(theme music) >> Okay, welcome back everyone, theCUBE's live coverage here in Boston, Massachusetts for AWS re:Inforce '22. Big show for ground security, Amazon re:Invent's coming up. That's the big event of all time for AWS. re:MARS was another one, re:Inforce, the re:Shows, they call them, theCUBE's got you covered. I'm John Furrier, host of theCUBE with Dave Vellante, who's in an analyst session right now. He'll be back shortly. We've got 2 great guests from an amazing company, HackerOne, been on theCUBE many times, (mumbles) Marten Mickos, of course, a big time, (mumbles) We got two great guests. Sean Ryan, Sr. Principal Product Marketing Manager Will Kapcio, Senior Sales Engineer. Gents, welcome to theCUBE. >> Thanks for having us John. >> So Marten's been on many times, he's such a character. He's such a legend. >> Yeah. >> Your company has had great traction, great community, just this phenomenal example of community meets technology and problem solver. >> Yeah. >> He's been part of that organization. Here at re:Inforce they're just kind of getting wind of it now, right? You hear an open, teamwork, breaking down the silos, a big theme is this whole idea of open community, but yet be hardcore with the security. It's been a big part of the re:Inforce. What do you guys think of the show so far? >> Loving it. Partly too, we're both local here in the Boston area. So the commute was pretty nice. (everyone laughs) And the heat wave broke the other day so that's wonderful, but yeah, great show. It's good to be back in person doing this kind of stuff and just, it's really lively. You get a lot of good energy. We've had a bunch of people stopping by trying to learn what we're all about and so, it's really fun. Great show so far. >> And you guys have a great company. Take a minute to explain for the folks who may not know HackerOne. Tell them what you guys do real quick in one minute. >> Okay, the quick elevator pitch. (chuckles) So really we're making the internet safer using a community of ethical hackers. And so our platform enables that so we can skill match the best talent that's out there around the world to help find all the vulnerabilities that your company needs to discover. So you can plug those holes and keep yourself safe. >> So in an era of a talent gap, Will, you know the technologies out there, but sometimes the skills are not there. So you guys can feel the void kind of a crowdsourced vibe, right? >> Yeah, exactly. If you're trying to build a security program, and apply defense in depth, we offer a terrific way to engage additional security talent either because you can't hire enough or your team is simply overloaded, too much to do, so. >> Hackers like to be a little bit, white hat hackers like to be independent, might want some flexibility in their schedule, live around the world. >> Yes. No question for hackers that do it full time, that do it part-time and then everything in between. >> Well, you guys are in the middle here with some real products. So talk about what's going on here. How vulnerable are the surface areas in organizations that you're seeing? >> Yeah, probably more so than you would think. So we ran a survey earlier this year, 800 security and IT professionals across North America and Europe. And one of the findings from that survey was that nearly a third, actually over a third, 37% of the attack surfaces, not secured. Some of it's not even known. They don't know what they don't know. They just have this entire area. And you can imagine, I mean there's a lot of reasons you know, real legitimate reasons that this happens. One of those really being that we don't know what we don't know. We haven't scanned our attack surface. >> And also it's about a decade of no perimeter anymore. >> Yes. >> Welcome to the cloud. >> For sure. Absolutely. And people are moving quick, right? You know, the Cloud perfect example. Cloud people are building new applications on top of these new underlying configurations happening on a constant basis. Acquisitions, you know, that's just a fast moving thing. Nobody can keep track of it. There's a lot of different skill sets you need you know. And yeah, skill shortage out there too. As we talked about. >> What's the attacker solution you guys have? You guys have this HackerOne attack resistance component, what's that about? >> That's right. So that is to solve what we call the attack resistance gap. So that area that's not protected, hasn't been secured, on top of just not knowing what those assets are, or how vulnerable they are. The other thing that happens is people are sort of doing status quo testing, or they're not able to keep up with effective testing. So scanners are great. They can catch common vulnerabilities, but they're not going to catch those really hard to find vulnerabilities. The thing that the really sophisticated attackers are going to go after. >> Yeah. >> So we use... This large community that we have of ethical hackers around the world to be able to skill match them and get them doing bug bounties, doing pen tests, really bulletproofing the organization, and helping them risk-rank what they find. >> Yeah. >> Triage these, do the retesting, you know, get it very secure. So that's how we do it on a high level. Will, you might have a-- >> Yeah. I mean there's a tremendous amount of automation out there, right? But you can't quite at least not yet replace critical thinking. >> Yeah. >> From smart security minds. So HackerOne has a number of solutions where we can apply those minds in different ways at different parts of the software life cycle at different cadences, to