Alex Rice, HackerOne | AWS Startup Showcase
(music) >> Hi, welcome to today's session of theCUBE's presentation of the AWS Startup Showcase: New Breakthroughs in DevOps, Data Analytics and Cloud Management Tools. This segment features HackerOne for DevOps. I'm Lisa Martin, and I am joined by Alex Rice, the founder and CTO of HackerOne. Alex, welcome to the program.
>> Thank you for having me.
>> Alex and I are going to spend the next 20 minutes or so talking about strengthening cloud application security with HackerOne. I want to go ahead, Alex, and start: you founded HackerOne back in 2012. Talk to me about why you founded it. What were the glaring, obvious gaps in the market?
>> So I started out with a software development engineering background before moving into security about halfway through my career. And one of the things that's always bothered me about the security industry is how unreliable our feedback loops are. We only ever really get quality software by having as many points of feedback as possible in there, from customer surveys and analytics and monitoring. And the security industry has just been really spotty about that. So when I was running the product security team for Facebook for a number of years, one of the surprising things that we did, that ended up being one of the best feedback loops we had, was we just said to the world, to the hackers out there: if you find a vulnerability, find a security flaw, find something that we missed, we'll reward you for it. And we were really blown away with what very creative folks all across the world came back with. And so this concept of inviting outside friendly hackers to point out your flaws in exchange for compensation ends up being a very valuable tool for any engineering team and any security team, particularly those that are adapting to more modern, faster, agile environments.
>> Right, like DevOps. So you've amassed a community of over 1.2 million good actors, ethical hackers as you say.
How do you vet those folks, since there are so many nefarious actors out there?
>> It's a great question. What we start with: the bulk of the programs that we run on HackerOne are public. They're open to the world. There are organizations like Facebook and GM and the Department of Defense that say to anybody out there, if you find something that we've missed, we want to know about it. So you're not giving the hackers any special permissions or access that they wouldn't normally have. You're inviting them to collaborate with you. From there, we learn a lot about the hackers' skillsets and demeanor and their track record to then vet them for more private or targeted programs. So while there are these public programs, that is where those million hackers originate from; that list is vetted and filtered down for more private engagements. Because most folks building technology don't need a million hackers to help them out. They need 10 of the right hackers on their team at the right time. And vetting them and matching those hackers to the right challenges is a core part of what we try to do here at HackerOne.
>> One of the things that we talk a lot about on this program is, you know, the last five years, this shortage, the cybersecurity skills gap. Is HackerOne's answer to that these 1.2 million ethical hackers who can find those vulnerabilities that are open vectors for criminals to exploit?
>> It's part of it. It's very much a part of it. My personal hypothesis about this is that a big part of why we have such a glaring skills gap is because we've tried to separate it out from core engineering and DevOps principles. The most secure products out there, the ones that hopefully you trust and we all use regularly: security is a core part of their engineering practices. It's a core part of their DevOps practices, and the skillset overlaps dramatically there.
And so we've had a lot more success in involving the core DevOps and engineering teams in security practices and really doing it as any other component of quality software development. And the challenge of that is that you're not going to find everything that you need in a single job description. If you're building a modern application or deploying modern infrastructure, the diversity of skill sets that you need is just staggering. And if you try to apply the old employment model of, okay, I need a security expert on this application, I need an expert in AWS and Kubernetes and RDS and queuing systems and encryption and database security and account takeover, you quickly realize that it's just impossible for every organization that needs all that expertise to hire somebody with all that expertise. So our approach, and what we try to do, is to make sure that the core teams own responsibility for that security, but they're able to tap experts when they need them, in a model that is really much more acclimated to how modern software is built.
>> Got it. Okay. Interesting. Talk to me about the HackerOne security platform. Let's kind of dissect that.
