug bounty program often let us identify services or features that need extra attention from us so that we can further target penetration tests, additional code reviews, etc.</p><p>One key example of this has been around our acquisitions – we’ve been able to quickly add the assets of our new acquisitions into our HackerOne programs, and then we immediately start to get visibility into the specific risks each asset may have. The acquired companies also appreciate getting this new visibility, which allows us to build relationships with their teams while working together to remediate any reports.</p><h4>Q: Tell us about your favorite bug or most interesting finding from your program. 
Any other surprising outcomes from the program?</h4><p>Ian: Some of our best reports have actually come from our own customers who create a HackerOne account just to submit a finding to our program! One really interesting report we recently received was from a customer using a particular smartphone where the biometric authentication wasn’t working correctly only on that specific model. We were able to find someone else on our team who had the same phone and reproduce the issue, but we would have never noticed this kind of issue ourselves! We quickly got a fix out and paid them their first bug bounty. Our customers have also helped us find complex issues in our trading flows that don’t look like normal security issues at all, but are highly impactful to our business.</p><h4>Q: How do hackers help you spot vulnerability trends across your attack surface?</h4><p>Ian: I'm very happy with the scope of our bug bounty program, where we accept almost any security issue that could impact Robinhood, regardless of what technical asset has the problem. We also get a lot of interesting submissions about third-party vendor products and misconfigurations because we have all of our domains and applications in scope. In addition, we run private programs for our acquisitions to further strengthen those assets.</p><p>As a relatively young company, casting this wide net helps us identify trends across everything we use. In the future, we’re working on creating and distributing security reports to our other teams based on Common Weakness Enumeration (CWE) trends, which will help teams easily identify the types of vulnerabilities we are seeing!</p><h4>Q: Ian, along with being a customer, you also hack on the HackerOne platform. 
From experiencing both sides of the coin, what are some best practices for forming mutually beneficial relationships with hackers?</h4><p>Ian: It’s been very useful for me to have the perspective of both a researcher and a program manager. It gives a lot of insight into how both sides interact and what they expect, and helps me focus on what I know researchers would appreciate the most. My first priorities with our program were to set up quick and consistent triage and awards to researchers, as I find this is a struggle for many programs.</p><p>We also try to be candid and transparent with hackers. In our private programs, where we have NDAs in place, we can often share source code snippets and other internal documentation to help the researcher understand the root cause of an issue or why the severity was set in a specific way. Additionally, when we can escalate an issue to be more severe than what a researcher reported, we always pay the researcher for the higher severity. We hope this builds a lot of trust and goodwill between both the researcher and Robinhood.</p><h4>Q: What will long-term success look like for hacker-powered security at Robinhood?</h4><p>Ian: We aim to keep shifting left in the product development lifecycle and to let researchers find as many vulnerabilities across as many new and existing features as possible. We have been granting our VIP researchers access to new product releases before the general public has access, and we hope to continue doing this for the foreseeable future. Additionally, we’re working on test accounts so that researchers outside the United States can test our assets just as anyone else can.</p><h5><strong>&gt; Hacker Q&amp;A with @ashwarya</strong></h5><h4>Q: Tell us who you are.</h4><p>Ashwarya: Hi! My name is Ashwarya Abhishek. I’m from Delhi, India. 
I came from the financial field as an aspiring chartered accountant, but circumstances brought me to bug bounty, and I have been doing it full-time since 2020.</p><h4>Q: How long have you been hacking/in the cybersecurity industry?</h4><p>Ashwarya: I have been into bug bounty full-time since January 2020. I started doing bug bounty in 2014 as a part-time hobby when I discovered the HackerOne platform. Back then, I would read public reports and apply similar logic to different programs (Yahoo, Twitter, etc.). That approach got me a few bounties, but soon I got responses of ‘N/A’ and ‘Informative’ on all my reports, leaving me with terrible stats (&lt;200 Reputation, negative Signal, &lt;10 Impact). I soon realized that bug bounty was not for me, and I quit sometime around the beginning of 2016. I was only sending reports without understanding my findings, so those responses were bound to happen sooner or later.&nbsp;</p><p>During 2018-2019 I was going through severe financial issues, and out of nowhere, I received a Private Invite from Exness to hack on their HackerOne bug bounty program. Out of curiosity, I opened the link and accepted the invitation. There were lots of things going on in my mind for the next two days as this invitation and the sudden recollection of HackerOne and bug bounty brought a ray of hope into my life.</p><p>On January 1, 2020, I decided to quit my day job and jump into bug bounty. The reason was straightforward: earnings from my day job - even if I saved for the next decade - would not help me get out of the financial issues I was going through, but there was a ray of hope from bug bounty.</p><p>Everyone who came to learn about my decision called it dangerous as I did not possess any cybersecurity degree or certification and had no training. Even my past HackerOne stats were screaming not to pursue the infosec route full-time. 
There was also no surety that I would be able to find enough bugs to earn close to my monthly salary.</p><p>Circumstances ultimately brought me to this path, and I do not regret my decision to quit my profession. I started from scratch, gradually learned, and I haven’t looked back since I started full-time in 2020.</p><h4>Q: How long have you been hacking on Robinhood, and why did you choose to focus on Robinhood’s program?</h4><p>Ashwarya: I started hacking on Robinhood on January 1, 2022. I hack on Robinhood primarily due to their response efficiency and decent bounties.</p><h4>Q: What do you enjoy about hacking on Robinhood? What keeps you motivated to hack on this program?</h4><p>Ashwarya: I’m motivated by the wide scope of Robinhood’s program. It’s been a full year, and I believe I haven’t fully explored 50% of their endpoints, and getting access to the restricted services always excites me. In the beginning, I sensed that there were very few hackers who could have gone deeper with this program (due to restrictive access), so I thought there was a lot of potential for me and my 100% manual approach to hacking, and I wasn’t wrong with my judgment.</p><p>I also value Robinhood’s transparency during report evaluation, and their bounty pay-out upon triage keeps me motivated to continue digging around this program.</p><h4>Q: Without giving away scope that’s not already public, how do you approach the target?</h4><p>Ashwarya: Broadly speaking, my manual approach remains plain and simple.</p><ol><li>I manually check every single subdomain every few days to identify potential subdomain takeovers or application-level misconfigurations. It also helps me to identify any hidden subdomain apps where I need to dig deeper since there are higher chances you might end up with API keys or secrets in a .js file linked with these hidden apps.</li><li>I manually visit every API endpoint repeatedly until I understand the flow and its intended purpose. Once I am familiar with the endpoints and flows, it is far easier to spot any weird behavior and potential changes/issues. Although this is a time-consuming task, it is the most important thing for me with any target, and it is worth the effort.</li><li>I do not approach a target with any specific issues in mind. Instead, my approach relies purely upon the logic in the target process flows.</li></ol><h4>Q: If someone were new to this program, what advice would you give them?</h4><p>Ashwarya: Try familiarizing yourself with the flows first (API routes, etc.). Robinhood’s scope is very wide (there are 1,000+ API endpoints in the primary target itself), and there is a good chance you will catch issues if you are familiar with how things work here. But if you solely rely on automation (public tools), chances are pretty high that you will end up disappointed.</p>
      
