Better safe than sorry was the message behind ‘Meet the hackers’, our workshop on ethical hacking. In the cosy setting of the Mariaburg barn, we got together with Toreon and Intigriti to confront those present with the fact that no infrastructure or application is invincible. Of course, we also made sure that everybody found out how to protect their systems as well as possible.
No data privacy without data security
David Geens, our managing partner, kicked off by stating that there are two types of companies: those who’ve suffered a data breach, and those who don’t yet know that they’ve suffered a data breach. Those in the first group know the problems that a breach can cause, while those unaware of the scale of such a problem had the facts waved in front of them: data security is essential.
Since the consequences of a breach are even greater now that the GDPR has come into force, David insisted on the importance of security by design. Although security should be at the core of the product, it is too often seen as a side issue, so taking it into account from day one is key.
Pentest versus vulnerability scan
Then it was the turn of Toreon’s Sebastien Deleersnyder to explain why penetration testing is necessary for every company. It is more difficult to monitor a system than to breach it, so Toreon reverses the roles. They find the vulnerabilities in your system by conducting penetration tests, after which solutions can be sought.
However, testing a system is not limited to the period before commissioning. Regular tests are mandatory in some sectors, such as companies dealing with credit card data. Penetration tests can also be useful when making a business case, because clear evidence that a hacker can penetrate is certainly more convincing for management than a mere suspicion.
Bug bounty: no cure, no pay?
Bug bounty programs and platforms are particularly popular in the United States, but are also gaining ground in Europe. It’s a great way of constantly testing your infrastructure and applications. Stijn Jans from Intigriti emphasised the importance of looking for errors in a system during every update. Bug bounty platforms are the perfect solution: if an error is found, you pay, whereas in the unlikely event nothing is found, you get off lightly.
Stijn Jans founded Intigriti, a commercial bug bounty platform based on the American HackerOne, about a year ago. Companies can offer projects in which hackers search for errors, and the hacker gets a reward depending on the company and how critical any error found is.
Three speakers with three different views on data security, but all offering a perspective that is indispensable for maximising the security of your system. You first make sure your system is as secure as possible, then carry out penetration tests and expose it to a bug bounty program. Together, these significantly reduce the chance of a data breach. The return on such an investment is potentially high, bearing in mind the recent GDPR legislation.