HackerOne Removes Barriers to Strong Security with Okta

Growing far and wide

HackerOne is the #1 hacker-powered pentest & bug bounty platform. It’s mission is to empower the world to build a safer internet. It does this by helping organizations of all sizes—from start-ups to governments—find weak spots in their systems in order to prevent potentially disastrous breaches.

The company does this by managing a bug bounty platform that bridges the gap between independent ethical hackers and HackerOne’s 1,500 customers—which include the U.S. Department of Defense, Singapore Ministry of Defense, Uber, Google, Goldman Sachs, Airbnb, and Starbucks, to name a few. Through this platform, hackers are hired to search for vulnerabilities in exchange for monetary rewards known as bounties.

HackerOne’s success has been driving rapid growth for a couple of years now, beginning with a leap from 60 to 220 employees in just 18 months. With so many new users who need to be up and running on Day 1, the IT team was spending too much time on provisioning and deprovisioning.

“The two most time consuming tasks that generally come to mind is onboarding and offboarding,” says Aaron Zander, head of IT at HackerOne. “They're the most complex things that you do for a user. You have to create a new user, assign all their applications, and then complete some mix of data entry—checking boxes, choosing tools. For offboarding, you have to do the reverse, which is usually far trickier.”

Before working with Okta, the company’s previous SAML provider and source of truth for employee identity required all identity information to be entered manually. HackerOne has to house users in two different instances—one for employees, and one for contractors—and it was difficult to manage both without a single point of truth.

For the company’s lean IT team, it was becoming increasingly difficult to efficiently and securely manage its growing workforce, especially given the limited visibility into user activity.

Guesswork and workarounds

HackerOne alleviated some of this workload by using scripts to build users in their IdP, but it wasn’t enough. Users would automatically receive a handful of apps, but most of the process was still manual.

“The biggest issue was a lack of automation,” says Zander. “People still needed to manually log into a lot of separate applications. And if an administrator didn't know off the top of their head which apps a user would need, they had to look up another similar user to find out. Even then, they were assuming that the two users belonged in the same group for the same reason—and that’s not always correct.”

In order to solve these issues, the company needed to build a centralized, consistent IT infrastructure with a strong identity provider at its core.

“For new tech companies that aren’t rooted into a historic active directory system, identity is often the best place to establish a source of truth for all of your employees,” says Zander. “Even if we moved to a better human resources system, we’d still need something that would provide a holistic view into all our user data.”

Finding the right fit

As the company began searching for an identity partner, it established a number of key requirements. The very nature of HackerOne’s business makes the security of its customers an obvious priority.

“Over 130,000 vulnerabilities have been sourced through our platform,” says Zander. “What it really means for our customers is that we have 130,000 nightmares stored in our databases.”

It’s a massive responsibility that HackerOne has always taken very seriously. But the company also wanted to ensure that an increase in security caused minimal disruption for its employees.

“IT is an interface between human resources, security, and employees,” says Zander. “We link all that together and empower employees to be as efficient as they need to be—within the security boundaries we’ve established to keep our team and our customers safe. At the end of the day, our goal is to make sure that as we grow, our employees are able to do their job at the right pace.”

To maintain productivity, HackerOne would also need to provide employees and contractors with the flexibility to work securely from anywhere. “We need to be able to accomodate people working from different environments, not just a corporate office or a WeWork or a specific location, but their homes too,” says Zander. “Maybe they're traveling. Maybe they're nomadic. We try to enable people to work however they want to work, wherever they want to work.”

The most urgent requirement, however, was a capacity for automation. That’s what ultimately led HackerOne to Okta. The company was considering a number of service providers, but Okta’s uncompromising focus on identity stood out.

“We needed to make sure that identity was always going to be at the forefront of whatever tool we had because that's where the automation was going to come from,” says Zander. “Compared to all the other tools in a similar market space, Okta is continually at the forefront. It’s always trying to improve the ecosystem, and Okta’s user interface maps and works in a way that a lot of people's brains work. Some of the other tools out there don't quite hit that mark.”

A solid user base

After deciding to establish Okta as its identity provider, HackerOne purchased Okta’s Workforce Identity products including Universal Directory, Single Sign-On (SSO), Adaptive Multi-Factor Authentication (MFA), and Lifecycle Management.

The company set up BambooHR as a master, then integrated Universal Directory so that users could be sorted easily into the correct G Suite or Salesforce instance. Then HackerOne’s IT team spent about a month working with multiple departments, especially HR, but also other departments like Sales to establish an identity format that could be used for all current and future employees. Once Lifecycle Management was in place, the company was automatically able to provision users with everything from email and Slack to Box and Salesforce.

The initial overhaul was fairly work-intensive to standardize naming conventions and job titles across the organization, but as Zander says, “Once you get there, you save a lot of headaches on the backend.” Mastering the workstream with BambooHR made a big difference, too. “If you have a human resource services tool, it's really easy to get a list of every single title you have,” says Zander. “If not, you start there and try to match all the people with the same job and completely different titles.”

Introducing this level of consistency made it possible to start establishing rules and policies for provisioning. “Okta brings everything into place for users, based on their identities,” says Zander. “We push to basically every app that we can, and anything that can’t be pushed, we set up for just-in-time provisioning. We only have to manually provision one or two apps now.”

