johnk

Security at Startup Speed: Enterprise Grade Security from the Start

Security at Startup Speed: Enterprise Grade Security from the Start

Launching a startup is a fast-paced, exciting challenge. You’re responsible for delivering the software that drives your business forward. You also share responsibility for making sure the software is secure. Balancing both responsibilities is difficult.

Doing security “right” doesn’t seem to fit a startup environment at first glance. The focus is often on getting functionality done and shipped as quickly as possible. There’s no time to stop development and perform a detailed security review or penetration test.

Startups today must adapt to a rapidly changing environment, completing security tasks along with code deploys, and automating security scans as much as possible. But even with these measures, security vulnerabilities find a way to slip through the cracks.

That’s where hacker-powered security can put out the embers of the fire you may have missed. Hacker-powered security is any technique that utilizes the external hacker community to find unknown security vulnerabilities and reduce cyber risk. Common examples include private bug bounty programs, public bug bounty programs, time-bound bug bounty programs, and vulnerability disclosure policies. It gives you a constant scan of your software using real-world exploits every day. High-quality bugs are delivered to your doorstep by experienced hackers. All you have to do is fix them.

Now you’re thinking, “I don’t have 100 security professionals in my organization to run a bug bounty program.” You likely feel a bug bounty program is a great idea, but best left for when your organization has more funding or a larger application security program.

It is possible, even right now. You can scale your application security team without hiring more security engineers. Let’s look at how startups just like you have successfully launched bug bounty programs with HackerOne, and why they feel it was the right choice to start with bug bounties early.

How Hacker-Powered Security Allows Startups to Launch Smart

Mapbox builds tools allowing developers to take advantage of location data within their apps. They started their bug bounty program in March 2015 with a simple security@mapbox.com email address and a vulnerability disclosure policy.

They found manually tracking bugs was a hassle and began using HackerOne’s bug bounty platform and launched a private bug bounty program. 

“We chose HackerOne as it not only connected us to an existing community of seasoned security researchers but also offered productivity features that automated aspects of the bug bounty triage process. By allowing us to start off with a private program and slowly invite more researchers, HackerOne also made it possible to scale our bug bounty program as we ramped up our security team.” -- Alex Ulsh, former InfoSec Engineer at Mapbox

Nextcloud is a file sync and collaboration service that differentiates itself by putting security first. Security, privacy, and control are key parts of their business strategy. In order to provide the best in class security their customers require, Nextcloud turned to hacker-powered security at HackerOne for help in securing their solutions.

So how has hacker-powered security helped Nextcloud launch smart?

“We obviously can’t hire enough engineers to protect against every possible vulnerability, but we can use our bug bounty program to add on-demand expertise where we need it and continuous coverage nearly everywhere else.” -- Frank Karlitschek, Founder and Managing Director of Nextcloud

Crowdsourced quantitative investment firm Quantopian takes security very seriously. Quantopian ’s members submit quantitative investment algorithms and get paid based on their performance. The source code of these algorithms must remain safe from prying eyes. Even Quantopian doesn’t see the source code. They’ve come to HackerOne and use hacker-powered security to protect the valuable code licensed by their members.

Bug bounty is now the foundation of security for Quantopian. Here’s why:

“We found that, once again, hackers were finding things that the expensive consultants should have found but didn’t. At this point, we were convinced that HackerOne’s model was superior to paying consultants for pen-testing, and we’ve become even more convinced of that as our HackerOne bounty program has matured.” -- Jonathan Kamens, CISO of Quantopian 

Flickr has been using hacker-powered security since November 2018, and have seen impressive results even in such a short time. Startups like Flickr understand that if security is not the foundation of a technology solution, it simply won’t succeed.

“Bug bounty is a crucial element to our larger strategy. While we train and encourage our teams to think about security as being paramount when things slip through the cracks we’re glad we have bug bounty hackers researching the site and keeping our users safe.” -- Alex Seville, Senior Engineering Manager, Flickr

Grammarly helps over 15 million users make their communication clear and effective wherever they type. They also take security seriously and know that users must feel their data is secure to trust the tool. They’ve been using hacker-powered security for over a year and recently took their bug bounty program public.

Grammarly’s VP of Engineering, Joe Xavier, has these tips to share with other startups:

  • It has to be a real priority — your engineering team needs to be ready to respond quickly. When you set priorities, you need to have clear expectations within your engineering team about timeliness, responsiveness, and who triages the bugs.
  • Open the program up gradually to allow your team to scale and adapt. For example, start with a private program, as we did.
  • Pay attention to your triaging to make it more effective. Over time you’ll get better at identifying duplicates, and the difference between low-, medium-, and high-severity threats.
  • Identify an engineer who has a broad understanding of your stack to be consistently part of the program, so they can identify systematic issues and drive efforts to fix root causes, as opposed to merely fixing isolated issues.
  • Tap into security at scale for every product launch with a bug bounty program

Your fellow startups are leading the way with hacker-powered security. No matter how large your engineering team is, hacker-powered security helps startups launch with confidence. Bug bounties add a large group of security researchers to your team who are constantly checking to make sure your software is as secure as possible. What engineering leader doesn’t want the help of thousands to secure their app?

HackerOne has options for every company, big or small. We’ll help you scale over time. We’ll help you launch smart.

The 7th Annual Hacker-Powered Security Report

Hacker-Powered Security Report