Go Break It: Mendix and HackerOne Vulnerability Disclosure Program by Frank Baalbergen
Security is never done.
When you’re in a regular software release cadence like we are at Mendix, making our product as secure as possible is a constant, perpetual goal. Security is about trust. It’s about you trusting us to protect you and your customers. Which is why it’s never just “done.”
This continuous pursuit of trust and protection is why we have pursued so many certifications in recent past. It’s also why we’ve popped open the hood of our product to the vulnerability coordination platform of HackerOne and are implementing a vulnerability disclosure program (VDP).
By opening our product to crowd-sourced security, made up of 500,000 of the brightest ethical hackers, pentesters, and cyber security research minds in the world, we’ve put into place a security process that ensures the continuous protection and safety of your and your customers’ data. Which is why I’m pleased to announce that, as of this publishing, our vulnerability disclosure program is public.
What’s fascinating about the world of cyber security is that when you’re cracking code, you’re trying to break an engineer’s way of thinking. You try all sorts of ways to do it until the puzzle is solved. Even though our in-house security measures are great, testing can become an echo chamber if it’s always internal. You know how the engineers work, so you know where to look, and instead of solving the puzzles in different ways, you solve them in just the one or two ways that you know.
One of the biggest benefits of employing HackerOne’s massive community of hackers and infosec experts is diversity. In order to really test the limits of your product’s security, you need to constantly break it to make it better. The diversity of HackerOne’s community ensures that your product can be broken in a myriad of ways. The more you break it, the more secure you can make it.
How it works
According to HackerOne, one-third of well-intentioned hackers who uncover security vulnerabilities in enterprise software do not disclose them to organizations, for fear of personal repercussions. We welcome this information. There will always be vulnerabilities, and they will always be found. We want to ensure that the right people find them first. Which is why we are starting the VDP with HackerOne.
The VDP allows us to uncover unknown assets and establish rules of engagement. It also ensures that we remain compliant with ISO standards and have triage and remediation plans in place.
We’re participating in HackerOne’s Bug Bounty program. This initiative opens up the Mendix Platform in a safe, controlled environment to a community of strongly vetted cybersecurity professionals to find bugs and highlight security exploits and vulnerabilities. In return, these individuals receive compensation and recognition for their work.
The beauty of working with a large community-sourced security platform is that they work with our threat model to report bugs and threats and help respond to them as well.
With HackerOne in our security arsenal, we discover and fix vulnerabilities before they’re exposed to the world.
HackerOne allows us to continuously subject ourselves to security testing. Penetration testing can take a number of days to complete for any given aspect of our product. And even then, you’re just measuring a moment in time, a snapshot. Often it’s just small teams looking for low-severity bugs. With HackerOne’s massive community, we’re giving ourselves continuous security checks to ensure near real-time vulnerability reporting across the software development lifecycle.
What does this mean for you?
No matter how regulated your industry, how highly sensitive your data, you can rest assured that any potential crack in the armor is going to be discovered and resolved before it even becomes an issue.
Using HackerOne allows us to put more checks and balances in place when we release software. We can apply technical controls in our product. The best part is, more security doesn’t mean we slow down. No, we keep the same speed so that you can get the updates and features you need.
Breakers and Makers
When I was growing up, the James Bond film GoldenEye captured my heart. I fell in love with the world of secret agents and the acquiring of top-secret information. Between seeing that movie and now, I’ve cut my teeth on (ethically) revealing security gaps; I’ve obtained a degree in Computer Science; I continue to watch spy films.
Working with HackerOne gives me immense pride. For one, I know our low-code platform is one of the most secure on the globe. Also, I’m able to give back to a community that’s near and dear to my heart. Through HackerOne, hackers and infosec professionals who may be looking for jobs, looking for new challenges and puzzles to solve, having difficulty finding roles within companies, or simply wanting to freelance, are able to establish themselves in the cybersecurity world and earn a paycheck doing it. I’m so pleased to be able to harness the talent of the hacker community while also supporting Mendix customers and Makers.
Pentesting is often a reactive game. You build something, you test it. You fix it. That’s not scalable. With HackerOne, not only are we able to have continuous, third-party pentesting, we’re also able to challenge our R&D team to constantly think more proactively about security, and imbue a sense of data protection in every byte of our product.
Another way of thinking
People think that innovation means making something new. But it’s really about thinking differently.
Security is never done. It’s always important to remain vigilant and keep thinking differently. Which is why we’ve gone public with our VDP. Everyone in the world should implement a responsible disclosure program to ensure the safety of data.
Finally, there’s a generalization that all hackers are nefarious. But, ultimately, the world is a good place. The ethical hacker-powered, community-sourced VDP is a step to ensure that your and your customers’ data is protected. Always.
Even if we have to break things to get there.