Comments
Crowdsourced vs. Traditional Pen Testing
jayd3e
User Rank: Apprentice
5/18/2019 | 7:02:46 AM
Re: Bug bounty program and maturity
Interesting post. I noticed that you did not include Synack in your list of providers. Any particular reason? We have been using Synack for a while now and have found their team to be professional, their service well-designed, and their security researchers to be top notch. We looked at the options you mentioned and ended up going with Synack.
jayd3e
User Rank: Apprentice
5/18/2019 | 6:59:31 AM
Re: Bug bounty program and maturity
Interesting post. I noticed that you did not include Synack in your list of providers. Any specific reason? We have seen a lot of benefit from using Synack and have found their team to be professional, their service well-designed, and their security researchers to be some of the best in the world.
Arkada
User Rank: Author
4/5/2019 | 4:36:28 AM
Re: Interesting, but maybe missing some key points...
Thanks for your comment. All valid points. Crowdsourced security isn't mutually exclusive to traditional pentesting, but due to the cost it depends entirely on budget. Like you point out, many 'crowdsourced' pentesters have a day job - I myself am a CISO during the day and a crowdsourced hacker by night - but the advantages you point out are valid: a crowdsourced tester will literally have all the time in the world to find a vulnerability, but more importantly you'll get a nice proof of concept of how the vulnerability can be exploited in a real-world scenario, which is where crowdsourced pentesting shines. Personally I'm tired of reading 'traditional' pentesting reports filled with 'your system is out of date, it's vulnerable' - when I enquire as to 'why?' it either gets taken off the report or I get a stock answer: 'we prefer to play it safe!'
Arkada
User Rank: Author
4/5/2019 | 4:32:57 AM
Re: Bug bounty program and maturity
Thanks for your comment. My take is yes, you do need a more 'mature' security level, by virtue of the fact that you'll end up paying lots of bounties out to researchers for vulnerabilities that you could have discovered yourself. You need to be at least running regular web application scans and have had a few pentests, so that you've picked all the 'low hanging fruit' from your application, then probably engage a crowdsourced test so that you can pick up the more esoteric ones that aren't going to be found in a pentest. That is, if you had a nice fat budget you could use both traditional and crowdsourced in conjunction with each other - they aren't mutually exclusive.
Arkada
User Rank: Author
4/5/2019 | 4:30:52 AM
Re: Missed synack from that list
Thanks for your comment. You're right, there are quite a few more platforms. I am myself a member of the Synack Red Team also, so it is a valid point. Cobalt, Federacy, Yogosha, and even Hacken are all platforms to an extent; I just didn't want this article to become more vendor focused, so I picked the 'big two'.
KevinStanley
User Rank: Apprentice
3/25/2019 | 12:53:20 PM
Re: Bug bounty program and maturity
Agreed. Some key points are missing in my opinion.
KevinStanley
User Rank: Apprentice
3/25/2019 | 12:52:27 PM
Re: Bug bounty program and maturity
Agreed. Some key points are missing in my opinion.
nologic
User Rank: Apprentice
3/19/2019 | 8:11:16 PM
Missed synack from that list
Enjoyed the article! I think it's worth mentioning Synack on that list as well. I've worked on their platform. They do a good job at motivating researchers by paying out nice bounties, picking up interesting targets, respecting researchers and, of course, throwing great parties. In general though, these models are great for researchers who want to have more freedom in their day-to-day activities. A regular pentesting firm will have its own approaches, which may create friction for an individual contributor. Especially in today's cyber security talent shortage, I feel like it's a good time to be a hacker on Synack's platform or the others that you've mentioned.
CISO Dave
User Rank: Apprentice
3/19/2019 | 6:44:13 PM
Interesting, but maybe missing some key points...
Interesting read Alex, thanks. I think on the whole you make some really valid points, but I think that maybe there are a couple of points worthy of highlighting. For me, crowdsourced testing isn't a direct replacement for traditional pen testing. I think it offers an alternative, more dynamic way of adding more "real life" scenarios to the testing regime. You touch on the fact that traditional pen testing can be routine and not always provide the insight - that is what I like about the crowdsourced testing approach... I get to see a vulnerability and how it can be exploited in the real world. I too have had vulnerabilities highlighted by crowdsourced testers that had gone unnoticed for many years through our traditional pen test approach. I'm not sure how we would ever have seen it had it not been for the "independent" tester who was looking for his reward. Whilst I recognise that running crowdsourced programs internally can be challenging for the lack of reward, what I have seen (with people like Synack) is that their testers often have a day job and use their personal motivation and drive to test (and ultimately generate rewards) outside of their 9-5 work. I think the crowdsource model is evolving too - again, using Synack as an example, they are looking at moving into the compliance space (through their Missions program) as well as creating indicators of your capability and speed to respond to and remediate the vulnerabilities they identify. These to me offer some additional value add that I wouldn't necessarily get from traditional pen test firms. But, as I say, traditional pen testing still plays an important role in testing our estate and driving us to improve the security posture of the organisation; I do believe there is a real market for good quality, robust crowdsourced testing to work alongside this.
pborghesi
User Rank: Apprentice
3/19/2019 | 6:39:42 PM
Bug bounty program and maturity
Interesting post. However, I had a discussion with my colleagues, and they state that before undertaking a bug bounty program you need to have a very mature security level or it can be too "risky". What is your take on that?