The allure of generative AI and the importance of the fundamentals.
While the advent of generative AI poses new challenges, it is essential not to neglect the basics. Implementing measures like MFA, phishing prevention, patching, and addressing misconfigurations should remain a focus. Grammarly has offered an AI-enabled product since before AI was a buzzword and has already launched its own generative AI product: GrammarlyGO. Many CISOs now have to consider how generative AI affects cyber risk, but for companies that already live in the AI space, it has been easier to see through the hype and stay true to their threat model.
- “Generative AI tools are new, but most of the existing fundamentals of cybersecurity haven’t changed. It can be easy to get distracted by the shiny thing, but an offensive security team should continue to do what they always do: finding issues in the core ways in which their systems are built and configured.” – Suha Can
Bug bounty helps validate – or invalidate – your security beliefs.
Are we actually secure, or do we just feel secure because we’ve deployed controls? As an organization’s security maturity increases, it becomes essential to validate the effectiveness of security programs. This involves assessing factors such as time to remediation, continuous monitoring of security controls, and questioning assumptions. Grammarly views bug bounty as a systematic way to uncover flaws in its attack surface and a way to challenge its controls with unconventional testing methods.
- “Preemptive security is about working to disconfirm your beliefs. The first step is usually doing something like a pentest where you validate your security, but after that, you must start seeking invalidation of your controls. The underlying mantra is that by being humble and second-guessing yourself, you are actually able to be a much better guardian of customer data.” – Suha Can
Value to the board: “Seeing around corners.”
Building products securely requires asset inventory, cloud configuration scans, and static and dynamic analysis, but these measures alone are not enough. A mix of scalable and non-scalable security approaches is vital to ensure that all bases are covered, and it helps reassure your board of directors that you aren’t relying on any single control to keep your crown jewels safe. Grammarly works with HackerOne to catch what the scanners miss and to uncover blind spots in its attack surface – a mission that relies more on the creativity of hackers than on cutting-edge technology.
- “The main value that I communicate to the board is that HackerOne helps us find out what we don’t know and helps us see around corners. That resonates very well with the executive team at Grammarly. It’s not just that we fixed 15 new vulnerabilities this month; it’s typically a bigger conversation where I share anecdotes about how reports have led to more insights and investments.” – Suha Can
Value to the engineers: “Focus and prioritize.”
Grammarly uses insights and trends from its bug bounty program and other preemptive security initiatives to focus its efforts. Grammarly’s security team conducts a weekly review of vulnerability reports from HackerOne and other preemptive security sources; it then initiates a deeper review of any assets or services with spikes in reports or the potential for variants of recent vulnerabilities.
- “A vulnerability for a specific service may also apply to other services you have, or a slightly different attack on the same service could succeed. Those additional vulnerabilities aren’t in the report you receive from the hacker, but because you get that first report now you can investigate further and uncover any additional issues. This also leads to attack surface reduction and a ‘defense in depth’ style hardening across your systems.” – Suha Can
Measuring bug bounty program health.
Grammarly’s key indicator of bug bounty program health is the number of unique researchers submitting valid vulnerabilities each quarter. In a world where new bug bounty programs launch daily, sustaining hacker engagement is crucial. Grammarly’s HackerOne program has run for 5 years, and Grammarly keeps it fresh by adding new scope (like GrammarlyGO, Grammarly’s new generative AI product) and running promotions (like the $100k critical bounty that Grammarly debuted).
- “When I look at my board metrics, the main metric I convey to the board about the health of my bug bounty program is the number of unique researchers that have reported at least one vulnerability in a given quarter. The program is only as good as the engagement from researchers, and researchers can spend their time on any program.” – Suha Can
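The two program-management routines described above (the weekly review that flags assets with a spike in reports, and the quarterly count of unique researchers who submitted a valid vulnerability) are easy to automate over an export of report records. The script below is an added illustration written for this page; it is not Grammarly’s or HackerOne’s code and uses no HackerOne API. The `Report` record, the constructed sample reports, the `example.test` asset names and the spike thresholds (`factor`, `min_reports`) are all assumptions chosen for the example.

```python
from collections import Counter, defaultdict
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class Report:
    """One bug bounty submission (hypothetical record shape, not a HackerOne schema)."""
    report_id: str
    submitted: date
    researcher: str
    asset: str
    valid: bool  # True once triage accepts it as a real, in-scope finding


# Constructed sample data: asset names and researcher handles are placeholders.
REPORTS = [
    Report("r-001", date(2023, 4, 3), "alice", "api.example.test", True),
    Report("r-002", date(2023, 4, 10), "bob", "api.example.test", True),
    Report("r-003", date(2023, 4, 18), "alice", "www.example.test", False),
    Report("r-004", date(2023, 4, 24), "carol", "api.example.test", True),
    Report("r-005", date(2023, 4, 25), "dave", "api.example.test", True),
    Report("r-006", date(2023, 4, 26), "alice", "api.example.test", True),
    Report("r-007", date(2023, 4, 27), "erin", "api.example.test", False),
    Report("r-008", date(2023, 4, 26), "bob", "www.example.test", True),
    Report("r-009", date(2023, 7, 5), "frank", "www.example.test", True),
]


def iso_week(d: date) -> tuple[int, int]:
    """(ISO year, ISO week number) so weeks sort and compare as tuples."""
    year, week, _ = d.isocalendar()
    return year, week


def weekly_counts(reports: list[Report]) -> dict[str, Counter]:
    """Reports per asset per ISO week; invalid reports count too, since a burst
    of duplicates or near-misses against one asset is still a signal."""
    counts: dict[str, Counter] = defaultdict(Counter)
    for r in reports:
        counts[r.asset][iso_week(r.submitted)] += 1
    return counts


def assets_with_spikes(reports: list[Report], week: tuple[int, int],
                       factor: float = 2.0, min_reports: int = 3) -> dict[str, tuple[int, float]]:
    """Assets whose report count in `week` is at least `min_reports` and at
    least `factor` times their average over earlier weeks that had reports.
    An asset with no history is flagged once it reaches `min_reports`.
    Returns asset -> (this week's count, baseline average)."""
    flagged = {}
    for asset, by_week in weekly_counts(reports).items():
        current = by_week.get(week, 0)
        prior = [n for w, n in by_week.items() if w < week]
        baseline = sum(prior) / len(prior) if prior else 0.0
        if current >= min_reports and current >= factor * baseline:
            flagged[asset] = (current, baseline)
    return flagged


def quarter(d: date) -> str:
    return f"{d.year}-Q{(d.month - 1) // 3 + 1}"


def unique_valid_researchers_by_quarter(reports: list[Report]) -> dict[str, int]:
    """The board metric from the text: distinct researchers with at least one
    valid report in each quarter. Invalid reports do not count toward engagement."""
    seen: dict[str, set] = defaultdict(set)
    for r in reports:
        if r.valid:
            seen[quarter(r.submitted)].add(r.researcher)
    return {q: len(names) for q, names in sorted(seen.items())}


if __name__ == "__main__":
    for asset, (n, base) in assets_with_spikes(REPORTS, (2023, 17)).items():
        print(f"review {asset}: {n} reports this week vs. baseline {base:.1f}/week")
    for q, n in unique_valid_researchers_by_quarter(REPORTS).items():
        print(f"{q}: {n} unique researchers with a valid report")
```

In the sample data, `api.example.test` receives four reports in ISO week 17 of 2023 against a baseline of one per week, so it is the asset the weekly review would open for a deeper look, including the variant hunting the quote describes; the quarterly metric counts each researcher once however many valid reports they filed, and excludes those whose only submissions were rejected.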
This conversation between Suha and Alex underscores the importance of a preemptive approach to cybersecurity. Embracing AI advancements while maintaining a strong foundation in fundamental security practices is paramount. At the same time, the power of bug bounty programs to validate (or invalidate) security measures by tapping into the perspective of an attacker is undeniable. As the cybersecurity landscape continues to evolve, we hope these insights provide guidance as you navigate this complex and ever-changing space.
Date: 2023-06-14 12:00:00