HackerOne

HackBackBetter Sponsorship: Learn What Younger Coders Think About Hackers and Tips for Secure Code Review

hbbt

This blog is broken down into these following sections. Feel free to jump to a piece that interests you!

  • The Why and What of HackBackBetter

  • Young Coder's Views on Hacking

  • Beginner Tips for Secure Code Review 

HBB1


The Why and What of HackBackBetter

HackerOne is proud to announce its sponsorship of HackBackBetter 2023, a high school hackathon tailored for middle and high school students eager to explore the world of software development. The event was held on April 22nd-23rd at Hacker Dojo in Mountain View, CA. By supporting HackBackBetter 2023, we aim to encourage the growth and education of young coders, and align them with the concept of secure code review.

First, we talked to Ruien, the main organizer of the event:

Can you give me a summary of what inspired the event? Who pushed the initiative forward?

So, the thing about hackathons is that most of them became virtual in the past couple of years - still fun, but a lot more about slogging through code and trying to win a couple of virtual prizes than having fun, learning new things, and socializing. I didn’t like that; I wanted people to be there in person and talk to each other, learn from each other, and form some new connections without being separated by a screen! Also, many youths just getting into high school haven’t had the chance to try out a hackathon and are missing out. So, I thought, “I’ll run one just to get more people interested in coding!” 

One of the themes is environmental preservation. How did you incorporate that into this challenge?

We ended up incorporating the theme into the challenge by connecting it to how, throughout COVID, many adverse changes have happened to the environment. It is important to be wary of changes our earth is experiencing. To help with integrating this notion more, Kaylee, a Greenkeepers representative, ran a workshop on how geospatial AI can help with environmental preservation.

Hackathons like HackBackBetter 2023 are crucial in inspiring and nurturing the next generation of coders. These events provide an engaging and supportive environment for students to develop their coding skills, collaborate with others, and explore their passion for technology. At HackerOne, secure code is an essential aspect of software development, and nurturing young talents in this field will contribute to a more secure digital landscape.


Young Coder’s Views on Hacking

We were curious about what image came to mind when these younger coders thought about hackers. So, we asked participants a series of questions to paint a picture for us.

kaylee


Kaylee HackBackBetter Participant

Have you heard of HackerOne before?

No.

What do you know about hackers? What do you think they are like?

Hackers are very driven to create some kind of impact in their passion/area of interest. I see them as people with lots of knowledge and experience.

If you could get paid to help secure a company by hacking it, would you?

Probably, if it’s legal 😆

Did you know code review is a path into cybersecurity?

No.

brian


Brian HackBackBetter Participant

Have you heard of HackerOne before?

No.

What do you know about hackers? What do you think they are like?

I know that hackers are very experienced programmers. Online, it seems like they are secretive people.

If you could get paid to help secure a company by hacking it, would you?

If I could get paid to help secure a company through hacking, I would definitely do so for the fun experience!

Did you know code review is a path into cybersecurity?

I know that code reviews are a fundamental part of cybersecurity and used in every sector of work involving tech.

hbb2


Aiden, Luke, Deep - HackBackBetter Participants

Have you heard of HackerOne before? 

We have heard of HackerOne before; they are a way for businesses to find vulnerabilities in their software by paying rewards to HackerOne volunteers who successfully hack their software.

What do you know about hackers? What do you think they are like?

Anyone can be a hacker; all you need is a computer to reverse-engineer the code you are trying to hack.

If you could get paid to help secure a company by hacking it, would you?

We would all take the opportunity to help secure software by hacking. This allows companies to validate their security measures from people outside the company, which simulates a real-life situation where a person is trying to hack into a company. 

Did you know code review is a path into cybersecurity?

Yes, we did. Code review is a way for people outside the developing team to verify the efficiency and strength of the code.

Takeaways

We appreciate the participants who shared their perspectives on hackers. There are a lot of unknowns regarding public views on hackers. In general, the consensus is that hackers are talented and curious individuals but that anyone with a computer can be one. With time and effort, we at HackerOne believe that too. 

