Dark Reading is part of the Informa Tech Division of Informa PLC


Comments
Crowdsourced vs. Traditional Pen Testing
jayd3e, User Rank: Apprentice
5/18/2019 | 7:02:46 AM
Re: Bug bounty program and maturity
Interesting post. I noticed that you did not include Synack in your list of providers. Any particular reason? We have been using Synack for a while now and have found their team to be professional, their service well-designed, and their security researchers to be top notch. We looked at the options you mentioned and ended up going with Synack.
jayd3e, User Rank: Apprentice
5/18/2019 | 6:59:31 AM
Re: Bug bounty program and maturity
Interesting post. I noticed that you did not include Synack in your list of providers. Any specific reason? We have seen a lot of benefit from using Synack and have found their team to be professional, their service well-designed, and their security researchers to be some of the best in the world.
Arkada, User Rank: Author
4/5/2019 | 4:36:28 AM
Re: Interesting, but maybe missing some key points...
Thanks for your comment. All valid points. Crowdsourced security isn't mutually exclusive to traditional pentesting, but due to the cost it depends entirely on budget. Like you point out, many 'crowdsourced' pentesters have a day job - I myself am a CISO during the day and a crowdsourced hacker by night - but the advantages you point out are valid: a crowdsourced tester will literally have all the time in the world to find a vulnerability, but more importantly you'll get a nice proof of concept of how the vulnerability can be exploited in a real-world scenario, which is where crowdsourced pentesting shines. Personally, I'm tired of reading 'traditional' pentesting reports filled with 'your system is out of date, it's vulnerable' - when I enquire as to 'why?' it either gets taken off the report or I get a stock answer: 'we prefer to play it safe!'
Arkada, User Rank: Author
4/5/2019 | 4:32:57 AM
Re: Bug bounty program and maturity
Thanks for your comment. My take is yes, you do need a more 'mature' security level, by virtue of the fact that you'll end up paying out lots of bounties to researchers for vulnerabilities that you could have discovered yourself. You need to be at least running regular web application scans and to have had a few pentests, so that you've picked all the 'low-hanging fruit' from your application; then probably engage a crowdsourced test so that you can pick up the more esoteric ones that aren't going to be found in a pentest. That is, if you have a nice fat budget you can use both traditional and crowdsourced in conjunction with each other - they aren't mutually exclusive.
Arkada, User Rank: Author
4/5/2019 | 4:30:52 AM
Re: Missed synack from that list
Thanks for your comment. You're right, there are quite a few more platforms; I am myself a member of the Synack Red Team also, so it is a valid point. Cobalt, Federacy, Yogosha, and even Hacken are all platforms to an extent. I just didn't want this article to become more vendor-focused, so I picked the 'big two'.
KevinStanley, User Rank: Apprentice
3/25/2019 | 12:53:20 PM
Re: Bug bounty program and maturity
Agreed. Some key points are missing in my opinion.
KevinStanley, User Rank: Apprentice
3/25/2019 | 12:52:27 PM
Re: Bug bounty program and maturity
Agreed. Some key points are missing in my opinion.
nologic, User Rank: Apprentice
3/19/2019 | 8:11:16 PM
Missed synack from that list
Enjoyed the article! I think it's worth mentioning Synack on that list as well. I've worked on their platform. They do a good job at motivating researchers by paying out nice bounties, picking up interesting targets, respecting researchers and, of course, throwing great parties. In general though, these models are great for researchers who want to have more freedom in their day-to-day activities. A regular pentesting firm will have its own approaches, which may create friction for an individual contributor. Especially in today's cyber security talent shortage, I feel like it's a good time to be a hacker on Synack's platform or the others that you've mentioned.
CISO Dave, User Rank: Apprentice
3/19/2019 | 6:44:13 PM
Interesting, but maybe missing some key points...
Interesting read, Alex, thanks. I think on the whole you make some really valid points, but I think that maybe there are a couple of points worthy of highlighting. For me, crowdsourced testing isn't a direct replacement for traditional pen testing. I think it offers an alternative, more dynamic way of bringing more "real life" scenarios to the testing regime. You touch on the fact that traditional pen testing can be routine and not always provide the insight - that is what I like about the crowdsourced testing approach... I get to see a vulnerability and how it can be exploited in the real world. I too have had vulnerabilities highlighted by crowdsourced testers that had gone unnoticed for many years through our traditional pen test approach. I'm not sure how we would ever have seen it had it not been for the "independent" tester who was looking for his reward. Whilst I recognise that running crowdsourced programs internally can be challenging for the lack of reward, what I have seen (with people like Synack) is that their testers often have a day job and use their personal motivation and drive to test themselves (and ultimately generate rewards) outside of their 9-5 work. I think the crowdsource model is evolving too - again, using Synack as an example, they are looking at moving into the compliance space (through their Missions program) as well as creating indicators on your capability and speed to respond to and remediate the vulnerabilities they identify. These to me offer some additional value that I wouldn't necessarily get from traditional pen test firms. But, as I say, the use of traditional pen testing still plays an important role in testing our estate and driving us to improve the security posture of the organisation, but I do believe there is a real market for good quality, robust crowdsourced testing to work alongside this.
pborghesi, User Rank: Apprentice
3/19/2019 | 6:39:42 PM
Bug bounty program and maturity
Interesting post. However, I had a discussion with my colleagues, and they state that before undertaking a bug bounty program you need to have a very mature security level or it can be too "risky". What is your take on that?

