I am pleased to announce Sequoia’s new bug bounty program, which will be an important addition to our security testing program. Before I joined Sequoia, the security team leveraged the following methodologies for application testing:
- Static Application Security Testing (SAST): SAST involves the testing of an application from the inside out. This method includes scanning source code, byte code, or application binaries for vulnerabilities.
- Dynamic Application Security Testing (DAST): DAST is the testing of an application from the outside in. This type of testing is done on a running application using a tool, and in some cases, human expertise is added on top of the penetration testing software.
- Third Party Penetration Testing: This approach leverages an outside firm to test a product as an additional security measure.
All of these testing approaches represent core components of a mature security program. Below, I’ll discuss our approach to DAST and SAST in more detail and explain why Sequoia has now chosen to partner with a Bug Bounty vendor to supplement our security testing process. I have shared this strategy at other companies and found it effective.
Sequoia’s Approach to SAST and DAST
Sequoia’s approach to security testing has included both SAST and DAST methodologies. From a SAST standpoint, we would regularly scan our source code or application binaries using some of the leading scanning products while leveraging a security engineer to validate the scanner’s results.
Our approach to DAST scanning is equally important. Sequoia uses industry-leading tools to dynamically test our products. The benefit of DAST is that it allows us to identify the most common security issues in a platform. Like SAST results, DAST findings must be validated by a security engineer.
Both SAST and DAST methodologies require significant time from security experts to validate the reported vulnerabilities. Even with significant tuning of the scanners, security engineers are still required to weed out false positives.
Third Party Application Testing
In addition to running our own tools, Sequoia engages a third-party vendor to perform the same testing. Third-party application testing companies utilize a combination of skilled security teams, customized scanning tools, and proprietary methodologies to test applications. To further enhance the effectiveness of external testing, we rotate vendors periodically to benefit from different approaches. Results from these tests can be applied in a variety of ways, but we use them to assure our customers that we have done a reasonable amount of testing on our software.
While using a pen-testing firm is an important component of any company’s security program, companies should be aware that there are some potential limitations as well:
- A Uniform Testing Approach: A pen-test firm may use a particular approach to testing over time, and that approach may not provide a comprehensive test.
- Testing Fatigue: The individual testers can get too comfortable with your application and begin to make assumptions from previous tests. They may not thoroughly test areas of the software that they deemed secure in a prior test.
- Windows of Exposure: The costs of these tests are significant, so most companies will perform the tests annually. This leaves a lot of time between tests where vulnerabilities could be introduced into your source code.
- Humans Alone Cannot Scale: Testing companies, just like internal security teams, are limited to the skillset of their employees. There are too many technologies to have an expert in all application areas.
Crowdsourcing Security Testing
Given the factors above, we at Sequoia have decided to enhance our security program further by leveraging a crowdsourcing approach. Crowdsourced security testing via a bug bounty program is a popular approach to testing. Introducing this additional layer of testing allows a broader group of individuals with different skills to test your software. Many companies offer a bounty for security vulnerabilities reported by their users. This approach incentivizes more people to find issues so that they can be eliminated.
I am pleased to announce Sequoia’s partnership with HackerOne to run our private Bug Bounty program and offer a structured approach to crowdsourced testing. Their approach includes:
- Highly-skilled researchers (testers) – HackerOne’s model is to provide researchers that they vet for skill and trustworthiness before they’re admitted to the platform. Since HackerOne selects researchers based on areas of expertise, they are able to offer a more comprehensive and diverse range of skillsets.
- Actionable results, not alerts – HackerOne’s services include having their own internal operations team review results before they are shared with the Sequoia team. This helps to eliminate false positives so that more attention can be given to true threats.
As Sequoia’s CISO, I am excited to bring a private Bug Bounty program to our security portfolio. With more security professionals testing our product, we will be able to deliver a higher level of security through a scaled approach for both Sequoia and our clients.
This is not a public bug bounty program. If you are interested in participating, contact HackerOne to be enrolled in their program. We will not accept any submissions that are not vetted through HackerOne.
Please feel free to direct questions to security@sequoia.com.