One of Kaylee's answers points out an important issue, the legality of hacking. People still fear hacking because of the stigmatization and repercussions of the past. Jason Haddix's AFK taught us a bit about this history and how far we've come. HackerOne has worked to build a platform for hackers to utilize their skills without this fear. Most of these incredible students hadn't heard about us before, so we hope they will join our ranks one day soon!


Beginner Tips for Secure Code Review

At HackerOne, secure code is an essential aspect of software development, and nurturing young talents in this field will contribute to a more secure digital landscape.

Dan Mateer is the current Senior Director, Customer Success at HackerOne and former COO at PullRequest, a company full of expert coders who provide code review as-a-service. 


Dan Mateer - Senior Director, Customer Success

What skills do you need to do secure code review?

To be an effective, secure code reviewer, you don’t need to know every programming language, framework, library, and tool. Many of the same concepts apply across programming languages; tool-specific idioms and syntax in a programming language you have limited experience with will be easy to pick up once you have a lot of experience with one.

Second, it will benefit you to have an understanding of human nature and tendencies of software developers. You get to know this very well with experience as a developer yourself. For example, there are “shortcuts” that accomplish a goal at the expense of things like performance, maintainability, and security. No ethical developer will purposefully inject a security issue into an application. However, they may write uninspired code when hurried to deploy or not know what they don’t know (general lack of knowledge). Get to know these tendencies. When you can identify things like a few repetitive patterns in an otherwise immaculately abstracted codebase, you can start to look for details around the logic that may have been overlooked - including security issues.

What specific security threats or vulnerabilities do you look for during a code review?

If any security vulnerability is found in software, it can almost always be traced back to an absence of secure coding best practices or a flaw in the source code. One of the most common and recurring things I see and look for is broken access control, things like different or missing permissions checks in 2 or more places for accessing the same resource, or if password reset tokens are generated in a way that would be easy for a human to guess. Another is security misconfiguration - things like exception logging containing sensitive information getting transmitted to 3rd party logging services.

Are there resources you would suggest to begin learning secure code review?

Reviewing code for security flaws should be part of any source code review - be it a peer code review of a pull or merge request or a comprehensive audit of a codebase. And to be an effective code reviewer, you need a good foundation of software engineering experience, especially working alongside other developers on a variety of codebase types. The more mature a codebase is, the more likely you’ll encounter rare and unpredictable security flaws over time. The vulnerabilities exist in logical paths that automated linting tools can’t find.

Static analysis (SAST) tools can be a great learning resource. First, study the pre-existing rules for tools like semgrep, Checkmarx, and SonarSource. These engines catch fairly surface-level security issues, but understanding the rules will help you understand common and recurring security issues found in source code and the conceptual pitfalls they were written to help developers avoid.

Can you give an example of a time when you found a security issue during a code review and what steps you took to fix it?

The first security vulnerability I fixed was never a security vulnerability because a teammate caught it in a pull request code review before it was merged. I was integrating a licensed 3rd party API and committed the secret key in plaintext to the feature branch. Secret keys need to be protected, and I thought it was! This private repository was accessible only by select employees, and the source code file wouldn’t be visible to end users at runtime. My teammate explained that hardcoded sensitive information would be visible whenever someone clones the repository to a machine. It instead needed to be stored in a secrets manager. Furthermore, because I published the branch to Git, it must be considered compromised and rotated because the commit containing it would persist in Git history.


HackerOne's Commitment to Supporting High School Hackers

HackerOne is dedicated to fostering the growth and education of high school hackers. By sponsoring events like HackBackBetter 2023, we hope to create opportunities for young talents to explore paths in cybersecurity and software development. We recognize the immense potential of these future professionals and are committed to investing in their success. As we continue to support hackathons and educational initiatives, we aim to double down on our efforts to create more hackers!


 

The 7th Annual Hacker-Powered Security Report

Hacker-Powered Security Report