Netta Goldberg

Crowdsourcing Cybersecurity: A Talk With Fiverr's CISO, Shahar Maor

Updated: Nov 22, 2020

As the cybersecurity landscape continues to expand and hackers grow more sophisticated, CISOs are increasingly turning to crowdsourced security measures, such as Bug Bounty programs and ethical hacking, to find weaknesses in their defenses before cybercriminals do. We talked to Shahar Maor, our own Chief Information Security Officer, to learn more about such programs Fiverr is currently running to help keep our marketplace and our work environment safe.

Hi Shahar, first can you tell us a bit about you and about the role of CISO in organizations like Fiverr?

Being a Chief Security Officer (CISO) at Fiverr is both super exciting and extremely challenging. Fiverr is a hectic and super dynamic environment with tons of new initiatives. As a CISO, I’m helping support all those initiatives while keeping the company’s assets secure. The same way Fiverr users are a top priority for our business, they are on top of my mind from a security perspective.

How satisfied are you with the level of awareness of information security threats at Fiverr?

Awareness is an ongoing process. Every security training has some kind of “shelf life”. The main challenge as a CISO is to keep employees alert all year long. The best awareness strategy is to perform multiple small training experiences rather than a one-time bootcamp. A key factor for success is usually the target audience. Employees must show a high level of curiosity and cooperation in order for this strategy to work well. Fortunately, Fiverr employees show extraordinary care and interest in security. I often get messages with links to interesting security articles from employees from across the organization. Our constant tests of phishing simulations show very good results, and I hope that this sense of shared responsibility toward security will continue as we grow.

And do we have more structured processes for employees to get involved and help keep Fiverr protected?

So last January we launched The Security Guild. The main motivation for the guild was our acknowledgement that a CISO can’t cover the full length of product activities on his own and needs “boots on the ground” from among the development teams to help him (help them) protect planet Fiverr.

So how many people are on the guild? How did you pick the guild members?

When we thought about creating a security guild we consulted with other companies to better understand what the goals of such an entity should be and what the main challenges are. One piece of feedback we got was that we needed strong sponsorship from the executive management. We asked Gil S, who sponsors the security steering committee, to foster this newborn establishment. Another input was to appoint a senior dev lead as the guild’s chairman. I was very happy when Harel S accepted the role of guild chairman. Harel has helped us focus on the important goals. He also recruited the guild members, hand-picking tech leads and team leads who may fit best. It is important to say that there are many technology employees who take an active role in promoting security at Fiverr. Although many of them are not part of the guild, I am very grateful to have them. Actually, most of the security work is done by employees who were not given a formal security role. Currently we have 11 guild members from various task forces from all dev groups, and we hope to add more members in the future.


Do members of the guild get any rewards for the activity (aside from saving the world of Fiverr, of course…)?

Guild members participate voluntarily. Still, in order to attract them, we have decided to reward them if they achieve certain KPIs, which include participation in 85% of the guild meetings, addressing 100% of all critical vulnerabilities they are accountable for in a timely manner, and others. In exchange for meeting these KPIs, members will be entitled to some perks such as dedicated training in ethical hacking and security tactics, participation in security conferences, recognition in internal channels, a monthly refresher, some exclusive swag and more surprises to come...

And how is the guild helping Fiverr minimize cyber security threats?

The more trained employees we have, the greater our security coverage will be. Guild members know their code best. With the proper security training and mindfulness, they can make a huge impact on the overall level of security. As part of our efforts to increase the help we get from the guild members, we plan to add them to design review meetings as guild focal points. We have also started assigning guild members security tasks in search of bugs in our code.

And I understand we have a similar program for Fiverr users. How is the Fiverr community helping us keep the marketplace safe?

There's no better way to test your code than to let your users play with it. Fiverr users are constantly challenging our marketplace in search of bugs and weaknesses, and have been doing so since the very early days by reporting bugs to customer support. But it was only in January this year that we decided to put an emphasis on a more formal bug bounty program. The main motivation behind it was to increase our visibility into security concerns in our marketplace by allowing real users to perform their own unbiased inspections. Bug bounty programs are very common among the top brands from all sectors. Having a formal program puts Fiverr in the same playground as the other giants and can truly support building higher quality products for our users.

Are the members of our Bug Bounty nominated officially for the part? What qualifies users to become Bug Bounty members?

We don’t pick users to take part in the bug bounty program, nor do we promote it on any formal website. On the other hand, the security researchers who submit bugs are sometimes veterans of other bug bounty programs from across the internet. The vast majority are Fiverr users. In the last year and a half we have had more than 50 bug reports by 31 different reporters. There is no qualification test. Everybody is welcome to search for bugs on our marketplace.


Are the members getting rewarded/credited for their contributions?

In the last 18 months we have given away ~$6000 in rewards. Yes, these guys are not volunteers. They expect to be rewarded for their effort, and this is how things should be. As a matter of fact, bug bounty findings may sometimes save tens of thousands of dollars in extra penetration tests by professional third-party security firms!

Oh, wow. And how are we handling their findings?

Due to the high level of intimacy of our bug bounty researchers, they often find some very serious bugs. Once reported to us, we work with the amazing Eden S. and the rest of the CS team to quickly verify the bug by trying to reproduce it on our own, and report it to the relevant development team. The team is requested to prioritise a fix based on the severity of the bug. Fixing bugs may lead to uncovering deeper issues in our code. The more we dig, the more we find, and the more secure our code becomes.

All in all, it sounds like we have a solid safety net to rely on! In conclusion, can you say how crowdsourced projects such as the guild and Bug Bounty contribute to the overall information security in our organization/marketplace?

Bug bounty programs became very popular because they allow security teams to lean on the wisdom of the crowd to protect their organization. While CISOs can be fixated on patterns and frameworks, bounty researchers are free of boundaries and misconceptions. Many different researchers have many different points of view, different skills and different objectives for testing Fiverr. The accumulation of so many different perspectives contributes to the versatility of the security tests they run and to the variety of bug reports we get. The outcome: a more secure marketplace.
