
HackerOne Integration

A walkthrough covering our new integration with HackerOne. With this integration, our first penetration testing as a service (PTaaS) integration, all of your important HackerOne data can be brought into PlexTrac without fumbling with documents.

Series: PlexTrac MiniDemo Series

Category: Integrations, Pentesting, Product Features


Transcript

All right, so the first thing we’re going to talk about today is our HackerOne integration. And if you’ve not been completely deaf to the industry over the last year and a half, two years, you have definitely been aware of the rise of pen testing as a service. There are many services out there. HackerOne is one that is popular, and the first pen testing as a service integration that PlexTrac is providing. So before I start clicking buttons, Landon, do you have a couple of words on kind of what our approach to this has been?

Yeah. Our goal here was to really help you be able to utilize your bug bounty programs or pen testing as a service tools inside the platform and allow for the same kind of reporting and remediation that you get when you do your traditional pen testing. That was the main thought process that we went through as we were designing this.

And the value, I think, Sean, will be able to show as you go through. But now you can push your triaged bug bounty findings or your pen test service findings from HackerOne into PlexTrac in an automated way. And just one less step for you all as you try and get those reports out. And one more bonus of consistency as you try and deliver your message to your internal folks or your customers.

Outstanding. So one thing that I do want to point out from the get-go is this is an API-level integration. There are no documents or exports required, no imports, no parsing.

Once this is available in your instance of PlexTrac, you’re going to have a new feature in your administration control panel called Integrations. And so click into Integrations. I have my HackerOne demo set up, but this is one integration in a list. And so we have actually delivered a new framework that’s going to provide the foundation for all of our API integrations going forward. You maybe want to touch on that, Landon?

I do. And so what I’ll do is, for all those who are watching here, I want you to think about this as a pattern. Yes, this is the way that it works to import your bug bounty information or the reports that come from HackerOne.

But this could easily be the way that you get your findings from Snyk, or it could easily be the way that you would do an automated integration from a vulnerability management tool or a vuln scanner. So this capability, or this pattern, is something that we’re really leaning heavily into as we continue to invest in our API-level integrations. So just keep that in mind. And I think, Sean, if I recall, for today, we are going to walk through HackerOne, and we can talk a little bit about how it works with Snyk. But the beauty is, when that comes out in the next couple of weeks, it’s going to be the same pattern. It will look very familiar to what we see today, and that is on purpose.

Outstanding.

Setting this up is very simple. You throw it a name. This is an arbitrary string, can be whatever you like, because once again, you’re going to have potentially numerous integrations at the API level, so you want to keep them distinct. Your username and API key, that’s what you’re going to get from HackerOne. Pretty simple. Pop it in there. And actually, if I go ahead and hit save: configured successfully. One thing that I didn’t, I was going to actually tear this down.

But what’s really nice is when you do first initially authenticate, you get a nice success message; lets you know everything’s going smoothly. Something else that we’ve heard from customers with our integrations that have existed at the API level, with Tenable, which is an existing API integration, is having some sort of in-platform method of getting situational awareness on the health of the integration. So part of this new pattern is that we are providing a sync log with these. So if you have questions about the health of the integration, you can simply pop into this sync log and get the success indicators. Hopefully, everything’s going well. If not, you might want to just check your outbound firewall settings. Right.

For the HackerOne integration, we are doing the poll once per hour. All right? And so what is happening is, once per hour, we are going and we are fetching all of the available findings that can be downloaded. We’re going to demonstrate what that looks like coming into a report. But what’s really cool is this other tab here, which is Mapping. And Landon, I’m going to let you actually take a moment or two to talk about how the schema works today and where we’re going in the future.

Yeah, absolutely. So if you look at any kind of integration, the very first step you need to get through, before you think about all the different authentication, etc., is what data goes to what. It’s a giant mapping exercise. And frankly, what we’ve learned from our customers and we’ve learned across the market is one size does not fit all. And so part of the pattern that we’re deploying here is the ability to have you map one field to another from HackerOne, or whatever tool we’re talking about, into a PlexTrac finding entity.

This is the way that we are going to handle that kind of mapping going forward. We want it to be as simple as possible, with as little programming as possible. And then as we continue to invest in our framework, we’re looking at things like, maybe we do more than one unidirectional sync. Maybe it’s bidirectional, maybe it’s the other way. So as we continue to invest down the framework, we’re going to see more capability come here.

Outstanding.

Well, enough of the setup. Let’s actually see this in action. So getting this data into a report is dead simple. If you are at all familiar with PlexTrac, you know that getting a report created is dead simple itself. I’m just going to call this my HackerOne report from today. No need to set up any additional fields for today, but I’ll go ahead and submit that and we will be in a blank report that we can begin pulling findings into. So many of you in the past have used the Add Findings from Tools option to bring things in from our static parsers, from those XMLs or JSONs or Gambles that you can export from other tools.

But now you have this option, From Integrations. So in choosing From Integrations, we see that right now it defaults directly to our HackerOne integration because that’s the only one that I’ve got configured. You’ve got a number of filters that are available for you on the left-hand side that will allow you to drill in and fetch the data from various HackerOne projects and methods of organization that exist within HackerOne. The filters that you see today, these are unique to how the HackerOne integration works. You’ll see the same sort of pattern, though you may see additional or different filters with other integrations based upon how their organizational structure is in their environment. But with no filters applied, you can see that I have four of these findings that are available for me from HackerOne to pull into my PlexTrac report. So I can grab a few of these and then select that I would like to add these to my report.

And when we do that, you now see that we have brought those into a report, just as if you parsed the static integration as well. Now, what’s really cool is if I go back to do that again. So if I go back to Add Findings from Integrations, once again, we’ve got HackerOne as our integration here. And of course, I did not sacrifice my goat to the demo gods. I also forgot to provide my usual disclaimer that we are sharing our beta testing of HackerOne. So don’t be shocked if we see a thing or two that doesn’t quite line up. But what you’ll notice is that I’ve only got two findings available for download right now, and the reason why is I’ve already downloaded the other two. Doesn’t mean that I can’t redownload them.

They’re not available for me. If I come up here and I unclick this button to show HackerOne reports already added, actually, once again, I’ve got the ones here. These are the ones that I’m going to add now. But you’ve got this filtering so that you can see the ones that you’ve brought in or you’ve already pulled into your environment. So adding those additional findings. And now we’re back to all four findings. Everything else from this point forward with the HackerOne integration is the same.

You’ve got a finding in your environment, you can edit it, you can enrich it, you can modify it as you see fit. So, Brian, I know back in your day you didn’t have a whole lot of use of pen testing as a service, but I know you got a lot of friends in the community.

What do you see as far as trends out there, as far as being used in both enterprise and even for consultancies as a service?

Well, the problem is, when you have consultancies or enterprises starting to use multiple platforms, they don’t all integrate together, right? They’re not pulling things together. You’ve got to go to multiple locations just to pull together one report. And so that’s where the value, I think, of PlexTrac in this use case comes into play. It’s that one throat to rule them all, the one ring to, I was going to say throat to choke, but we’re helping things breathe better, if you will. But, yeah, that’s my thoughts on that.

From what I’ve seen, Brian, is that when organizations are outsourcing some of the work to a pentesting service, they’re being very deliberate. They’re choosing their crown jewel assets, the things that they want continuous testing on, they want someone banging away at, because they want to know right away if something is amiss.