fit our customers' needs, to fit their security needs, and make sure that there's more complete human coverage throughout their software lifecycle, and not just automation. >> Yeah. I think that's a great point, Will and Sean, because you think about open source is like not only grown significantly, it's like's it is the software industry. If you believe that, which I do. Open source is there it's all software free. The integration is creating a DevOps movement that's going the whole level. So Devs are doing great. They're pumping out codes. In fact, I heard a quote here on theCUBE earlier this morning from the CTO Sequence Security that said: "Shift left but shield right." So shifting left is build your security into the code, but still you got to have a shield. You guys have this shielding capability with your attack module management service. So you now you got the Devs thinking: "I got to get better security native" So but they're pumping out so much code. >> Yep. >> There's more use cases, so there's going to be code reviews needed for stuff that she said, "What is this? We got to code review new stuff. A developer created something." >> Yes. >> I mean, that's what happened. That's what's going on everywhere, right? >> Exactly. We often hear that for every 100 developers, you've got one security professional. (John laughs) You know, talk about skill shortage that's just not sustainable. How are you going to keep up with that? >> Yeah. >> So-- >> Your phone is ringing off the hook. There's no phones anymore, but like technically-- >> Yeah, yeah, exactly. So, you know, yeah, you need to go external find some experts who can help you figure that out, and keep up with that cadence, you know keeps going and going. >> So, HackerOne. I love the ethical thing. I mean, you know, I'm a big fan. Everyone who watches theCUBE knows I'm a big fan of Marten and your company, but it's not just bug bounties that you do. That's just people think of, they see that in the news. "Oh, I made a million dollars from saving Microsoft teams from being exploited" or something like that, or weird things big numbers. But you do more than that. There's code reviews, there's assessments, like a variety of different things, right? >> Yes, exactly. Exactly. >> What are the hottest areas? >> Yeah, I mean, that's exactly why we coined the term, Attack Resistance Management really is to help describe all those areas that we cover, so you're right, bug bounty is our flagship product. It's what we're best known for. And it's a terrific solution. But on top of that, we're able to layer things like vulnerability disclosure, pen testing and code review. >> Pen test is actually really important-- >> Attack surface management, you know, a whole suite of complimentary offerings to help you engage these hackers in new and interesting ways. >> Yeah. >> The bug bounty is very popular because it's fun. >> Yeah. >> I mean if your going to work on something... It's fun for the hackers but the white hat hackers, the companies they can see where's my bugs it's the fear of missing out and the fear of getting screwed over. That's the biggest driver, right, you Know-- >> Yes, definitely and we now have a product called assets. So this is attack surface management. And what we're able to do with that is bring that in leverage the ethical hackers to risk-rank. What's your assets out there? How vulnerable are these? What's critical? Feed that in, and then you know, as Will was saying we've got all kinds of different testing options. Sometimes bug bounty continuous that works. Sometimes you want pen test, you know, you want it bound. >> Well, the thing about the thing about the pen test, well the soccer report, Amazon's got soccer reports but pen test is a moving train. >> Yeah >> Cause if you're pushing new code, you got to pen test it all the time. It's not a one and done. >> Exactly. >> You got to keep it running. Just one and run, right? >> You can't do the old school penetration test once a year, big monolithic thing. You know, this is just a check the box for compliances like, no, you need to be focusing this on the assets that you're releasing, which are constantly changing. And doing ongoing smaller cadences of pen testing. >> I had someone at a conference had a few cocktails in them, confessed to me, that they forged a pen test report. >> Oh man. >> Wow! (everyone laughs) >> Because he's like, "Oh! It was three months ago. Don't Worry about it." Like, but a lot can happen in three months. No, this is reality, they are like, "I can't turn it around fast enough" They had an Apsec review... >> Yeah. >> In their company and... >> And that's it. >> I mean, I'm not saying everyone's doing bad behavior, but like people can look the other way that creates more vulnerabilities. >> It can happen. And even just that time space. Let's say you're only doing a pen test once a year or once every two years. That's a long time. It's a lot of dwell time, you can have an attacker inside mulling around your network. >> All right. So we get a big service here. This one, AWS, we're here at re:Inforce the trend that you see Amazon getting closer to the ecosystem, lot more integration. How are you guys taking HackerOne's attack surface area product management software, closer to Amazon? What's going involved? Because at the end of the day they're enabling a lot of value and their partners are growing and becoming platforms within of themselves. What is the connection with Amazon? Keeping those apps running? How do you guys do that? >> Yeah. So we've got a specific assessment type for AWS. So... On the one