>> Absolutely. So there are a few different types of programs that we run for customers. At its heart, there are public programs that we refer to as vulnerability disclosure programs. This is usually a security@ address; it could be as simple as a security@ email address to report vulnerabilities. That's really just an invitation to the world out there that says: hey, our application is available to the public, and you, as a member of the public, if you find a security issue that we should be aware of, we'd like to hear about it. And it's incredible the amount of value that software teams receive just from asking, just from putting that invitation out there.
Then in parallel with those, for the organizations that are looking for more talent, a deeper dive, we run bug bounty programs, which is a very similar flavor, but our engineering and software teams will post bounties for the specific types of issues that they care about. Meaning, if you can find a way to compromise user data, or if you can get access to our infrastructure, we'll reward $5,000 or $10,000. And you're specifically asking people to help you find things that will align with your goals and protect your customers. And then the third model that we do is our security assessments. These are very targeted, point-in-time assessments. They're not ongoing commitments. They are for when a DevOps team is deploying a new application or releasing a new architecture or running new infrastructure, when they need a very targeted set of expertise for a constrained timeline to fit into their release processes. We can run assessments matching just a small number of factors to what you care about and tie all that into your release process.
>> Okay. Let's talk about now... we know one of the things that we've seen in the last 18 months is this massive acceleration to digital. We've seen much more cloud adoption, and really lifelines: Zoom, Netflix, for example, being these lifelines. As more organizations are moving to the cloud, we think, well, maybe risks are getting higher. With respect to customers that are moving to AWS, how does the HackerOne security platform help?
>> The potential of technology, if it wasn't clear before the pandemic started, it should be clear to everybody now. It's unbelievable the positive impact it's able to have on our lives. And at the same time, most people don't trust technology. We as a technology industry have done a poor job of earning the public's trust that the technology that many of their lives are starting to depend upon is as trustworthy as they need it to be. And that's not a new challenge.
As long as we've been developing software, there have been bugs, there have been security problems, but it's really amplified, both with the pace of development and just how accessible that's becoming to the world. And so in prior development models, where we were releasing software much more infrequently, where it was deployed in very controlled environments and accessible only to specific people who happened to be in a physical location or had a particular corporate account, that's all starting to change. Software is being released so much faster, at a pace that the traditional security models were already struggling to keep up with, and now are just completely outclassed. That's trend number one that's changed: it's just that the speed at which we have to apply security is unprecedented in this new world. And then at the same time, the access has just gone through the roof. The way of operating a modern business and serving modern customers dictates that we have to meet them where they are, wherever they are in the world, which means the adversaries have the same level of access that we're now affording to our customers. So for our financial services customers that have gone completely remote access in the last year, that's a whole range of attack surface that wasn't accessible before, and many of them are using cloud systems to do that. Our healthcare customers that previously had a tech service that was only accessible when you were actually in the hospital, it is now open to large parts of the public and has many, many more private conversations than it did before. And it's more than anything else that realization that we need this technology to be always on, accessible anywhere in the world, and trusted, because people need to trust it like their lives depend on it, literally, that has really changed how we need to look at this challenge.
>> Yeah. That speed at which the attack surface is just spreading.
And I was looking at some cybersecurity data in the last week or so, and there's really no sign of it slowing down. We saw the rapid shift to remote work a year and a half ago, remote learning. And obviously we're in this hybrid world now where, you know, companies are in hybrid cloud, we're in this hybrid workforce of some remote, some at home, some doing both, back and forth, with that attack surface spreading. Give me an idea of some of the customers that you guys are working with to help them, with HackerOne, secure their AWS environments.
