Companies have long treated security as something bolted onto the development lifecycle rather than as part of everything they do. The push to bring security to the forefront of product development, and to the minds of all employees, is costing organisations more than they anticipated. Bigger companies have recently made headlines with lucrative bug bounty programmes that focus only on external security threats.
Take Google for example: They recently paid £17,875 in bounties to bug-reporting researchers. The number of organisations launching successful external programmes is vast: Pornhub launched a bug bounty programme for security types not long ago, with Microsoft adding to their own programme schedule via their Nano Server technical preview.
A recent study has found undetected insider threats present in 100 percent of businesses. These threats are not necessarily malicious: Developers can inadvertently create problems due to their lack of security knowledge. However, external threats are still considered the main priority, and while they are obviously important, are companies putting too much focus on them?
Internal Bug Bounties secure the right mindset
‘Hackers for hire’ can make a comfortable income from bounty programmes. They are constantly trawling the open invitations from companies such as Facebook, Dropbox, GitHub and Google to find vulnerabilities and be paid for the trouble. There is even a master list for the aspiring full-time bug bounty hunter. The question is whether the existence of these external bounty programmes is enough security for an organisation.
Having an internal bug bounty programme, targeted at reducing the number of easily exploited vulnerabilities, is a great mechanism for reducing insider threat. The programme taps into every engineer’s inherent desire to create and to hack: Teams know their own infrastructure best, its strengths as well as its weaknesses. It also gives everyone an opportunity to have a very direct impact on security within the organisation. At Zalando, our internal bug bounty programme underlines the need to hack, to learn from mistakes and, in the process, to build the most secure products.
Becoming radical about security
Our Radical Agility work culture has put security in the spotlight. Developers work in autonomous teams, bound by organisational trust, and use the technologies they think will best fit the job, as well as the company as a whole. This all happens amongst team members without the restraints of a traditional, hierarchical management structure.
With the Radical Agility framework at the helm, Zalando Tech has been able to put several initiatives in place to foster a broader security mindset throughout the company.
Finding and fixing bugs is not enough. You also need trained experts: great communicators and ambassadors who can convey the right mindset. Zalando’s grassroots initiative, known as Security Champions, was developed to give employees enough security knowledge to make the right decisions without needing to consult the Security Team. Champions are the Security Team’s eyes and ears, well versed in the company’s security fundamentals, while the bulk of their team’s work can still be driven by innovation. One voluntary nominee per team watches over day-to-day security decisions, backed by training on threat modelling, data privacy law, and security concepts such as Defence in Depth and Secure by Default. Not only does this increase security awareness amongst developers, by developers, it also underlines the fact that, ultimately, security is everyone’s responsibility.
It’s important to underline that this initiative is sustained by volunteer employees who want to add to their expertise and strive for excellence. Such programmes have several layers of benefit: Organisations become less error prone when building and releasing new technology, and security and architecture principles are adopted broadly throughout the company.
Stop adding security as an afterthought
It’s already been said: Security is part of everything you do. Do you want to curb your biggest security threat? Then you need to get radical about security. Nico Sell, co-founder of the end-to-end encrypted messaging app Wickr and a notoriously private person, stressed to CNBC that: “The more data that you have the more you have to protect.”
Company-wide efforts are crucial if businesses are to combat the insider security threats most companies harbour. While this involves a dimension of checks and balances, implementing security at every step of the development lifecycle must never cause friction or slow down innovation.
It’s in everyone’s interest to think security: it has to be visible and explicit, and all levels of management should invest in programmes that are loud and colourful. When you invest in training and foster a culture of learning and improvement, the security mindset becomes a matter of course for a well-functioning organisation.
Security needs to stop being an afterthought at the end of the production line. Take the steps your company needs to make security second nature.