Driving adoption to improve security

Once HackerOne’s users were in the appropriate instances, the company added layers of security to its sign-on process. But it was incredibly important to apply security in a way that reduced IT friction for users.

“When you look at any security tool, you really need to ask what it's bringing to your end user,” says Zander. “Not just, ‘is it helping us meet this compliance standard?’ For example, entering a unique code really quickly while a timer counts down may not be a big deal for the average IT person, but for the average employee, it's really nerve-wracking, and it's not fun.”

At HackerOne, balancing security and usability for employees works a lot like the city planning theory of desired paths, which is built around the idea that people will always take the shortest route to their destination, even if it involves going off the established path.

“We need to avoid illusions of security that don't actually do anything,” says Zander. “Not only do they frustrate our coworkers and our colleagues, but they make us look silly. Instead, we've got to figure out what went wrong. We have to build security and compliance models that match what people are doing. When we fight against desired paths, when we block off the area, we’re never really considering why people were taking these shortcuts in the first place.”

Sometimes, the fix is simple. “Maybe it’s just pushing out a small change to make something easier, or adjusting the length of a session time so people don't timeout every four hours,” says Zander. “Maybe it's extended to eight hours, instead.”

Other times, HackerOne simply embraces what it’s employees are already doing, and finds a way to make that activity or application more secure. “If there's an application that your marketing team bought without you knowing, instead of just saying no to it, maybe you should just pay for the tier that integrates with Single Sign-On, so that it meets your security criteria.”

By setting up Okta’s Single Sign-On, followed by Adaptive MFA, HackerOne not only streamlined the login process, but also added a strong, user-friendly layer of security that didn’t disrupt employees. “If you can start with a push-based multi-factor tool, suddenly fewer people are complaining about how difficult it is to log in to their day-to-day platform—and they tend to be happier.”

HackerOne was also able to eliminate VPNs for 70% of its workforce. “It doesn't matter where you are,” says Zander. “It matters what tools you're using and who you are. Okta allowed us to speed everything up and improve everyone's day-to-day experience, while also increasing our level of security. We stripped away the potential roadblocks that could have come from implementing new security tools, plus we made old roadblocks go away.”

Fewer roadblocks means employees are happy to cooperate with internal security policies, which, in turn, improves the company’s security posture.

This is a huge benefit for HackerOne’s customers, especially since the company is clear that it isn’t using a one-size-fits-all security model. Instead, it implements the most effective security tools for its distinct user environment. For example, the company tries to limit employees to two passwords each and applies MFA every time a user logs in, rather than mandating scheduled password changes.

“We MFA everything, and we never use SMS,” says Zander. “We use push-based authentication instead because that makes it a lot easier to get people to adopt the tools, especially when they’re not used to using MFA all the time.”

“That's better than rotating passwords every 90 days,” says Zander. “The more of us that do that, the better the standards become, and the easier it is for smaller companies with less money to adopt industry best practices.”

Connected, controlled, and consistent

Okta’s flexibility made a significant difference for users as well. The Okta Integration Network makes it easy to securely connect Okta with a massive array of products, so that HackerOne’s IT department can say yes more often to product requests from users.

“The fact that Okta plays well with others is really good,” says Zander. “Okta allows us to bring our preferred tools to market. We're not stuck in one space or another. We can continually improve our own security by evaluating what's out there and moving forward on those tools without having to worry about whether or not they’ll be compatible.”

HackerOne’s integrated, consolidated infrastructure makes it much easier to monitor and track activity as well. Now, administrators can identify a user’s department, job title, office location, employment location, employment status, and apps all in one place.

“The ability to quantify where people were and what they were doing, and then give them the right tools and access levels was really important,” says Zander.

While HackerOne is thrilled with the efficiency and security Okta has enabled, the company appreciates the consistent experience most of all. By applying the same standards to each user, they’re automatically sorted into the right groups, and provided correct access. “It means that when someone starts on a Monday, they get every tool they need on that Monday,” says Zander. “They aren’t spending months waiting for an application.”

This is a major perk for HackerOne, because it means that employees are more productive from the moment they get to work. They have everything they need right away--including apps they may never have received without automated provisioning. This, too, lightens IT’s workload, because they aren’t receiving multiple follow-up calls from employees looking for apps.

“And if we need to remove the apps quickly, we just click ‘deactivate.’ 70% of the user’s tools are turned off automatically and the rest of them come up in a nice list of tasks. It saves a lot of time and worry about what that person might have access to,” Zander explains.

A bigger and better future

Now that HackerOne has a secure, consistent identity framework in place, it’s ready to take another leap forward by expanding its industry footprint.

HackerOne’s logic is that if employees are more excited and motivated by the projects they’re working on, they’ll do an even better job for their customers. “Long-term, we’ll improve the security of our customers and the lives of our employees.”

As HackerOne continues to grow, Okta will be by its side. “We really love working with Okta because we know they get it, and likewise, they know we get what they do,” says Zander. “It's a really cool experience to work with companies that care deeply, and to feel like we share a partnership and mutual trust. We know we have someone to lean on if something scary happens.”

About HackerOne

HackerOne was started by hackers and security leaders who are driven by a passion to empower the world to build a safer internet. Its platform is the industry standard for hacker-powered security. It partners with the global hacker community to surface the most relevant security issues of its customers before criminals can exploit them.