BlueFort turns 18 this month so we thought it would be a good time to speak to one of our founders and joint CEO, Ian Jennings.

Tell us a bit about yourself?

I’m based in Church Crookham in Hampshire and live with my three children, 14, 19 and 21, and a Rhodesian Ridgeback dog called Nala – so when I’m not working I operate a shuttle bus to ferry them all around. I’ve been in the technical and operational side of businesses since I left university.

How did you get started?

I combined Computer Science and Management into a degree at the University of Leeds. Back in those days I had a 386 computer but needed that massive upgrade to a 486 to do Pascal and then C++ programming. I loved the way we learned to communicate immediately using the University’s email system, as the Internet wasn’t publicly used back then (1993)! I had early stints with local government where I ended up running IT change projects such as rolling out TCP/IP Windows networks – at a time when everyone was using Novell NetWare. Even then I knew that the migration approach of keeping one foot in each place was probably a bad idea, and it’s interesting how that approach continues today in other projects I get involved in. From there I joined a company who were focusing on helping enable remote access – pre-internet, companies had to install banks of modems and provided US Robotics and 3Com systems, and quickly companies realised that they needed to ramp up security – that was my first involvement with RSA. From there the company grew quickly and was sold, and following a quick stint elsewhere I formed what was called Fortify Security with two business partners, one of whom, Dave Henderson, is still with us today as my fellow CEO. Following a very amicable negotiation with an American company called Fortify, who were being bought by HP, we agreed to change our name to BlueFort Security.

What’s your role at BlueFort and what does it involve?

I’ve always had a technical and operational slant so I’m responsible for those areas as well as taking a lead on legal and financial matters. We are at a good stage in the development of the company where some of the areas around Identity and Cloud security are becoming even more important challenges for our customers. Without name dropping, we’ve been helping the likes of NatWest Bank, Clifford Chance, and Virgin Media since our inception year, and the iteration of our portfolio has been very important to help customers stay on top of security challenges.

What do you love about your job?

I love to meet customers and help solve their challenges. My background with computer science and business studies has helped me understand the real need behind the technical challenges. Customers can struggle to bridge the technical and business conversation – it needs some translation sometimes, and I do like the challenge of helping communicate the complexities of the technical problems in a business way. Tech solutions don’t always fix business problems, so we must be careful not to do things just because we can. I love having to think on my feet and help in customer workshops.

What do you get up to outside of work?

We love our food and during Covid we got a pizza oven which is now used for many things including the Sunday roast. I love a good red wine and have been making my way through all the grape varieties. There’s an app called Vineo that helps keep track and makes it easier when ordering out and about – it’s a very handy use of technology! I’ve been restoring an old BMW for a few years, and have found a great use for my 3D printer to get all the needed parts created. I love combining troubleshooting with getting my hands dirty.

What does the future hold?

The next few years we are going to be very busy growing BlueFort – the real challenge is keeping up with market demand. The adversaries are accelerating attacks, and our customers are being placed under huge technical demands trying to keep their identities and systems under their own control, especially where they are transforming with cloud infrastructures. All being well though, in a few years’ time, I’m looking forward to finding somewhere to live by the sea, hopefully a bit warmer. I’d love to get more time to travel the world and experience new cultures. I spent my gap year in the Middle East and loved it, but this time around I don’t want to backpack!

By Josh Neame, CTO, BlueFort Security

For those of us who’ve worked in cybersecurity for a while, vulnerability disclosure programs aren’t new (the first official program launched in the mid-1990s). One could argue they’re just another tool in the armoury of defences that a company may choose to invest in.

Yet to my mind there’s something that makes VDPs a little bit special. First, they are a very effective and efficient way to identify vulnerabilities. But more than that, the driving force behind them is a community of really talented ethical hackers (or security researchers, as many now prefer to be known). Often operating out of sight, these software super sleuths make it their mission to track down vulnerabilities in some of the world’s most critical and powerful organisations.

VDP, DOD & MOD

The US Government launched its ‘Hack The Pentagon’ initiative in 2016, opening the door for security researchers to look for vulnerabilities in some of its most prized assets. Since its creation, the program has seen more than 600 ethical hackers invited to find bugs in Department of Defense (DOD) resources, resulting in the disclosure of more than 700 issues so far.