            
                                                                                <a href="https://www.hackerone.com/blog/customer-stories" hreflang="en">Customer Stories</a>
                    
    

            
            <a href="https://www.hackerone.com/blog/topic/best-practices" hreflang="en">Best Practices</a>
        
            
            <a href="https://www.hackerone.com/blog/topic/application-security" hreflang="en">Application Security</a>
        
            
            <a href="https://www.hackerone.com/blog/topic/bug-bounty" hreflang="en">Bug Bounty</a>
        
    

            <p>Seven years of bug bounty, 21-hour average time to bounty, 130 hackers thanked, and hackers on both sides of the program: Robinhood’s Ian Carroll joins us to discuss his hacker-focused approach to bug bounty, and Robinhood’s top hacker @ashwarya chimes in with his experience.</p>
      ]]></description>
  <pubDate>Wed, 22 Feb 2023 20:00:00 +0000</pubDate>
    <dc:creator>h1_admin</dc:creator>
    <guid isPermaLink="false">5214 at https://www.hackerone.com</guid>
    </item>
<item>
  <title>Outsmart Cybercriminals with Proactive Attack Surface Management (ASM)</title>
  <link>https://www.hackerone.com/blog/outsmart-cybercriminals-proactive-attack-surface-management-asm</link>
  <description><![CDATA[<span class="field field--name-title field--type-string field--label-hidden">Outsmart Cybercriminals with Proactive Attack Surface Management (ASM)</span>
    



    
        Naz Bozdemir
        
            Senior Product Manager
      
    


<span class="field field--name-uid field--type-entity-reference field--label-hidden"><span>h1_admin</span></span>
<span class="field field--name-created field--type-created field--label-hidden">Tue, 02/07/2023 - 10:20
</span>

            
  
      
  
                



          

  

