Backblaze is responsible for a huge amount of customer, company, and employee data—in fact, we recently announced that we have more than an exabyte under management. With a huge amount of data, however, comes a huge amount of responsibility to protect that data.
This is why our security team works tirelessly to protect our systems. One of the ways in which they safeguard the data we’ve been entrusted with is by working alongside hackers. But these aren’t just any hackers…
Sometimes Hackers Can Be Good
Although it may sound odd at first, hackers have helped us discover and resolve a number of issues in our systems. This is thanks to Backblaze’s collaboration with HackerOne, a platform that crowdsources white hat hackers to test products and alert companies of security issues when they find them. In return, companies award the hacker a bounty. Bounty amounts are carefully outlined based on severity ratings, so when a vulnerability is discovered, it is awarded based on that bounty structure.
Backblaze + HackerOne
Tim Nufire, Chief Security and Cloud Officer at Backblaze, created the company’s HackerOne program back in March 2015. One of the best things a company of our size can do is incentivize hackers around the world to look at our site to help ensure a secure environment. We can’t afford to onboard several hundred hackers as full-time employees, so by running a program like this, we are leveraging the talent of a very broad, diverse group of researchers, all of whom believe in security and are willing to test our systems in an effort to earn a bounty.
How HackerOne Works
When a hacker finds an issue on our site, backup clients, or any other public endpoint, they file a ticket with our security team. The team reviews the ticket and once they have triaged and confirmed that it is a real issue, they pay the hacker a bounty which depends on the severity of the find. The team then files an internal ticket with the engineering team. Once the engineers fix the issue, the security team will check to make sure that the problem was resolved.
To be extra cautious, the team gets a second set of eyes on the issue by asking the hacker to ensure that the vulnerability no longer exists. Once they agree everything is correct and give us the green light, the issue is closed. If you’re interested in learning even more about this process, check out Backblaze’s public bounty page, which offers even more information on our response efficiency, program statistics, policies, and bounty structure.
Moving from Private to Public
Initially, our program was private, which meant that we only worked with hackers we invited into our program. But in April 2019, our team took the program public. This meant that anyone could join our HackerOne program, find security issues, and earn a bounty.
The reasoning behind our decision to make the program public was simple: the more people we encourage to hack our site, the faster we can find and fix problems. And that’s exactly what happened at Backblaze. Thanks to the good guys on HackerOne we are one step ahead of the bad guys.
Some Issues We Resolve, Some We Contest
Let’s take a look at some examples as we work through two ‘classes’ of bugs typically reported by hackers.
One class of bugs that hackers find is Cross-Site Request Forgery (CSRF). A CSRF attack tricks a logged-in user’s browser into making an unwanted change, such as disabling a security feature, on a site the user is authenticated to. CSRF attacks specifically target a user’s settings, not their data, since the attacker has no way to see the response to the forged request. To resolve issues like this, we make changes like adding the SameSite attribute to our cookies, among other techniques. Problem solved!
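As an added illustration (not code from this post or from Backblaze), the following model shows how a browser applies a cookie’s SameSite attribute and why that stops the CSRF pattern just described. Function names are hypothetical and the cookie and request values are constructed.

```javascript
// Added example (not Backblaze's code): a small model of how a browser applies a
// cookie's SameSite attribute, and why that stops the CSRF pattern described above.
// All function names and cookie values here are hypothetical/constructed.

// Build a hardened Set-Cookie header for a session cookie.
function sessionCookieHeader(name, value, sameSite = "Lax") {
  if (!["Strict", "Lax", "None"].includes(sameSite)) throw new Error("bad SameSite value");
  // SameSite=None is only honoured by browsers when Secure is also present.
  return [`${name}=${value}`, "Path=/", "HttpOnly", "Secure", `SameSite=${sameSite}`].join("; ");
}

// Read the SameSite mode from a Set-Cookie header; null when the attribute is absent.
function sameSiteOf(setCookie) {
  const m = /(?:^|;\s*)SameSite=(Strict|Lax|None)(?:;|$)/i.exec(setCookie);
  return m ? m[1][0].toUpperCase() + m[1].slice(1).toLowerCase() : null;
}

// Would the browser attach this cookie to the request?
// req = { method, crossSite: boolean, topLevelNavigation: boolean }
function cookieSent(setCookie, req) {
  if (!req.crossSite) return true;                 // same-site requests always carry it
  const mode = sameSiteOf(setCookie);
  if (mode === null) return true;                  // legacy (pre-2020) behaviour: sent cross-site, which is what CSRF relies on
  if (mode === "Strict") return false;             // never sent cross-site
  if (mode === "None") return /(?:^|;\s*)Secure(?:;|$)/i.test(setCookie);
  // Lax: sent cross-site only on top-level navigations using a safe method (GET/HEAD),
  // so state-changing GET endpoints remain a risk even with Lax.
  return req.topLevelNavigation && ["GET", "HEAD"].includes(req.method.toUpperCase());
}

// Server side: a settings endpoint that only applies the change when the request
// arrived with the session cookie. Returns true if the change would have happened.
function settingsChangeApplied(setCookie, req) {
  return cookieSent(setCookie, req);               // no cookie => treated as anonymous, nothing changes
}

// Scenario from the post: a page on another site submits a POST form that tries to
// disable a security setting while the victim is logged in.
const forgedPost  = { method: "POST", crossSite: true,  topLevelNavigation: true };
const genuinePost = { method: "POST", crossSite: false, topLevelNavigation: false };

const legacyCookie   = "session=abc123; Path=/; HttpOnly; Secure";   // no SameSite attribute
const hardenedCookie = sessionCookieHeader("session", "abc123", "Lax");

console.log(settingsChangeApplied(legacyCookie, forgedPost));    // true  -> forged request succeeds
console.log(settingsChangeApplied(hardenedCookie, forgedPost));  // false -> cookie withheld, change blocked
console.log(settingsChangeApplied(hardenedCookie, genuinePost)); // true  -> legitimate use unaffected
```

SameSite is a defence-in-depth layer, not a replacement for per-request anti-CSRF tokens, which is why the post says “among other techniques.”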
But sometimes making changes on our end isn’t the right response. Another class of “vulnerabilities” that hackers are quick to point out is “Information Disclosure” related to software versions or other system components. However, Backblaze does not see this as a vulnerability. “Security through obscurity” is not good security, so we intentionally make information like this visible and encourage hackers to use it to find holes in our defenses. It’s our belief that, by being as open with our community as possible, we’re more secure than we would be by hiding details about how our systems are configured.
We call attention to these two examples specifically because they underline one of the most interesting aspects of working with HackerOne: deciding when something is truly an issue that needs fixing, and when it is not.
Help Us Decide!
HackerOne has proven to be a great resource to scale our security efforts, but we’re missing one thing: a capable new team member to lead this program at Backblaze! Yes, we are hiring an application security manager.
Among other interesting tasks, whoever fills the role will be responsible for triaging and prioritizing the issues identified through the HackerOne platform. This is a new role for us which was identified as a must-have by our security team because Backblaze is growing quickly.
Security has been our top priority since day one, but as our company scales and the amount of data that we store increases, we need someone who can help us navigate that growth. As Tim Nufire points out, “Growth makes us a bigger target, so we need a stronger defense.”
The application security manager will not only have the opportunity to apply their security knowledge, but they will also have the unique chance to shape a security team at a growing, successful, and sustainable company. We think that sounds pretty exciting.
Who We Are Looking For
If you are someone who has years of experience in the security field, but hasn’t had the chance to take charge and lead a team, then this is your opportunity! We are looking for someone who is an expert in application layer security and is willing to teach us what we don’t know.
We need someone who is not afraid to roll up their sleeves and get to work even when there is no clear direction given. There are a couple of technical skills that we hope the new hire would have (like Burp Suite), but the most important qualities are being hands-on and having organizational management skills. This is because the application security manager will formulate strategy and build a roadmap for the team moving forward. If that excites you as much as it excites us, feel free to send your resume to firstname.lastname@example.org or apply online here.
And of course, we are always looking for more white hat hackers to test our site. If you can’t join us in the office, then join us on HackerOne to help discover and resolve potential vulnerabilities. We look forward to hearing from you!