I hope that anyone reading this can take away a ‘stay humble’ mentality – it will take them a long way.
COVER STORY
is no longer there, or there is a security incident and you need to remove a bunch of alerts. So, the continuous aspect of HackerOne is what is very appealing and gives us confidence.
How did the launch of the public bug bounty program mean you could immediately identify potential vulnerabilities as the product evolved?
We have a security software development life cycle, and anything new that launches will typically be included in our bug bounty program. The team knows that when it launches a new feature, we expect it to have added it to the HackerOne bug bounty scope on day one. Our team works closely with our development team, and there comes a point where we have done our security review and found all that we can; we know you will launch it soon for customers, so let’s just make these features available in our bounty program even in advance of that launch. In some cases, this definitely yielded us new insights that we had not thought about, long before our product was launched and adopted by our customers. We are super proactive about this; it’s part of our security development life cycle.
How do you ensure security is a continuous process within your operations, and how would you now describe your organisation’s security culture since working with HackerOne?
Working with HackerOne has definitely helped us to have a security culture that is really developer-driven because, ultimately, security is everybody’s job, but developers make a lot more security decisions on any given day compared to security engineers or security researchers. We have a security champions programme where each large product area has a particular champion communication channel (via Slack), and it’s all created out there in the open. Whenever there’s a new HackerOne vulnerability report, as soon as it’s triaged it’s shared in the channel automatically in our communication platform (Slack). People quickly engage with it, so it’s deeply integrated into our security culture.
Alex Rice, Co-founder & CTO, HackerOne, expands on this.
Do you have any advice for CISOs in terms of improving their security programme?
A great lesson for CISOs is just to stay humble with your security programme. Grammarly clearly has a thoughtful, industry-leading security programme with pentests and red teams and scanning and a secure software development life cycle and developer education and all these things, so it doesn’t think it’s smarter than everybody else out there. It knows it has things it’s missing, and the organisation is structuring its security programme around that. I encounter way too many security teams that can’t admit to themselves that they’re not perfect, and they present this invulnerability which is wholly incompatible with how modern software is built. I hope that anyone reading this can take away a ‘stay humble’ mentality – it will take them a long way.
What was your company strategy going into this, and how would you summarise the collaboration?
Something that was very clear from the beginning with Grammarly was that the engineering and development team were deeply involved and engaged in getting this right. It sounds like such a simple thing to say on the surface, but in practice, only a minority of our customers have an engineering leader or technology leader engaged in earning the trust of their customers. So, we were thrilled when Grammarly came on board, and I think that really influenced how we approached the partnership.
I think some elements of that are reflected in how I talked about the programme that are unique to technology-led organisations versus areas where security is a bit of a bolt-on risk management function at the end. We definitely tailor our engagements to match those two personas. We have customers that are very clearly technology-driven, and we have customers where security and privacy is a cost centre trying to minimise downside to the business, and I think it really shows when a partnership leads with this being a core part of the solution.
www.intelligentciso.com