Computer Security: Go on the Offensive with Ethical Hackers!

Hacking is essentially a creative activity: it involves finding bugs in software or computer systems, sometimes by very original means. Reaching those bugs can take unexpected paths, such as physically breaking into data centers or using social engineering techniques.

In many countries, the term “hacker” is now equated with computer pirate … wrongly. The emergence of the term “ethical hacker” restores balance by giving a name to an often-forgotten population of hackers: those who try to identify computer bugs without malicious intent, either for the beauty of the gesture or to close these loopholes before cyber criminals exploit them.

Roni Carta undoubtedly meets this definition and actively helps companies find errors in their software and systems. He is a bug bounty hunter on the HackerOne platform and also a Senior Security Engineer on the Red Team of the ManoMano site. An interesting journey: “Many organizations encourage ethical hackers to test their code, often through bug bounties,” he explains. “But another phenomenon is beginning to unfold in France: the internalization of these profiles directly into company security teams.”

Bug bounty and pen testing

On the one hand, we find freelancers who take part in bug hunts and are rewarded if successful; on the other hand, in-house teams responsible for testing the organization’s information system (IS).

A bug bounty pays hackers based on their discoveries. But is this model effective? “It all depends on the commitment of companies,” notes Roni Carta. “Are they doing these tests because they’re being forced to, or are they doing it to really protect their information system and employees?”

Pentesting operations (penetration tests) can worry companies, who may fear that their IS will be compromised during these tests. “Companies have a keen interest in establishing a relationship of trust between hackers and their services. Texts like the GDPR [General Data Protection Regulation, editor’s note] have fortunately been instrumental in bringing practices like pentesting into the mainstream. Mindsets are changing.”

IT security still too defensive

Pentesting is now well accepted. However, the internal integration of offensive resources is far from the norm in France. Companies are more used to a defensive than a deliberately offensive approach.

“With ManoMano, the combination of an offensive security team and a bug bounty delivers much better results than traditional approaches,” notes Roni Carta. “Thanks to our bug bounty on HackerOne, we’ve been able to create our own community of ethical hackers, giving us access to a vast knowledge base about attack techniques.”

By favoring the exchange of information, the hacker community itself conducts very effective monitoring, which makes it possible to detect new vulnerabilities and intrusion methods as early as possible. “We need this culture of attack in France. Businesses need to understand the importance of having ethical hackers in their ranks. We must reform this defensive vision and go on the offensive!”