CISOs: Do You Know the Security Risks of Your Organization’s Next M&A?

First, I’ll discuss the inherent risks associated with M&As as attack surfaces grow.

A Growing and Unprotected Attack Surface

An ever-expanding attack surface is a global concern for most organizations and complicates an M&A, especially for CISOs. The M&A prospect may have a partially unprotected attack surface, increasing security risk in the form of a gap between the attack surface they can and do protect and the attack surface (and accompanying assets) they need to protect. This gap is what many M&A prospects bring to the table. And while an M&A may have undisputed business and strategic value, CISOs must still address the security risks involved in acquiring another organization’s assets and its existing attack surface, fully protected or not.

HackerOne recently released The 2022 Attack Resistance Report, for which we surveyed 800+ company IT executives across American and European organizations. Our goal was to understand the impact of a rapidly changing application landscape on an organization’s readiness to defend against cyberattacks. Overall, organizations reported that only 63% of their total attack surface is resistant to attack, leaving a vulnerability gap of 37%. That gap is significant, but on average, over 44% of those surveyed also acknowledged that they lack confidence in their ability to address the risks introduced by this gap. If your organization is planning an M&A, you may be acquiring a 37% vulnerability gap, which equals security risk.

M&A Diligence May Not Be Enough for CISOs

For the CISO, evaluating security is a standard part of M&A diligence, but the outcome rarely changes the core “go/no-go” decision. Moreover, diligence is often checklist-based, supplemented by automated tooling, or both. These methods may fail to identify the vulnerabilities and flaws in an organization’s security, the entire attack surface, and unprotected assets. When the M&A closes, the CISO is often left without an accurate assessment of the new unit’s actual security. In addition, the acquirer is immediately responsible for the new unit’s asset risk.

HackerOne’s M&A Experience—How a Bug Bounty Eliminated Risk

At HackerOne, we recently went through an M&A and are thrilled with the recent PullRequest acquisition. PullRequest code reviewers can accelerate engineers’ development work by connecting them to instant expertise in secure code review.

PullRequest’s technology builds on our history of improving application security and emphasizes developer-first solutions. PullRequest reviewers prevent bugs from reaching production by offering software testing closer to development. This helps our customers close their attack resistance gap between what they can protect and what they need to protect.

As HackerOne’s CISO, I was immediately responsible for any business risk associated with the acquisition of PullRequest. Naturally, I turned to our product portfolio to help address any possible risk. We quickly brought PullRequest in scope for a bug bounty program using HackerOne Bounty.

We added PullRequest assets to the bug bounty, which notified all hackers subscribed to our program. We started seeing valid security vulnerabilities come in within the first hour. The immediate results continued. Within 48 hours, we had received 23 submissions, including a valid high-severity issue. The high-severity issue was a blind Cross-Site Scripting vulnerability disclosed here. This discovery—and the program’s overall success—illustrate the power of the ethical hacking community. This high-severity bug had been live in the product for five years. When our hackers were invited and incentivized to look, they found it within 21 hours.

Using HackerOne Bounty, we immediately addressed the security risk that came with our acquisition of PullRequest and had gone undetected during diligence.


Rapid digital transformation, globalization, M&As, divestitures, restructuring, and more are just some of the factors that contribute to the increased demands on security teams. Many are understaffed and lack training. Yet it is difficult for many organizations to find the time and resources to address these issues. There has never been a greater need for hackers’ immediacy, expertise, and creativity to supplement security teams and their existing processes and automated tools.

The HackerOne Attack Surface Management Platform, now more robust with the recent acquisition of PullRequest, can help your organization eliminate M&A risk, protect an ever-expanding attack surface, and close your attack resistance gap. Contact us to learn more about achieving attack resistance with HackerOne.

Author: Chris Evans
Date: 2022-06-14 12:00:00