      
            February 7th, 2023

      
            <h2>Why is ASM Important?</h2><p>Your attack surface is the sum of all entry points an attacker could use to access your systems, applications, devices, or network. For most organizations, it’s a complex web of Internet-facing hardware and software assets, including any open ports and services, logic systems, and unmitigated vulnerabilities.</p><p>The larger your attack surface, the more opportunities an attacker has to gain entry. Today, attack surfaces are overwhelmingly larger than even a decade ago, and IT and security teams are scrambling to keep up. This is why ASM is so important.</p><p>ASM is the continuous discovery, inventory, analysis, and remediation of all components within an organization’s attack surface. This means maintaining a complete and current picture of all externally accessible digital assets, including hardware, web properties, IP addresses, systems, and services. It also requires continuous monitoring and analysis of all assets to identify and remediate vulnerabilities and configuration issues that attackers could exploit.</p><h2>The Attack Resistance Gap</h2><p>Effective ASM is among the top security challenges for organizations today.</p><p>HackerOne surveyed over 800 respondents from various industries, organization sizes, and locations. A third of respondents from large enterprises said at least 25% of their attack surface is unknown, while almost 20% believe over half is unknown.</p><p>Based on these figures, a typical enterprise’s attack surface could contain thousands of unknown, unprotected digital assets. These unprotected assets form a large part of the <em>attack resistance gap</em>—the portion of an organization’s attack surface that is not ready to resist attack. 
Collectively, respondents said just 63% of their attack surface is prepared to resist attack, leaving an attack resistance gap of 37%.</p><h2>Why ASM Alone Can’t Solve the Problem</h2><p>ASM solutions continuously monitor the attack surface to discover, inventory, and assess the security profile of externally-facing assets. Once discovered, identified assets are added to a single repository, through which an organization can track its attack surface. Typically, asset entries are enriched with a range of information, technical details, network and Internet identifiers, weaknesses (e.g., open ports or known vulnerabilities), and an estimated risk score.</p><p>These technologies are an essential part of any ASM program. They enable an organization to close the attack resistance gap and prioritize security resources to address high-risk issues. ASM can also help organizations achieve a variety of other security and business objectives, including:</p><ul><li>Identifying exposed development infrastructure.</li><li>Securing APIs.</li><li>Supporting M&amp;A activities.</li><li>Ensuring compliance with data protection regulations, e.g., GDPR.</li></ul><p>However, ASM alone isn't enough to stay on top of an organization’s full attack surface. This technology relies heavily on asset data provided by security and IT teams, which is typically incomplete or outdated. As a result, attack surface scanners inevitably miss some assets, leaving them stranded outside the scope of an organization’s cybersecurity program.</p><p>ASM solutions also typically have a high false positive rate, which requires manual intervention to assess. Since this takes time, most asset repositories provide an incomplete and outdated picture of cyber risk.</p><h2>The Solution: Combining Automation with Human Security Expertise</h2><p>If automation alone isn’t the solution, what is? 
Combining automation with the reconnaissance skills of handpicked security experts.</p><p>Security testers and researchers frequently uncover unknown assets during their work. Unlike automation, which can only uncover assets using a logical, brute-force approach, humans can often recognize discovered assets as belonging to an organization even if they aren’t linked to other known assets. This makes human security experts an ideal counterpart for automated tools to help any organization uncover and manage its full attack surface.</p><p>HackerOne provides the incentives, technology platform, and workflows security experts need to formalize this discovery process and submit new assets directly to the organizations they work with. The solution includes a dynamically updated asset inventory that becomes the single source of truth for an organization’s attack surface.</p><p>Unlike other solutions, ours ingests results from HackerOne’s continuous scanner, imports results from other solutions, <em>and</em> captures assets uncovered by our community of security experts. This hybrid approach to ASM is substantially more effective compared to pure automation.</p><p>Enterprise customers see their visible attack surface visibility more than double with HackerOne, often discovering hundreds or thousands of previously unknown assets. At the same time, they are able to reduce the time and effort required for asset inventory management and maintenance.</p><h2>Bolster Your Security Strategy with Human Expertise</h2><p>To help your organization gain a complete picture of its attack surface by combining automation with expert human-powered security, <a href="https://www.hackerone.com/contact">contact HackerOne today.</a></p>
      

            
            <a href="https://www.hackerone.com/blog/topic/application-security" hreflang="en">Application Security</a>
        
            
            <a href="https://www.hackerone.com/blog/topic/vulnerability-management" hreflang="en">Vulnerability Management</a>
        
    

<p>Over the last decade, many organizations have seen their attack surface soar out of control.</p>

<p>Digital transformation initiatives, cloud migrations, and increased uptake of user-centric technology architectures have led to huge growth in Internet-accessible assets. At the same time, the number of CVEs reported annually has risen substantially.</p>

<p>As a result, security teams are scrambling to secure known assets while maintaining a complete picture of their asset inventories—and often falling short on both counts.</p>
      ]]></description>
  <pubDate>Tue, 07 Feb 2023 16:20:41 +0000</pubDate>
    <dc:creator>h1_admin</dc:creator>
    <guid isPermaLink="false">5211 at https://www.hackerone.com</guid>
    </item>

  </channel>
</rss>
