We spoke to an ethical hacker about information security

Chantal Stekelenburg is Head of Operations for Netherlands-based ethical hacking organisation Zerocopter.

Zerocopter's approach is simple: they hack their customers, from eBay to Air France-KLM, then collect 'bug bounties' for any information security vulnerability they can uncover and report to them.

Chantal spoke to Qualsys to share the wisdom she's picked up from her 4 years of ethical hacking, including:

  • The main mistakes businesses make with their information security
  • What the future of information security looks like in a world of 'white hat' and 'black hat' hackers
  • 3 top tips

Qualsys: How did Zerocopter come together?

Chantal: We formed in 2015, because we saw in the Netherlands there were companies doing pen testing and automated scanning - but not many doing bug bounties.

Getting ethical hackers to hack your company was getting very popular in the United States and China. Zerocopter wanted to bring that approach to Europe.

What we saw was that a lot of European companies were afraid of hackers. There was the stigma of criminal hackers, but not many knew there were also ethical hackers that could really help their security.

We had to take them by the hand and help them through the process of bug bounties, responsible disclosure, Coordinated Vulnerability Disclosure.

In short, hackers find a vulnerability, report it to the company, and together make sure it gets resolved.

Hackers following responsible disclosure don't do it for money. They're happy to get a goody like a t-shirt or a mug.

In pen testing, you're paying a fixed cost by time - 10 or 20 hours - and everything uncovered in that time gets reported.

But for bug bounties, which is our approach, you only pay for vulnerabilities which are actually found. As long as they're valid, and it's something nobody else has found before!

One for the office?

Zerocopter's Office Bug Bounty Game is a light-hearted way to raise awareness of information security risks, from using simple passwords to accepting unknown Excel macros.

Qualsys: What's the biggest vulnerability Zerocopter has ever found?

Chantal: I obviously can't share any specific details from our clients. But what I can say is our hackers are sometimes, not very often, able to get into a database full of customer personal information.

That's one of the biggest vulnerabilities we've uncovered. If a criminal hacker were to find that, they could use the personal information of every customer. That's a huge risk.

Obviously, a company is relieved when we find it and it can be fixed.

Qualsys: Can anyone start a bug bounty programme with an ethical hacking group?

Chantal: Our customers are large, mature organisations. That is for a reason.

Before you can start with bug bounties and responsible disclosure, you have to have a certain level of maturity. If you've not done anything about your information security and you start a bug bounty programme, your budget will be blown in 10 minutes. 

That's not what we want for our customers. And it's no fun for our hackers either, because those basic flaws could have been uncovered with a vulnerability scanner.

Qualsys: Why have bug bounties become so popular?

Chantal: They only started in the US in about 2010, so they are fairly new.

They're growing because businesses are digitising and seeing the benefits of paying for vulnerabilities rather than by time. And you can pay for different kinds of hackers to get lots of different views of your online scope, which is a big benefit.

That ultimately makes businesses more secure and reliable.

Qualsys: Can the war with criminal hackers ever be won? Or is it a constant struggle?

Chantal: There will always be vulnerabilities which can be exploited.

As a world, we are developing so much software and so many web applications. Every day releases are made. So vulnerabilities can never be 100% stamped out.

But what I do think is if organisations embrace ethical hacking, we can work together with them to catch those vulnerabilities and make sure they are getting fixed.

I've been at Zerocopter for 4 years now, and things change by the month. It's changing really, really fast now. Having ethical hackers to keep on top of those changes is really important.

Qualsys: What are the main mistakes you see businesses making with their information security? And what tips can you offer for information security professionals?

Chantal: Businesses develop things like software and web applications, and they don't think about security from the start. Security tends to be considered at the end of the process - they're about to go live, they run some pen tests, some vulnerabilities are exposed which need fixing.

And that's it. And it leaves a lot of holes for hackers to get in.

If security is considered from the start, and the whole development cycle is run with security and privacy in mind, we find that vulnerabilities are much more difficult to find.

That is changing, and more and more businesses are recognising that now. 

My tips would be:

1) Train your web developers to be security-conscious from the beginning

2) Rethink your information security strategy. 2 pen tests a year is not going to catch all your vulnerabilities.

3) Think of information security as a continuous process. Consider automated vulnerability scanning - though you only get known vulnerabilities with that - and getting the help of ethical hackers.
