Company: Security and Safety Things
Client in lead: Hainan Hu
Client's role: Chief Security Officer
We talked with Hainan Hu, Chief Security Officer at IoT company Security and Safety Things (S&ST), a startup by Bosch. He is responsible for “all things security”. The company runs a responsible disclosure program and a bug bounty program with Zerocopter, and we asked Hu about his experience with Zerocopter.
Hainan Hu, Chief Security Officer at Security and Safety Things
S&ST builds the operating system for smart cameras that are used to improve the flow of customers through stores, to analyse and improve traffic, and to detect threats such as firearms, unauthorized access and drones that come too close. They also provide the cloud services needed to operate that operating system. “This way, we make sure the whole ecosystem is secure”, says Hu. “It’s not just about ensuring that you’re making your own company more secure, but it goes further. Running a secured business has become a business enabler. If you let (potential) clients know that you are using a responsible disclosure program or running a bug bounty program, it proves to them that you are taking security seriously. Showing you are investing in security leads to new business.”
Proving that your business takes security seriously means investing in programs that find weaknesses in your software before an attacker does. One of the programs Zerocopter provides is a bug bounty: ethical hackers try to penetrate the software you have built and are rewarded for each valid vulnerability they report.
Zerocopter runs a bug bounty program for Security and Safety Things. “I’m a big fan of bug bounty programs,” says Hu. “Simply because I believe it is the closest to how a hacker works in daily life. Your product will be tested all over the world, by people with different skills, who see things from different angles. Major internet players (for example Facebook) pay huge amounts of money for bug bounty programs. But even with a small budget, there’s a big return on investment. You set a limited time or a limited budget that you want to reach. If one of those is reached, your program is finished. By that time, a lot of skilled people, inside and outside of Zerocopter, have tested your product. The impression you get with bug bounty is really valuable.”
Hu: “Zerocopter is a security researcher driven platform. The people in contact with us are all very good security researchers. This is a game changer. Zerocopter knows how a bug bounty program works, but also what a security researcher needs. They understand what a company wants to gain from such a program. This kind of support and understanding is something you rarely get. It’s very impressive.”
According to Hu, there's also a notable change in how security is perceived by businesses: “Before, it would always be seen as a cost center. Nowadays people realise that it is not just a cost center. Security can bring us better opportunities and protect our business from future risks.” Hu also thinks that not only businesses should change their view on security, but employees as well. “One time they introduced me on Slack and said: please welcome our new Security Officer! I noticed all the tiny icons underneath the message: icons of cops and alarms. People still think of security professionals as policemen who will stop you because you’re driving too fast. But this is not the type of security I want to bring to a company! The security professionals shall be the people who sit next to you in the same car, and guide you in the right direction so that you can go faster and more securely.”
Hu continues: “In most cases, a security officer will act as an advisor, to let the owner of the business make well-informed decisions. It’s a question of: how much security is enough? The answer is always: just enough. If the security control costs more than the risk itself, then it is not a reasonable solution. It has to be fixed based on context, and you need to take all factors into consideration. That’s why a security team should be more of an advisor: they should make sure you are well informed. There’s not a master key for everyone.”
This change in how security professionals, and security itself, are perceived also brings more empathy: when a company is breached, the reaction is no longer laughter but sympathy.
Hu says: “Not long ago, a big company got hacked. And instead of people pointing to the board of the company, and laughing at them… Nobody was laughing, nobody was pointing. People started to feel sorry for them, because they realised: it could have been us. They understand: we are all on the same side.”
There’s no way around it: “Security is not only going to be important for a company, but it’s actually going to be top of mind in our daily lives as well. We will think of security as an important and essential part of life - just like water.”
In this handout we zoom in on security in Software Development Life Cycles (SDLCs). Why should you have one, and what can you do to improve it?