Our very own Ministry of Defence (MOD) has followed suit these past few years by launching its own VDP. One could argue that it couldn’t come soon enough, as this time last year it was revealed that the MOD had 11 legacy systems at a critical level of risk. To underline how serious it was about the program, it dropped £2.5m into the bug bounty pot to encourage security researchers to dig deep.

Cybersecurity Rock Stars Giving Back

Hackers come in many colours, as this recent article in TechTarget explains. When it comes to VDPs, we’re talking about the white-hatted ones: law-abiding security specialists who only hack within legally permitted, and usually pre-determined, parameters.

Santiago Lopez is arguably one of the most well-known security researchers on the planet. He is famous for being the world’s first millionaire hacker, at just 19. He’s been widely profiled on pretty much all the major media outlets – BBC, Wall Street Journal, and Forbes to name a few. An avid supporter of security researchers the world over, Santiago has built a business based on offering his “secrets, strategies, and methodologies to the community”.

Closer to home there’s Dr Katie Paxton-Fear, a lecturer in cybersecurity at Manchester Metropolitan University. Like Santiago, Katie is no stranger to media appearances, and uses her platform to help organisations and individuals alike protect themselves from cybercriminals. This recent Daily Mail video is a cracker!

What actually is a VDP?

A VDP (Vulnerability Disclosure Program) is a structured process that allows security researchers, ethical hackers, and the public to report security vulnerabilities in an organisation’s systems. Like the hackers themselves, VDPs come in all manner of guises. Just as there’s no single universal pre-defined cybersecurity program, VDPs are unique to every individual business. The one common trait they share is that behind every program are security researchers looking for security flaws and vulnerabilities in an organisation’s IT infrastructure, all of which is designed to bolster your cybersecurity defences.

VDPs in the context of NIS2

By now we’re all familiar with NIS2, the EU regulatory framework designed to enhance the overall level of cybersecurity across member states. The goal of the framework is to provide a common level of cybersecurity across the European Union, protecting essential services and the digital economy from the growing threat of cyber attacks.

NIS2 is targeted at essential CNI sectors such as energy, transport, banking, and digital infrastructure. However, the scope of the updated directive has widened significantly and now includes a bunch of other critical sectors such as space, waste water, food, and manufacturing. Even IT service providers fall under NIS2’s extended remit!

Article 21 of the directive outlines ten cybersecurity risk management measures to be adopted by in-scope entities. This includes security in network and information systems acquisition, development, and maintenance, as well as vulnerability handling and disclosure.

Specifically, the directive lays out three key attributes that security measures must include which directly relate to a VDP. Broadly speaking, these are:

  1. Establishing a VDP that allows security researchers to identify and report vulnerabilities
  2. Having communication channels in place to facilitate responsible disclosure
  3. Ensuring that your VDP is integrated into the organisation’s broader risk framework.

What vulnerabilities might be uncovered?

Contrary to what Hollywood would have us believe (see Top 40 Cybersecurity and Hacking Movies), the top ten vulnerabilities reported to customer programs, according to HackerOne’s annual Hacker-Powered Security Report, are far from extraordinary. In fact, they’re pretty common. Our old friend Cross-Site Scripting (XSS) tops the charts, closely followed by Information Disclosure, Improper Access Control, and the old chestnut of Misconfiguration. That said, however ordinary these flaws might be, they can still pack a punch. Knowing about them and fixing them before any damage can be done is the name of the VDP game.

Want help getting started?

BlueFort’s methodology of Continuous Cyber Discovery delivers a comprehensive understanding of your tools, assets, policies, and APIs across your entire IT estate – on-premise, in the cloud and hybrid. When it comes to VDPs, we can support you along your journey to creating and delivering a responsible disclosure program, whether that’s a VDP, bug bounty, penetration testing, red teaming, or a combination.

If you’re in the CNI sector or any other organisation in scope of NIS2, and you’d like to explore the benefits of a VDP – improved security posture, enhanced reputation through responsible disclosure, and fostering a collaborative relationship with the industry’s software super sleuths – schedule some time in my calendar, drop me an email, or give me a call. You can learn more about VDPs in our latest whitepaper.

Josh Neame, CTO

https://calendly.com/joshneame

01252 917000

info@bluefort.com