>> Yeah. Our customer base really follows technology adoption trends. All of our early customers were tech companies that are kind of the ones that pioneered this model. Facebook, Google, Microsoft, Twitter, Uber were the early tech companies that were the first ones to realize that the traditional approach to security was just insufficient for a new cloud-forward environment. Behind them you'll find technology leaders in every industry. It's hard to just talk about the tech industry today. When you look at any industry out there, you can find one or two examples of very technology-forward companies. On the finance side, customers like Goldman Sachs and Capital One. They really view themselves as technology companies these days. They're not financial service organizations or banking organizations; they're first and foremost technology companies. They were some of the first to adopt this model. On the military side, the Department of Defense was one of the first organizations to do this, because they've long had... they're both one of the most traditional organizations out there, and they've always had innovation arms adapting practices like this. The automobile industry was a little bit early on the technology adoption trend, as consumers started relying on and demanding more technology in their vehicles. They were one of the early adopters of a practice here.
And in more recent years, the line has just completely gone away. When we're engaging with a customer, you don't really even ask: what's your digital strategy? Do you have a technology team? Are you developing first-party applications? Do you use any cloud services? The answer to it is just yes, so much more often than it's not. I think the safe assumption in 2021 is, if you're doing business, you probably have a software engineering team, you are probably deploying on the cloud. And if you're not, you're probably not going to be doing business in the next decade.
>> Right. That's going to be a big differentiator, but you bring up a good point that you can almost say every company these days is a tech company, or needs to become a tech-powered company, a data-driven company. That is critical, especially to organizations in this climate, being able to pivot continuously as our world is changing. I want you to walk us through, Alex, some of the HackerOne assessments that folks can do specifically in the AWS environment.
>> Specifically for AWS, what we found is there's a category of AWS, and really all cloud, customers that want the always-on security feedback loops that come from bounty programs. And so we've had that offering for quite a while, for folks that want feedback no matter when it happens, because they're continuously releasing applications. But then increasingly, one of the use cases that we discovered was folks were in the midst of moving new applications to AWS, almost on a weekly or monthly cadence, and they needed a security testing cycle that would keep pace with that. Particularly folks that are undergoing any type of cloud migration or lift and shift of their applications. And so we rolled out an AWS-tailored, specific version of our security assessment product.
You can get it in the AWS Marketplace as well. It lets you spin up a targeted security assessment on demand through your native AWS tooling, whenever you need it. And the most common use case being: we plan to open up access to this application next week. We'd love to have some hackers kicking the tires on it this week before the whole world has the opportunity to do that. All of those findings are then integrated back into AWS Security Hub, and tailored in a way that is meant for the DevOps teams and engineering teams that are deploying to be able to tell what's going on. We're not asking folks to break out into specific security workflows. We really fundamentally believe that security accessible to DevOps teams is what's needed to keep us all moving fast and shipping trustworthy applications in the cloud.
>> Is that at all a facilitator? You know, when we talk about DevOps folks, security folks, DevSecOps, we talk about sort of the cultural shift: developers and the DevOps folks need to be focusing on getting applications out at speed, and security folks... developers, you know, don't want to have to have security responsibilities. Are you helping to facilitate some of those?
>> Yeah, we are, and it is more of a personal opinion here, but as someone who's worked on many engineering teams and built multiple application and product security teams, on the strongest ones in the industry, the lines between the product team and the product security team, or the DevOps team and the security team, are non-existent; those experts exist on both. I hate terms like DevSecOps. It's necessary to approach things, but if you're going to have a term like DevSecOps, you need to expand it to something like DevQaSecInfraOps. And it's just, you can't possibly capture every skillset and the critical aspect of quality software development in a short little acronym like that.
And to me, DevSecOps just feels like an attempt by the industry to get invited to a party that nobody wants them at. And I really think we have to rewire our thinking. And if you have a development and an operations team, which are the two core functions there, that doesn't take hands-on responsibility for the security of what they're developing and operating, you're in trouble. Right? The more you try to outsource that to another team, another set of expertise, the worse you're going to be. There's an analogy that I draw to this that is a little bit of a poor analogy, but it works well for me. For those of us that have been around in software engineering for long enough, there was a huge push in the early two thousands to build quality assurance processes across the board. Everyone was investing in QA and building out QA teams. And every study across the board showed quality just tanked after people invested millions in QA and quality assurance. And when you dig into it, it's intuitive, right? As soon as you can say, oh, thank goodness, quality is now somebody else's job, there's a dedicated team that can think about quality and deal with quality, quality goes away. And security follows the exact same paradigm. Modern software is too complex, too interconnected, to be able to expect somebody else to completely do it for you. And so we really try to consult our customers on: you should be thinking about organizational structures and responsibility matrices that ensure developers and operations have a seat at the table in the security of the product. And then the challenge is, how do we get the right people onto those teams? How do we get the right experience to them, versus bolting it on with another acronym in the middle?
