
Comments
Crowdsourced vs. Traditional Pen Testing
jayd3e, User Rank: Apprentice
5/18/2019 | 7:02:46 AM
Re: Bug bounty program and maturity
Interesting post. I noticed that you did not include Synack in your list of providers. Any particular reason? We have been using Synack for a while now and have found their team to be professional, their service well-designed, and their security researchers to be top notch. We looked at the options you mentioned and ended up going with Synack.
jayd3e, User Rank: Apprentice
5/18/2019 | 6:59:31 AM
Re: Bug bounty program and maturity
Interesting post. I noticed that you did not include Synack in your list of providers. Any specific reason? We have seen a lot of benefit from using Synack and have found their team to be professional, their service well-designed, and their security researchers to be some of the best in the world.
Arkada, User Rank: Author
4/5/2019 | 4:36:28 AM
Re: Interesting, but maybe missing some key points...
Thanks for your comment. All valid points. Crowdsourced security isn't mutually exclusive to traditional pentesting, but due to the cost it depends entirely on budget. Like you point out, many 'crowdsourced' pentesters have a day job - I myself am a CISO during the day and a crowdsourced hacker by night - but the advantages you point out are valid: a crowdsourced tester will literally have all the time in the world to find a vulnerability, but more importantly you'll get a nice proof of concept on how the vulnerability can be exploited in a real-world scenario, which is where crowdsourced pentesting shines. Personally, I'm tired of reading 'traditional' pentesting reports filled with 'your system is out of date, it's vulnerable' - when I enquire as to 'why?' it either gets taken off the report or I get a stock answer: 'we prefer to play it safe!'
Arkada, User Rank: Author
4/5/2019 | 4:32:57 AM
Re: Bug bounty program and maturity
Thanks for your comment. My take is yes, you do need a more 'mature' security level, by virtue of the fact that you'll otherwise end up paying lots of bounties out to researchers for vulnerabilities that you could have discovered yourself. You need to be at least running regular web application scans and to have had a few pentests, so that you've picked all the 'low hanging fruit' from your application; then probably engage a crowdsourced test so that you can pick up the more esoteric ones that aren't going to be found in a pentest. That said, if you had a nice fat budget you could use both traditional and crowdsourced in conjunction with each other - they aren't mutually exclusive.
Arkada, User Rank: Author
4/5/2019 | 4:30:52 AM
Re: Missed synack from that list
Thanks for your comment. You're right, there are quite a few more platforms; I am myself a member of the Synack Red Team also, so it is a valid point. Cobalt, Federacy, Yogosha, and even Hacken are all platforms to an extent. I just didn't want this article to become more vendor focused, so I picked the 'big two'.
KevinStanley, User Rank: Apprentice
3/25/2019 | 12:53:20 PM
Re: Bug bounty program and maturity
Agreed. Some key points are missing in my opinion.
nologic, User Rank: Apprentice
3/19/2019 | 8:11:16 PM
Missed synack from that list
Enjoyed the article! I think it's worth mentioning Synack on that list as well. I've worked on their platform. They do a good job at motivating researchers by paying out nice bounties, picking up interesting targets, respecting researchers and, of course, throwing great parties. In general though, these models are great for researchers who want to have more freedom in their day-to-day activities. A regular pentesting firm will have its own approaches, which may create friction for an individual contributor. Especially in today's cyber security talent shortage, I feel like it's a good time to be a hacker on Synack's platform or the others that you've mentioned.
CISO Dave, User Rank: Apprentice
3/19/2019 | 6:44:13 PM
Interesting, but maybe missing some key points...
Interesting read Alex, thanks. I think on the whole you make some really valid points, but I think that maybe there are a couple of points worthy of highlighting. For me, crowd sourced testing isn't a direct replacement for traditional pen testing. I think it offers an alternative, more dynamic way of performing more "real life" scenarios in the testing regime. You touch on the fact that traditional pen testing can be routine and not always provide the insight - that is what I like about the crowdsourced testing approach: I get to see a vulnerability and how it can be exploited in the real world. I too have had vulnerabilities highlighted by crowd sourced testers that have gone unnoticed for many years through our traditional pen test approach. I'm not sure how we would ever have seen it had it not been for the "independent" tester who was looking for his reward. Whilst I recognise that running crowd sourced programs internally can be challenging for the lack of reward, what I have seen (with people like Synack) is that their testers often have a day job and use their personal motivation and drive to test themselves (and ultimately generate rewards) outside of their 9-5 work. I think the crowd source model is evolving too - again, using Synack as an example, they are looking at moving into the compliance space (through their Missions program) as well as creating indicators on your capability and speed to respond to and remediate the vulnerabilities they identify. These to me offer some additional value add that I wouldn't necessarily get from traditional pen test firms. But, as I say, the use of traditional pen testing still plays an important role in testing our estate and driving us to improve the security posture of the organisation, but I do believe there is a real market for good quality, robust crowd sourced testing to work alongside this.
pborghesi, User Rank: Apprentice
3/19/2019 | 6:39:42 PM
Bug bounty program and maturity
Interesting post. However, I had a discussion with my colleagues, and they state that before undertaking a bug bounty program you need to have a very mature security level or it can be too "risky". What is your take on that?