This week we had the pleasure of talking to Laurie Mercer, Security Solutions Engineer at the vulnerability coordination and bug bounty platform HackerOne. Security engineers are tasked with designing and building systems that remain dependable against malicious cyber attacks, vulnerabilities, and even natural disasters.
To be a security engineer you need a hybrid of knowledge and experience across several areas of IT. These areas include network engineering, system engineering, and security architecture, but other areas of IT may come into play as well.
Laurie started his IT career in software development and transitioned into penetration testing as his interest in IT Security strengthened. Today, Laurie's focus is on responsible disclosure, vulnerability management, and risk reduction. He has worked in several roles including software, security, and education and has a diverse set of professional experiences.
For example, Laurie has worked on government security projects, including projects for the Chinese government and the British Royal Family. Let us take a look at what Laurie had to say.
How did you get started in the industry?
I’ve been hooked on computers from a young age when I got my very first computer — a blue screen Amstrad!
I spent my teenage years building and breaking Linux boxes and, after reading Computer Science at the University of East Anglia, I began developing software professionally for projects large and small.
At the time I was coding everything from Ruby web apps to real-time communication services in C++ STL. This was 3 years after the “Manifesto for Agile Development” was published and engineering practices, while rapidly changing, were still archaic. My first project had as much documentation as code and the system was updated every year, onto physical servers!
My career as an ethical hacker started rather accidentally. I had just returned from a Chinese language course in Kunming, China, when I was approached by a London based boutique consultancy. They were looking for a fast learner with a background in software engineering: if you can learn Chinese in 3 years, then ethical hacking should be a breeze, they said!
I retrained from a builder to a breaker and worked as a pen-tester for several years, alongside visionary researchers like James Forshaw (now at Google’s Project Zero, the first-ever researcher to be awarded a US$100,000 bug bounty), James Kettle (now head of research at Portswigger) and Black Hat Conference regular, Alex Chapman.
As a “builder turned breaker”, my responsibilities have focused on both testing software and also trying to build security practices into software development teams.
In my current role as a security solutions engineer at HackerOne, I help to run bug bounty programs, coordinating thousands of the world’s best hackers to find vulnerabilities in software developed by companies and open source projects. Rather than having one or two people looking for vulnerabilities once or twice a year, we can leverage thousands of people with diverse skill sets to continuously perform security assessments.
Bug bounty programs have become the number one source of high and critical vulnerabilities, and bounties are being paid out daily — some organizations are offering as much as US$250,000 for a single critical bug.
What do you think are the biggest cybersecurity challenges the world is facing in 2019?
There are many cybersecurity challenges that we will have to overcome this year, and in the years that follow, but I've come up with three main areas.
As a user, I'm concerned that we put our trust in so many different systems and services every day, both in our personal and professional lives. These services may be incredibly beneficial to us, but how can we trust that they are safe and secure?
The scalability of security capabilities is a major concern. We live in a world where the number of digital services is increasing at a seemingly exponential rate. We need to design systems that scale appropriately to the number of people that will be using them now, but also 10 years from now.
In order to trust organizations to manage our data responsibly, we need to build frameworks for them to prove they are secure. At present, some companies are more transparent than others. Even when a company shares the information, sometimes it's hidden layers and layers deep into a website, making it difficult to access. We need to set expectations for security and a process by which organizations can prove they have met these expectations.
How do you see the cybersecurity industry evolving in the next decade?
Hackers are the immune system of the internet. This immune system will grow to a community of millions of hackers, inclusive of security and IT professionals, hobbyist breakers and builders, developers, CISOs, presidents.
As new technology platforms are invented and adopted, new vulnerabilities will be introduced and discovered. Security will foster more collaboration and transparency will breed trust.
What are some simple steps that organizations can take to secure their data?
Have a Vulnerability Disclosure Program. A study recently conducted by the company I work for, HackerOne, found that 94% of the Forbes Global 2000 do not have known vulnerability disclosure policies. This means that there's no way for good-faith security researchers to report the bugs they find. If more companies implemented a Vulnerability Disclosure Program, the future will be safer for everyone.
Implement continuous security testing. New vulnerabilities are discovered all the time and sometimes things are missed. This is why continuous security testing is a must.
What advice would you give to aspiring ethical hackers and security professionals?
- Go to HackerOne and make a profile!
- Watch the Hacker101 training videos.
- Install Burp: A popular and useful tool for testing web application security.
- Complete the Hacker101 Capture The Flag.
- Report some vulnerabilities!
- Learn to code! There is no point in finding vulnerabilities if we can’t fix them!
Together we can build a safer internet!