>> I love your opinion there. In terms of facilitating that, the latter part of what you just spoke about, how are you finding those conversations within customers going?
Is this now... I mean, think about it from a security perspective, it's going up to the board level, an imperative. Are you finding, especially in the last 18 months, that your conversations with organizations are changing as that escalates up the chain?
>> They are, but we also take a very pragmatic approach to this. I gave you a fairly personal opinion there on how to do it. The reality is most organizations aren't structured that way. They have a DevOps team, they have a security team, and the two are often in somewhat of an adversarial relationship. And we certainly work within those environments. You certainly can have a mature security program in an environment like that. It's not like there's one silver bullet to solve it, but we do work closely with our customers to try to bring down those walls. And increasingly, technology leaders are engaged and hands-on, and are looking for ways to make this better. Five years ago, the CISO, the Chief Information Security Officer, was almost always our main buyer and our main point of contact. It's much, much more common now to see VPs of engineering, CIOs, CTOs have direct line responsibility for security teams. And I think we're starting to see the early shifts of work structures that reflect that. If you have a DevOps team and you have a security team that's responsible for the security of what the DevOps team is doing, and they are reporting to the same executive, where there are major points of bureaucracy and politics between them, every executive we talk to feels that. They lived through an experience like that, and they're motivated to start bringing those walls down.
>> They've been through that pain and know the imperative of getting alignment. So we've talked a lot... in the last minute here,
I'm curious. We talked a lot about what HackerOne is doing, what you're doing for the AWS community, what's in it for your customers, but I'd love to understand just really quickly: what's in it for the hackers? I do understand that you guys have more ethical hackers than there are black hats out there in existence, which is good to know. But what's in it, you know, from a bounty perspective, for the hackers that work with you?
>> We believe we're creating meaningful economic opportunity for hackers out there. We've had over a dozen hackers that have made a million dollars on the platform helping customers. But more importantly, it maps to how you want to develop your skillset. As hackers... a big part of the cybersecurity workforce challenge is these unrealistic job expectations that require every security engineer to be a jack of all trades and work across 10 different product teams and master all of these skills. Whereas this model allows hackers to specialize. You can be a specialist in a very particular piece of technology and apply that specialization across everyone that depends upon it, and focus on what you can do best without dealing with the office politics or the unrealistic job expectations of what's needed in a modern security professional. It's one of the most painful things about the security community: you'll look at junior, entry-level job descriptions for security engineers that already require five years of experience and expertise in 10 different technologies, which is just unrealistic. You're not going to find it. You don't want to be that individual. But it's also, it's back to what we were talking about earlier. It's trying to find unicorns for roles that are just not in line with how modern software is built. And so I think, for the hacker community, what we hope we're doing is we hope we're creating meaningful economic opportunity.
We also hope we're enabling folks to develop and contribute to society with their skills in a way that they would like to.
>> Awesome. Alex, thank you so much for joining me today, giving me kind of a background on what HackerOne's doing, what you're doing for AWS, the opportunities, what's in it for me as a customer, what's in it for me as an ethical hacker. It's been great having you on the program.
>> Thank you very much. Take care.
>> This has been our coverage of the AWS Startup Showcase: New Breakthroughs in DevOps, Data Analytics and Cloud Management Tools. For Alex Rice, I'm Lisa Martin. Thanks for watching. (music)