At RSA Conference 2022, HackerOne announced OpenASM, an initiative that combines scan data from customers’ attack surface management (ASM) tools with security testing efforts.
Attack surface scans can be used to better set scopes for bug bounties, penetration tests, and vulnerability disclosure programs. In addition, ethical hackers can enrich, risk rank, and prioritize assets, helping organizations reduce risk more effectively.
At the core of the initiative is HackerOne Assets, itself an ASM product and integrated into the HackerOne Platform. Scan data from many ASM products can be imported into the asset database at the core of the HackerOne Platform. OpenASM will initially support AssetNote, Darktrace (Cybersprint), Hadrian, Palo Alto Cortex Xpanse, and Project Discovery. OpenASM will also support CSV and JSON import for customers with homegrown attack surface inventory tools. Additionally, HackerOne is working with its partner, SecurityScorecard, on how to deal with the extended supply chain attack surface.
Behind this initiative is research from HackerOne on the existence of an attack resistance gap between what organizations can protect and what they need to protect. One-third of organizations said they monitor less than 75% of their attack surface and almost 20% believe that over half of their attack surface is unknown or not observable. OpenASM reduces the likelihood of missing critical issues by eliminating the need for manual or outmoded asset inventory and automates defining testing scope.
“OpenASM increases the value of customers’ established ASM tools,” explained Ashish Warty, SVP of Engineering at HackerOne. “Our customers often use more than one ASM vendor and need to unify the data from those vendors to expand the scope for penetration tests, security assessments, and bug bounties. Ethical hackers can then enrich and triage the attack surface data, freeing up internal resources and giving organizations a better picture of their risk.”
“We look forward to furthering our collaboration with HackerOne to help organizations understand their extended attack surface,” said Alex Rich, VP of Alliances at SecurityScorecard. “Our recently-launched Attack Surface Intelligence (ASI) module helps security teams leverage SecurityScorecard’s rich data lake to visualize their attack surface, including third-party vendors, and prioritize their most critical vulnerabilities”
“OpenASM is another way HackerOne shows its commitment to building an innovative and synergetic security ecosystem,” said Rogier Fischer, CEO of Hadrian. “It is an amazing opportunity to provide the best value to our shared customers. Combining the expertise of millions of security experts with Hadrian’s automation platform and large datasets, gives the customer more, and higher quality, insights into their security posture.”
OpenASM will also be a feature of HackerOne’s new Assets product that will be available later this year.