Development teams are already under stress to innovate faster and in more areas, and that's just to stay ahead of the competition. It adds even more stress when you start to include the demands of security in their workflow. But with hacker-powered security becoming a must-have for security teams, it is inevitable that security becomes more tightly integrated into the software development lifecycle (SDLC). At HackerOne, we're working to make that integration as seamless as possible.
Innovative organizations like Assembla and GitLab are taking a proactive approach to closing their security gaps by connecting their hacker-powered security programs into their SDLC. Even though bug bounty programs, vulnerability disclosure policies, and hacker-powered pentests identify gaps after code is committed, the resulting vulnerability reports can help developers and engineers identify ways to close future gaps before they’re released.
But nearly every engineering and development team already has a workflow in place, along with the tools necessary to manage that workflow. The more security teams can do to reduce the disruption to the SDLC, the more developers can focus on closing security gaps before they make it through the SDLC. What’s more, working with industry standards and best practices further ensures developers can quickly understand and act on the information presented to them by the security team.
Building on a Standard CWE Foundation
Vulnerability reports on the HackerOne platform are all assigned a type based on the industry-standard Common Weakness Enumeration (CWE). This helps security and development teams use a common language when discussing bug types and the eventual mitigation and prevention tactics. It’s a taxonomy that’s well known and understood and it eliminates the need for a new and potentially confusing set of categorizations.
Using CWE means less time for triage, validation, and prioritization of incoming bug reports. Downstream, it means developers and engineers quickly understand what they’re dealing with. And, it means that bug reports coming from HackerOne can be easily consumed and managed by downstream bug tracking, project management, and ticketing systems already in place.
Integrating with Popular Dev Tools
As bug reports are merged into the SDLC, it’s obviously less disruptive to have that information integrated directly into the tools your developers—and other teams—are already using. These include the aforementioned bug tracking, project management, and ticketing systems, but also version control, repository, collaboration, communication, and support tools.
HackerOne offers pre-built integrations into the most popular tools used across the SDLC, from Jira and Assembla to Bugzilla and MantisBT, to GitLab and GitHub. We also integrate with Slack to remove even more friction when teams are collaborating and communicating as they’re working to fix bugs and close security gaps.
Our Jira integration, for example, syncs information between a HackerOne report and the issue record within Jira. You can then sync workflows from Jira to HackerOne and vice versa, which helps development and security teams stay aligned. It also helps formalize and standardize your process for addressing security vulnerabilities, and helps eliminate any tedious data entry and potential for human error.
Remember, also, that those “other teams” include additional sources from which vulnerability reports might originate. Issues might be identified by customers or by random website visitors unfamiliar with how formal security disclosure processes operate. That generally leaves customer support and customer service to handle incoming reports, which are then typically captured in a related system.
HackerOne also offers integrations with popular customer support systems, such as Freshdesk, ServiceNow, and Zendesk. This helps get potential security issues to the right teams faster and helps customer-facing teams ask the right questions and capture the right information.
APIs for Bug Data, How and Where You Like
Beyond integrating bug and report data into your SDLC, it’s important to track the effectiveness of your security efforts. Metrics to track time to resolution, efficiency, severity trends, internal performance, and more can provide valuable information for improving your approach to security and helping developers hone their strategies for reducing vulnerabilities throughout the SDLC.
The HackerOne API provides access to raw vulnerability and report data which allows teams to build custom dashboards. It even works across all apps and can be used to combine data from multiple apps into a single dashboard or report. This gives deeper visibility into the effectiveness of security efforts and allows for ad hoc or custom analysis into your programs.
For example, bug data can be used to determine who to assign to a submission based on the contents of the report and then automatically route each report to the proper owner. Report data can be instantly uploaded into your bug tracker to streamline the process for escalating a bug to your engineering team. Or, raw report data can be used to calculate internal performance metrics for your bug bounty program.
Whatever the case, the HackerOne API gives you programmatic access to all of your submissions and activities. It also enables you to create full backups of your data and move it to other systems for further analysis or use.
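To make the two ideas above concrete, the CWE tagging described under "Building on a Standard CWE Foundation" and the metrics, routing and export uses of the API described in this section, here is an added example in Python. It is not HackerOne's code and does not call the HackerOne API. SAMPLE_EXPORT is a constructed stand-in for a JSON report export; its record shape and field names (attributes, relationships.severity.rating, relationships.weakness.external_id) are assumptions, not a documented schema, and the OWNERS routing table and team names are hypothetical. The code normalizes the export into flat records, computes median time-to-triage and time-to-resolution per severity or per CWE (skipping reports that have not reached that stage, so open reports never flatter the numbers), counts weakness types as input for developer training, and routes each report to an owner by severity and CWE.

```python
"""Program metrics and report routing from exported vulnerability-report data.

Example code added to this page, not HackerOne's code. SAMPLE_EXPORT is a
constructed stand-in for a JSON report export; its field names are assumptions
loosely modelled on a JSON:API-style response, not a documented schema.
Adapt parse_export() to the real export before use.
"""
from __future__ import annotations

import json
import statistics
from collections import Counter, defaultdict
from dataclasses import dataclass
from datetime import datetime
from typing import Optional


def _record(rid, title, state, rating, cwe, created, triaged=None, closed=None):
    """Build one constructed export record in the assumed nested shape."""
    return {"id": rid, "type": "report",
            "attributes": {"title": title, "state": state, "created_at": created,
                           "triaged_at": triaged, "closed_at": closed},
            "relationships": {
                "severity": {"data": {"attributes": {"rating": rating}}},
                "weakness": {"data": {"attributes": {"external_id": cwe}}}}}


# Constructed sample: four reports at different stages of the workflow.
SAMPLE_EXPORT = json.dumps({"data": [
    _record("1001", "Stored XSS in profile bio", "resolved", "high", "cwe-79",
            "2020-03-01T10:00:00Z", "2020-03-02T09:30:00Z", "2020-03-08T16:00:00Z"),
    _record("1002", "SQL injection in search", "resolved", "critical", "cwe-89",
            "2020-03-03T08:00:00Z", "2020-03-03T10:00:00Z", "2020-03-05T08:00:00Z"),
    _record("1003", "IDOR on invoice download", "triaged", "medium", "cwe-639",
            "2020-03-04T12:00:00Z", "2020-03-06T12:00:00Z", None),
    _record("1004", "Reflected XSS in search", "resolved", "high", "cwe-79",
            "2020-03-05T00:00:00Z", None, "2020-03-09T12:00:00Z"),
]})


@dataclass(frozen=True)
class Report:
    report_id: str
    title: str
    state: str
    severity: str           # none / low / medium / high / critical
    cwe: Optional[str]      # CWE identifier such as "cwe-79", or None if untyped
    created_at: datetime
    triaged_at: Optional[datetime]
    closed_at: Optional[datetime]


def _ts(value: Optional[str]) -> Optional[datetime]:
    """Parse an ISO-8601 UTC timestamp ending in "Z"; None stays None."""
    return None if value is None else datetime.fromisoformat(value.replace("Z", "+00:00"))


def parse_export(raw: str) -> list[Report]:
    """Normalise the nested (assumed) export shape into flat Report records."""
    reports = []
    for item in json.loads(raw)["data"]:
        attrs = item["attributes"]
        rel = item.get("relationships", {})
        rating = rel.get("severity", {}).get("data", {}).get("attributes", {}).get("rating", "none")
        cwe = rel.get("weakness", {}).get("data", {}).get("attributes", {}).get("external_id")
        reports.append(Report(item["id"], attrs["title"], attrs["state"], rating, cwe,
                              _ts(attrs["created_at"]), _ts(attrs.get("triaged_at")),
                              _ts(attrs.get("closed_at"))))
    return reports


def median_days(reports: list[Report], end_field: str, group_by: str = "severity") -> dict[str, float]:
    """Median days from created_at to end_field ("triaged_at" or "closed_at"),
    grouped by a Report attribute. Reports that have not reached that stage are
    skipped rather than counted as zero, so open reports do not skew the metric."""
    buckets: dict[str, list[float]] = defaultdict(list)
    for r in reports:
        end = getattr(r, end_field)
        if end is not None:
            buckets[str(getattr(r, group_by))].append((end - r.created_at).total_seconds() / 86400)
    return {k: statistics.median(v) for k, v in buckets.items()}


def weakness_counts(reports: list[Report]) -> Counter:
    """How often each CWE shows up: the input for targeted developer training."""
    return Counter(r.cwe or "untyped" for r in reports)


# Hypothetical routing table: CWE -> owning team, plus an escalation owner.
OWNERS = {"cwe-79": "team-web-frontend", "cwe-89": "team-data-platform",
          "escalation": "security-oncall"}


def route(report: Report, owners: dict[str, str] = OWNERS, fallback: str = "security-triage") -> str:
    """Pick an owner: criticals go to escalation, otherwise by CWE, else to triage."""
    if report.severity == "critical":
        return owners.get("escalation", fallback)
    return owners.get(report.cwe or "", fallback)


if __name__ == "__main__":
    reports = parse_export(SAMPLE_EXPORT)
    print("median days to triage by severity:", median_days(reports, "triaged_at"))
    print("median days to resolution by CWE:", median_days(reports, "closed_at", "cwe"))
    print("weakness counts:", weakness_counts(reports))
    for r in reports:
        print(r.report_id, r.severity, r.cwe, "->", route(r))
```

Because the metrics are keyed on the CWE identifier rather than on free-text titles, the same grouping works whether the reports came from a bounty program, a pentest, or a customer-support ticket, and the routing table stays small: a new weakness class only needs one new CWE-to-team entry.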
Integrate HackerOne Into Your SDLC
More and more, the SDLC is becoming less linear and more continuous. Feedback from customers, pressure from competitors, and visibility into and concerns around security are all critical pieces of a technology's development. Here are just a few areas where the data gleaned from your security efforts can provide value beyond the resolution of the offending vulnerability:
- Highlight areas where additional developer training might be required.
- Improve development requirements to add security and testing efforts into the process.
- Identify insecure coding practices, architecture risks, design flaws, and other foundational elements that may be contributing to security gaps.
- Create opportunities for dynamic testing in sandbox and dev environments, giving faster feedback loops and fewer bugs advancing to production.
Vulnerability reports provide a wealth of data on your products and your development process. But only if that data is accessible and put to use.