So you built a red-team, why are you still awake?

One of my highest-priority goals as CISO of a well-funded startup was to build out a red team: a team of highly skilled security engineers whose one job is to hack into internal systems. Having descended into the chaos of what I would call an embodiment of the inner workings of an ADHD sufferer, I found it impossible to keep my prized red team focused on any one system for long enough. This is a recurring dilemma for anyone dealing with information security. A vulnerability assessment is only as good as the knowledge and code at the one moment in time when it takes place. A week after the VA, there may be a new bug in the database, a new buggy deployment in the source code or a messed-up firewall rule that renders your VA obsolete. Don’t get me wrong, VAs are absolutely important; it’s just that they are very transient in nature, which again is the bane of any CISO who has to explain them to the board or shareholders.
The bigger our startup grew, the more like a sitting duck I felt. Developers increased, products increased and soon my red team was having scheduling problems, with everyone clamoring for a VA before their product launched. We soon began to feel like product blockers. All the good intentions were wiped out because we were not only unable to keep pace with the product launches, but we would also have to send back a fair number of products to their owners for bug fixing, and then, come re-testing time, there would be no free slots, which meant additional waiting before launch. So on the third consecutive frantic call from a product manager telling me that his product launch was delayed, I retreated to figure out what to do.
There were many ways to solve the problem I faced, but in the end I selected one. We take a three-step approach:
- Educate: Build an internal knowledge base of common security issues that we found while testing products previously. Document as much as possible and help the developers understand how not to repeat these mistakes.
- Big guns for big launches: We use the red team only to test the first product deployment and not the re-tests; we prioritize the testing pipeline towards high-stakes, high-impact, higher-revenue-generating projects.
- Crowdsource the rest: The crowdsourced-security debate is ongoing, with fairly divided camps. I was one of the non-believers until I literally had no choice but to try it. So what is it? We run a bug bounty continuously on the already-live projects and invite security researchers from around the globe to attack us and report bugs to us in exchange for a bounty ranging from a t-shirt to several thousand dollars.
While at my startup, we picked a well-established, albeit pricey, option for running our bug bounty. It worked very well and at the same time I learned a lot. One of the key things I liked about the approach, beyond getting all the required security coverage, was how the program gave new researchers a platform to perfect their interaction, presentation and reporting skills. Having also worn a consultant hat many years ago, I used to find that all-round security engineers were rare. Almost all of them shied away from talking to people and many of them had difficulty writing reports. As a consultant, your customer pays you for a report; they don’t care that you used custom tools or your own 0-days when you pwned their systems, they care how it is presented and what action they can take afterwards. So looking at the bug bounty platforms, I see a tremendous opportunity to help security engineers who are starting out.
So after I left the startup, I decided to build my own bug bounty platform. Roping in two of my good friends and fellow information security researchers, we set about building it with the idea of launching in Indonesia, Singapore, and Malaysia. With due homage to the red team, we christened it RedStorm, and it is due to launch by the end of the year. Having lived in Indonesia for 8 years, I found a tremendous amount of raw talent among information security researchers. We’re hoping that we can help hone this raw talent into well-rounded, elite infosec researchers in the coming years. We want to run it tailored slightly more towards the region, with emphasis on a higher-touch engagement where you get a dedicated program manager, almost as an extension of your existing team. I’ll take you through our journey as we launch and share with you what we learn, where we fail, and where we improve.
