On the night of 10 March 2023, La Redoute fearlessly joined the Live Hacking Event at RootedCON with its Bug Bounty application to challenge ethical hackers and themselves, what the team found was an incredible environment and a chance to gain insights impossible to get any other way.
Read more on the following interview with Thibault ROSA, Apps Engineering Manager, Nabil NAGOUDI, Incident Response Lead, Tareq MOUFFOK, Cyber Forensic Analyst and Pascal Moulin, CISO of La Redoute.
The Hacker Night at RootedCON was the first Live Hacking Event in which La Redoute participated. Did this event seem relevant to you to improve your level of security?
La Redoute’s security teams found this Live Hacking Event very beneficial. We were confronted with a community of hunters who excelled in their field. We felt a strong spirit of competition, and highly motivated hunters.
We chose to test our mobile application, which was not yet open on our current Bug Bounty* programs with Yogosha.
Being able to challenge a perimeter for the first time with such a large community of hackers was a very good experience.
This allows you to do a lot of cleaning in one evening, to put the spotlight on a relatively new perimeter rich in discoveries : on a total of 24 reports submitted by ethical hackers, 14 were accepted by La Redoute – but fortunately 0 critical!
During the event, ethical hackers demonstrated their skills in identifying vulnerabilities through a combination of techniques and tools, utilizing both laptops and smartphones as their weapons of choice.
Among the arsenal of tools at their disposal, one that played a pivotal role was Burp Suite**. This tool allowed them to intercept and scrutinize the network traffic flowing between their devices and the target website or application, effectively giving them insight into the information being exchanged.
Burp Suite, often a hacker’s best friend, acts as a gateway to uncover potential security flaws.
By capturing this network traffic, the hackers could discern the intricacies of the data transmission, pinpointing areas that may be susceptible to exploit.
But their skill set extended beyond simple data interception; these ethical hackers possessed a keen ability to analyze various facets of the website and mobile application.
One of their strategies involved aligning their efforts with established security frameworks like OWASP (Open Web Application Security Project).
OWASP categorizes a wide array of vulnerabilities and provides a comprehensive guide for security professionals. By adhering to such a framework, the hackers gained a structured approach to identifying potential weak points within the systems they targeted.
However, not every discovery they made during the event could be classified as a confirmed vulnerability.
The fine line between a legitimate vulnerability and a false positive is a challenge faced by security experts.
It’s a reminder that while hacking can expose flaws, it also requires a rigorous process of validation to distinguish between genuine security risks and inconsequential anomalies in their pursuit of vulnerabilities, by La Redoute security team.
What did you think of the vulnerability reports reported by researchers during Hacker Night?
The hunters’ goal was focused on speed and competition so the reports could be less structured than during a Bug Bounty. However, the fluidity of the exchanges related to the Live side of the event, in addition to the tools put in place by Yogosha (a discord to speak with the researchers), allowed us to obtain more information on the vulnerabilities found.
These live exchanges with researchers on our programs were of great interest to La Redoute.
What is the interest for a company to participate in a Live Hacking Event?
As attackers are getting smarter, it becomes essential for a company to innovate in its security and challenge its code and infrastructure.
This kind of event makes it possible to have a base of skills gathered in one place for a limited time, and to push its perimeter to the maximum.
Over the vulnerabilities found by the researchers, we had access to their thought process, which we do not necessarily have in a classic Bug Bounty* program.
As a conclusion, as we decided to really play the game and use our reals live apps – and not a test Environment – this participation was very productive for La Redoute in term of security but also regarding the teamwork improvement by putting different La Redoute team’s members working together on one atypic and exciting event! A good way to experiment the collective intelligence!
* Bug Bounty: program that offers a reward to a person who identifies an error or vulnerability in a computer program or system.
** Burp Suite: software security application used for penetration testing of web applications. Both a free and a paid version of the software are available. The software is developed by the company Port Swigger.