In five years, Mårten Mickos, CEO at HackerOne predicts that we’ll see the first hacker pass the $10 million in earnings mark. With increased competition, he says that bounty prices continue to rise and more and more businesses will be offering these types of programs.
With such an immense opportunity for innovation, it’s clear that we’re going to need ethical hackers to help secure these advances in technology. We spoke to a few members of the global HackerOne community about what they think is happening in the market and what to expect in 2021 and beyond.
Julien Ahrens a.k.a @MrTuxracer; Germany
What do you think will be the biggest threat to businesses in the next year?
We’re going to see an influx of attacks, especially against those who have just begun digitizing. One thing that particularly concerns me is the enormous speed of government institutions, like schools, that are moving everything online. They had to build systems and processes with very little time, which is never a good thing when it comes to security.
What poses the greatest risk next year?
Social engineering these attacks against people who aren’t sufficiently guarded and aware will massively increase because companies won’t have had the time to sufficiently educate their employees about the threat.
Are attitudes to working with hackers becoming more positive?
Absolutely! Due to the growing awareness, especially in the media, of hackers finding and fixing bugs, businesses are becoming more aware of the fact that guys like me could actually help them.
James Kettle a.k.a @albinowax; UK
What’s changed for you this year?
I've seen a significant increase in mitigations against the biggest vulnerability classes. From same-site cookies being enabled by default in browsers, to Amazon releasing HTTP Desync Guardian, hackers are increasingly having to work around roadblocks bigger than poorly-maintained WAF regexes.
What vulnerability trends do you expect to emerge in 2021?
We’ll see more people exploiting discrepancies between multi-server applications, through the likes of request smuggling, parameter pollution and path normalization exploits.
What about new techniques?
There's a long tail of esoteric techniques that hardly anyone bothers with because they can achieve better results using well-understood, lower-effort attacks. As the classic attacks get mitigated and picked off by automated scanners, I think we'll see a gradual trend of hackers embracing the obscure - business logic flaws, race conditions, timing attack and convoluted attack chains in general.
Shubham Shah a.k.a @notnaffy; Australia
What vulnerability trends do you see emerging next year? Anything that is impacting your region specifically?
In APAC, we are still embracing the cloud-first approach and, with the shift to the cloud, I expect to see companies adopting newer technologies to orchestrate the deployment of critical applications and services. With new technologies and methodologies being adopted, there are usually misconfigurations and missteps along the way that may lead to vulnerabilities.
Which industries will be most at risk next year?
As we have seen in the last quarter of 2020, attackers are targeting companies that store critical information (medical records) or host critical infrastructure (hospitals) in order to achieve their goals from ransomware attacks. Unfortunately, I believe this trend will continue, with a total disregard of morals, targeting industries or companies that service the most vulnerable people in our society.
This is a grim outlook on the future, but given the pace of current attackers, I would not be surprised if infrastructure that is critical to our livelihoods is targeted (SCADA systems, Telco's, Healthcare, Education).
How are attitudes to working with hackers changing in your experience?
We are now seeing large corporations embrace security vulnerabilities from researchers as a core part of their security processes. I still think there is a long way to go as there are a large number of organizations that provide critical infrastructure to our communities that have not yet established vulnerability disclosure programs or bug bounties.
Samuel Eng a.k.a @Samengmg; Singapore
What has changed in your hacking experience this year?
Due to the COVID-19 pandemic, I’ve seen an influx of bug bounty hunters in various programs. I noticed that many programs hardened really quickly at the start of the pandemic, especially common vulnerability classes such as XSS, SQL Injections and basic authentication bypasses.
What do you think will be the biggest security threats to businesses and government agencies in the next year?
I still find many authentication bypasses and access control issues, which I think continue to have a significant impact on any company. This will probably continue since the issue is based on the context of the application. Scanners do not pick up these issues hence the need to have experienced and trained eyes looking for them.
What vulnerability trends do you see emerging next year?
OTP bypasses tend to be quite prominent in APAC; 2FA is a compliance requirement that has rapidly emerged in APAC, and this means developers tend to roll out these features quickly but not securely. On the other hand, previously common vulnerabilities such as CSRF or SQL Injection will be reduced due to frameworks adopting secure default settings.
Jack Cable a.k.a. @CableJ; USA
What has been the biggest change in your experience this year?
The past year has seen a sea change in the manner government and election-related organizations engage hackers. With the Cybersecurity and Infrastructure Security Agency’s (CISA) Binding Operational Directive 20-01, all federal civilian executive branch agencies are now required to launch vulnerability disclosure policies, providing legal protection to security researchers who report vulnerabilities.
This crucial action will allow the government to receive security feedback from outside individuals, enabling agencies to better understand and patch their weaknesses.
Any thoughts on hacker engagement around the US elections?
Both companies and governments around the election have taken steps to engage hackers. The Ohio and Iowa Secretaries of State both launched vulnerability disclosure policies, being the first of many more to come to foster security research on their public election systems.
Likewise, the major voting vendors have all launched vulnerability disclosure policies, which is the first step in repairing traditionally-strained relationships with the hacker community.