Looking to expand beyond barcodes and become a more holistic provider of hardware, software and cloud services, Zebra Technologies underwent a business transformation that could very well have passed additional cyber risk on to its clientele through an unproven array of new solutions.
To overcome this challenge, the Illinois-based tech company quickly stood up a three-pronged strategy consisting of code pentesting, a vulnerability disclosure program (VDP) and a bug bounty initiative, according to Mike Zachman, CSO at Zebra, speaking on Tuesday at HackerOne’s Security@ virtual conference.
As a result, Zebra was able to “shift left,” baking security into its product development process, while also gaining buy-in from the coders and developers working on the company’s new innovations — not an easy task.
Zachman set up the scenario: “We have really been on a mission to move from being … just a hardware company, to a hardware company that also has software solutions and services associated with it,” he explained. “Certainly, that changes one’s security lens. It's a completely different environment to have a cloud-based SaaS solution available for customers, compared to having hardware-based printers that … go outside of Zebra’s control and get installed and run and operated by the customer. So we realized we needed to evolve ourselves and our security program to support both of those extremes.”
To describe the overhaul of its vulnerability-hunting effort, Zachman borrowed the recently politicized metaphor of “draining the swamp.”
“I said, ‘We’ve got this swamp out there, and we know that there are some big ugly alligators out there,’” said Zachman. “We don’t know how many, we don’t know how big they are, but we want to get rid of the swamp.” The plan was to start with the biggest, most imposing threats first, and then continue to monitor the environment for lingering threats.
“We wanted to go through our entire product portfolio and test it and really understand: Hey, are there problems that we want to get resolved? And [we had] an aggressive timeline to do that,” he continued.
The exercise of hunting the largest “gators” was initially accomplished through risk assessment exercises. “We did the old heat map and we went after those areas that we felt were the highest priority first,” said Zachman.
But the timetable turned out to be so accelerated that traditional pentesting on its own was clearly going to take too long and be too expensive. In response, the company created a VDP, while also initiating a bug bounty program to supplement the effort. Some low-risk products were rolled straight into the VDP and bug bounty program, while others were first put through a pentest.
Due to these efforts, Zebra now integrates security into its products and solutions during the development process. “It’s not something that we layer on at the end; it’s something that we want to design in from the beginning … so that it’s secure by design,” he remarked.
“This continuous monitoring approach that you can get through a robust vulnerability disclosure program and bug bounty program really underscores a more mature program,” said Zachman. “And so what we found is that by partnering with a hacker-powered approach, the effectiveness was really evident very quickly,” from both a cost and a quality point of view.
By comparison, traditional pentests that rely on generic scan tools too often just “point out the obvious,” Zachman said. Consequently, in those cases, “you … lose the attention span of developers who are busy developing.”
Indeed, “traditional pentesting hasn't adapted to the speed and scalability needed to keep pace with a modern software supply chain,” noted Chris Dickens, security engineer at HackerOne, in a separate but related conference session looking at supply chain security. “I also think there's a security skill shortage here, as well, meaning it's hard to find the right people to fork to perform these tests at the right time.”
But by relying on a more formalized program that leverages the greater hacking community, Zebra doesn’t have this problem. Now, when a hacker-powered vulnerability report comes in, “there’s proof-of-concept code attached to it, there’s suggested remediations attached to it. And our developers are looking at these things and the lack of false positives,” and realizing that “the quality of the findings is really superior to what I’ve been accustomed to in the past,” Zachman said.
Additionally, through a ticketing and workflow process, Zebra is able to easily feed these security reports to the product development teams in what’s essentially an automated intake process.
As a result, “we're getting accolades from the product development teams,” who have bought in to the program, Zachman continued, calling this well-earned credibility “one of the really big highlights or benefits” of the program.
This is a significant development, as some organizations can still be wary of contracting hackers to wade through their code looking for flaws. “You just sort of have to take the leap of faith, and we took the leap of faith with some tests and some trials and toes in the water. And then those quick wins show up. And that’s when it starts. The momentum builds,” Zachman said.
During his panel session, Dickens was one of three HackerOne execs who recommended that any software or web developers that use third-party code should help reduce the risk of supply chain attacks by requiring their software vendor partners to institute their own vulnerability disclosure policies, while also persuading them to allow pentesting of their code via the ethical hacking community.
“You report the vulnerability through the established channel, and boom, it's off to be triaged and remediated, cutting the exposure window much shorter,” said Kayla Underkoffler, senior security technologist at HackerOne. Unfortunately, many vendors still “drag their feet in this area,” considering a VDP a “nice-to-have,” but not an established best practice.
To debunk this misconception, Underkoffler said that companies can actually point to “many great examples of VDP mandates out there” that already exist, including the U.K.’s Code of Practice for Consumer IoT Security or the U.S. Department of Defense’s VDP for the Defense Industrial Base, the latter of which uncovered over 132 vulnerabilities across 270 assets during the first six months of the program’s existence.
“In fact, 63% of global organizations require their IT suppliers to have a VDP,” Underkoffler stated. So “if you're struggling to get your vendors on board, you can now comfortably emphasize that this is a best practice.”
If your vendor partner already has a VDP, you still want to make sure it’s a quality, effective one, and that’s where assessment comes into play. One possibility, said Underkoffler, is to present an assessment questionnaire that seeks out metrics of success. For instance, she said, “In the past 12 months, what’s been your mean time to remediate externally discovered vulnerabilities?”
“Questions around operational metrics will ensure their VDP is not just an endless black hole email address, but a high-functioning program,” Underkoffler said. “If they don’t know the answer to these questions, or if they say they haven’t had any vulnerability reported at all, well, that might be another red flag.”
Additionally, the trio of HackerOne executives, which also included Alex Rice, CTO and cofounder of HackerOne, reminded attendees not to overlook the risk of open-source code.
To help developers and their clients shore up the software supply chain in this regard, HackerOne on Tuesday introduced key improvements to the Internet Bug Bounty (IBB) program, an initiative founded in 2013 through which ethical researchers can spot and report flaws in open-source software projects.
Improvements to the program for HackerOne customers include pooled spending and defenses, split bounties between hackers and maintainers, and a simplified vulnerability submission process.