“The most important result of working with Intigriti is that it offers you tangible and actionable results that significantly increase your security maturity.” – Yannick Herrebaut, CISO of Port of Antwerp
About Port of Antwerp
As Europe’s second-largest port, the Port of Antwerp is a major lifeline for the Belgian economy. The Port of Antwerp handles around 231 million tons of international maritime freight annually and is home to Europe’s largest integrated chemical cluster. The Port of Antwerp accounts, directly and indirectly, for a total of 144,000 jobs and more than €19 billion added value.
The challenge: Limitations of traditional security testing methods
True to its mission; a ‘home port as a lever for a sustainable future’ Antwerp’s Port Authority aims to flexibly respond to a rapidly evolving maritime market. As the Cyber Resilience Manager & CISO of Port of Antwerp, Yannick Herrebaut is responsible for building world-class security defenses.
To test the port’s cybersecurity strength, Yannick employed the help of an agency to carry out an annual penetration test (also known as a pentest). Whilst there were some findings, the test didn’t meet all his needs and expectations. Elaborating further, he explains:
The problem with penetration testing is that they focus on your organization’s security during a snapshot of a certain moment in time.
Due to this time constraint, Yannick set out to explore alternatives that would enable him and his team to implement scalable, continuous security testing cost-effectively and sustainably.
The solution: Host a responsible disclosure policy and bug bounty program on Intigriti
Soon into this research, Yannick’s team discovered crowd security testing:
We came into contact with Intigriti after doing some market research. I was instantly intrigued by the concept and requested budget to explore responsible disclosure and bug bounty programs.
Port of Antwerp’s security maturity was already advanced and so it began with a public bug bounty program alongside a responsible disclosure program. To assess the success of the bug bounty program fairly and accurately, Yannick’s team also ran a penetration test for the port in parallel.
Port of Antwerp received 135 vulnerability submissions from security researchers from Intigriti within a few months of launching. This was an encouraging result for Yannick and his team — particularly as the pentest yielded only a handful of vulnerabilities. Yannick explains:
The amount and the quality of the reports from the responsible disclosure program were a lot higher than what was discovered during the pentest, and at the fraction of the cost.
As well as a cost-benefit, Port of Antwerp experienced an increase in vulnerability research, time-saving opportunities, and scalable security testing.
Increased vulnerability research
Through the platform, Yannick and his team can interact directly with the security researcher community. Commenting further on this benefit, Yannick says:
I think the biggest value of working with Intigriti is they have found a fantastic way to combine the security researcher community with the businesses through an extremely user-friendly platform.
Exceptional time-saving through Intigriti’s triage service
Intigriti’s triage process ensures its customers only receive genuine vulnerabilities so that they can decide whether to accept (or reject) the report and start working on a resolution. This security validation process is executed by Intigriti’s in-house Security Analysts. Explaining how this step enables Yannick’s team to work faster and smarter, Yannick shares:
I cannot overstate the importance and the value that the triage team offers to us. The researcher sees or notices something, documents it, and publishes it on the platform. It then goes through the triage team as a quality check before we receive it. Our developers know that any vulnerability that makes it through this step is important and in need of remediation. The value is immense for us.
Yannick’s security team has also benefited from an integration between Intigriti and Port of Antwerp’s in-house ticketing system, meaning they’ve been able to streamline their remediation process further.
Scalable security testing
The Port of Antwerp’s next steps in terms of responsible disclosure and bug bounty is to extend the program to encompass its entire application portfolio. Talking more on the future of Port of Antwerp’s bug bounty program, Yannick says:
“Early on into the program’s launch, we could already see it was a success. For that reason, we decided to go ahead with the program next year, and the years after that!”
Intrigued by what you have read? Want to know more about bug bounty programs? Get in touch to request a demo with a member of our team today.