How OneWeb is Safeguarding its Assets with the Hacker Community

We recently sat down with Wendy Ng, Principal Cloud Security Architect at OneWeb, to talk about their experience with their private HackerOne bug bounty program. Wendy shared OneWeb’s approach to fortifying their cloud and application security and why the organization believes the expertise of hackers can best protect the valuable assets under their purview. Read this Q&A to hear why OneWeb considers the hacker community key to safeguarding the systems that support LEO satellites.

Tell us who you are.

Hi, I’m Wendy Ng, OneWeb’s Principal Cloud Security Architect and part of the Shared Services team that supports and protects every part of our organization, its infrastructure, assets, partners, and customers. With a background in infrastructure and cloud security, I’m a trained scientist with a doctorate in Medical Genetics from the University of Oxford. That training and focus on collaboration have influenced my desire to share knowledge and experience with the community as part of my career in cybersecurity.

Having written over 70 blogs, including an article for the Cloud Security Alliance, I’ve also had the privilege of sharing experiences and observations from the industry at conferences, including keynotes at Blackhat and the Financial Times Live webinar series. I’m very much a technophile: I believe science and technology will help to propel progress and development.

Why is cyber resilience so important to OneWeb?

We’re a satellite telecommunications company specializing in using low Earth orbit (LEO) satellites for egalitarian broadband connectivity in the hardest-to-reach places on Earth. Despite the criticality of the internet for our digitized way of life, access can be patchy or non-existent for large areas of the globe. And even in developed nations such as the U.S. and U.K., there are areas where reliable, fast, and affordable broadband connectivity is not available.

Given the importance of the internet as the infrastructure that handles some of our most sensitive information and critical activities, safeguarding the systems that support our solution is critical for OneWeb. With the Shared Services team’s decades of practical experience in protecting organizations against cybersecurity attacks, we’re also pragmatists and understand that controls must be proportional to stakeholder requirements.

We strongly believe in “Security through Transparency” rather than the legacy “Security through Obscurity” approach. For this reason, we started a Vulnerability Disclosure Program (VDP) with HackerOne in July 2021, moving on to a private bug bounty program in March 2022. We aim to make our program fully public in the near future.

Tell us about your digital online services.

In addition to being a technology-focused satellite communications company, we’re also a modern digitized organization with cutting-edge business and operational systems. Aligned with OneWeb’s ‘Cloud First’ strategy and to better support the business, these services and systems are available online, which helps support usability but significantly increases the attack surface for the organization and our stakeholders.

As a business, we adhere to the principle of Secure by Design. However, no practice, pattern, standard, or principle is perfect. The community of specialist hackers through the HackerOne program has been invaluable in securing our assets and driving behavioral change across development and delivery teams at OneWeb.

Tell us about a time a hacker helped you spot and fix a vulnerability trend.

OneWeb is a cloud-first organization, and where possible, our preference is to leverage SaaS offerings for ease of use and reduced management overhead. One drawback of SaaS offerings is that performing specific pentesting is not usually possible. With the HackerOne program, however, we have been able to embrace a level of assurance, even on third-party systems, thanks to specialists in the community.

One example of excellent work from a community member involves identifying an important reflected XSS vulnerability in a SaaS product under the oneweb.net production system. OneWeb’s internal development team submitted a report to the SaaS vendor, who released a patch for all of their customers (a vulnerability assigned a CVE with a 6.3 CVSS score for the potential release of customer information). As a result, our bug bounty program directly improved the security of a major vendor’s SaaS product.

How have hackers helped you harden your attack surface?

The HackerOne community has been thorough, professional, responsive, and keen to deep-dive and help us find issues! Reports from them have been detailed, often with step-by-step guides and videos demonstrating the vulnerabilities they identified.

One significant finding identified information that was accessible in a manner we did not approve. This finding helped us improve select information management and governance processes, introduce new monitoring and detection capabilities, and harden the attack surface as a result.

How do you recommend using vulnerability insights to educate internal teams?

Three key actions need to happen once a HackerOne report is submitted:

  1. Fully triage and understand the finding, confirm its validity, and (where risk warrants) assign remedial action to the appropriate team;
  2. Work with the team concerned and the HackerOne community member to resolve the issue (and retest afterward); and
  3. Look to introduce processes, procedures, patterns, or controls that will reduce the likelihood of similar vulnerabilities in the future.

Unfortunately, many organizations fail to address the third step, which is arguably crucial!

How do you report on the value of working with hackers?

Where possible, in executive reporting, we highlight the financial, reputational, or business damage that could arise from an identified vulnerability remaining active – in some cases, the business value of HackerOne community findings has far exceeded our total annual bug bounty budget! We group these savings into three categories:

  1. Resource savings for our internal team that doesn’t have to spend time threat hunting.
  2. Financial savings, in terms of reducing costly third-party penetration testing.
  3. Avoiding fines or customer reparation due to vulnerabilities that might be found too late.

Generally, every valid report submitted by the HackerOne community reduces our attack surface and informs and trains internal teams in secure development and information handling practices.

Further, we’re in the process of growing an internal Red Team. However, the force multiplier available to us through the HackerOne program allows that team to focus more on internal systems and assets that aren’t exposed to the internet, ultimately providing resource savings for that team.

What advice would you give to others planning to start a bug bounty program?

Our strongest advice is “don’t rush.” It’s easy to get excited about the immense value the HackerOne community provides and send too many invites to a private program or open the program to the public before you are able to handle the increase in workload.

Our approach has worked well. We started with a Vulnerability Disclosure Program (no bounties, but an opportunity to address the low-hanging fruit), then moved on to a private bug bounty once we believed our internal teams were able to handle triage and remediation.

No matter how secure you believe you are, be prepared for some surprises. Don’t assume the workload from HackerOne reports will be light, and remember that working on false positives and valid findings takes time and effort.

Our final piece of advice: ensure your Legal team is fully on board with your program before you start – you’ll be interacting daily with a community of hackers, a concept that takes some getting used to 😊.

What’s the biggest lesson you’ve learned from hackers?

The main lesson OneWeb has learned is that vulnerabilities and information exposures are found quickly. It’s not the case that you can get away with exposing something vulnerable for a few hours and hope nobody notices! This reinforces our push to ensure security testing, vulnerability assessment, and security QA are embedded in every delivery pipeline.

Anything else you’d like to share?

To get the most value from your bug bounty program, it’s important to be open, communicative, and friendly with the hacker community. Through transparency, generosity, and good communication, we have built a group of trusted, experienced hackers that invest their time to understand our business and the value of specific assets to our organization. These efforts have resulted in more focused reports and some preliminary triage done for us!

Remember, the HackerOne community isn’t just in this for the money; they’re keen to make the internet, and the world, a safer place.

Author: elizabeth@hackerone.com
Date: 2022-11-15 11:00:00