hand, we're bringing in the right group of ethical hack hackers who are AWS certified. They have the right skillset, we're matching them. We've got the right assessment type for them to be able to track against and find the right vulnerabilities, report on those. So this is our pen test offering geared particularly towards the AWS platform. And then we also have an AWS security hub integration. So if customers are using the AWS security hub, we can plug into that, feed that information. And that gets more to it, the defense and depth for your AWS. >> And you guys verify all the ethical hackers? Everything's verified? >> Oh yes, absolutely. Fully. >> Yep. So they're verified for their pen testing experience, and skills and of course their AWS skills in particular. And their work experience, making sure that it's long enough that it's good, background check, the whole nine, so. >> How far has Amazon come from your perspective, over the past few years with the security partnerships? I mean their services have grown every year. I mean, every Amazon re:Invent, thousands of new announcements, new services. I mean if they update the DNS server, it's a new thing. Right? So like everything's happening. >> Yeah. >> What's different now? >> It's great to see. I mean, you look around at how many different types of security solutions there are here how many different types of partners, and it just shows you that defense in depth again, it's a really critical thing. Been a wonderful partner for us. I mean that, they're a big fan of us. They tell us that all the time. >> Yeah, 'cause the customers use you. >> Cause they're customers too. Right. Exactly. Exactly. But no, it's, it's been great. So we're looking at, we've got some things on the roadmap, some continued integrations that we look forward to doing with AWS, but you know, again it's a great powerful platform. It gives customers a lot of freedom, but with that freedom comes the responsibility that's needed to actually-- >> Will, what's your take? We hear hybrid security keys, management systems, announced today, encrypt everything, don't have over permissive environments. Obviously they're talking about more platform and that type of stuff >> Absolutely. My take would be, I think our own partnership with the AWS security team is great evidence that they're thinking about the right things. We worked within conjunction with them to develop our pen test methodology. So that combined for proprietary HackerOne platform data and findings across all of our customers that are common issues found in AWS environments with their own knowledge and their own experiences from the AWS security team directly. So it's a pretty powerful checklist that we're able to run through on some of these customers and make sure that all of the most common miss-configurations and such are covered. >> Yeah. They're highly motivated to do that. 'Cause they get blamed for the S3 buckets being kept open. It's not even their fault. >> Right. (crosstalk) >> We got hack over in Amazon. Amazon's terrible! >> Yeah. You know, one of the things we like to talk about is the fact that, you know, cloud is really about automation, right? >> Yeah. >> Yep. >> But you can't automate that human ingenuity the skills that come with an actual human who has the experience and the know how to fix these things. >> It's a lot going on in Amazon. It's always been kind of like, you just described earlier in theCUBE. An erector set, not Lego blocks yet, but still kind of, you still got to build it. It's getting better in the Lego model, but there are challenges in protecting cloud, Will. I mean this is a big part of protecting cloud platforms like AWS. What are some of those challenges? >> I think some of the challenges are the ephemeral nature of the cloud can really result in developers, and you know really business units across an organization spinning up assets that IT or security don't know about. And so that's where things like HackerOne assets in those attack surface management style solutions come into play, trying to identify those assets proactively and make sure that they're receiving some sort of attention from the security team whether it's automated or manual or ideally both. >> You guys got a good solution. So how about the partnership? We got one minute left. Talk about your partnership with AWS. You guys are certified in their security group, with their team and marketplace, right? Talk about some of those things. >> Yeah, we've been in marketplace over a year. We've had that the specific solution that I mentioned the App Pen test for AWS in place and integrated with security hub for some time now. There's some other stats that we could probably share around the ethical hackers that we have working on that. We have a number of certified AWS hackers, who again they have the right skill set for AWS, and they've been a great partner. We are very focused on continuing to work with them, and build out some new offerings going forward. >> Well, you guys have done a great job. Will, tell your team congratulations on the tech side, on the product side, very strong community. You guys had a lot of success. Congratulations! And thanks for sharing on theCUBE, appreciate it. >> Thanks for having us John. >> Thank you for your time-- We're here at re:Inforce where all the access tab is open, it's team oriented, we got cloud scale, data, encryption on everything. Big news coming out of re:Inforce, well, theCUBE's got it covered here. I'm John Furrier, your host. Thanks for watching. We'll be right back with more coverage after this short break. (theme music)