“If you can’t beat ‘em, join ‘em,” or so goes the logic of hiring hackers to test system security. Today, the bug bounty space is seeing massive growth as organizations – especially a growing number of retail, financial services and other traditional companies – are turning to crowdsourced testing by hackers to mitigate the expanding threat of attack and to lower the resources needed to protect themselves.
Ashish Gupta, the new CEO of rapidly growing crowdsourced cybersecurity firm, Bugcrowd, spoke with SandHill.com about the increasing acceptance and numerous benefits of relying on bounty-driven “hackers for hire” to secure the systems of major companies around the world.
SandHill.com: How and why has crowdsourced testing become a legitimate practice in the software industry?
Ashish Gupta: Globalization combined with the increasingly digital nature of business has created two opposing forces: the speed of the cloud to bring offerings to market quicker and a substantial dearth of skilled cybersecurity trained resources. These issues are compounded by the fact that most security scanning tools fall well short of the needs of customers. Given the expanding attack surface and the efficiency, skill, and motivation of attackers, these vulnerabilities can lead to massive – and sometimes business-ending – breaches if not identified and patched quickly.
This is where the crowdsourced security and vulnerability assessment model excels. Harnessing the deep, diverse skills of security researchers around the world allows businesses to scale vulnerability identification. And, by providing security researchers the ability to make a living regardless of where they live, businesses are benefiting the global economy. It is a win-win for all.
SandHill.com: What benefits do you see from crowdsourced testing compared to traditional testing methods?
Ashish: Traditional testing is limited to either what is already known (static analysis and scanners) or to efforts limited by time or resources (pentest engagements). There is little doubt that “more is better” when it comes to security. By allowing security researchers with a large and diverse set of skills to test their applications, businesses can take advantage of the collective intelligence of thousands of security researchers for results unattainable by a handful of penetration testing consultants or the structured patterns of automated testing. Crowdsourcing holds the key!
For example, I was recently speaking to a major, worldwide financial services customer and was amazed to learn that in May of this year, Bugcrowd helped them identify the very same vulnerability that reportedly led to the Equifax breach. One of our researchers found this vulnerability and submitted it through our platform, which prioritized it at a level that warranted immediate action by the customer’s engineering team. The happy outcome to this story is that the customer addressed the vulnerability well ahead of any damaging attacks. What if this had gone the other way? Just imagine the potential reputational and financial impact this vulnerability could have caused had our researcher not found this vulnerability.
SandHill.com: What is the biggest challenge that Bugcrowd has overcome to date?
Ashish: Apprehension about letting outside researchers or “hackers” loose on their software is common among organizations. And while we are in many ways still wrangling with “fear of the Crowd,” the rapid growth we’ve seen in the enterprise and in more traditional industries such as finance and automotive has clearly demonstrated that the tide is changing. The reasons for this are threefold.
First: Results. Once organizations see the value of a crowdsourced approach there is no looking back. Tapping into the collective skills of tens of thousands of security researchers from around the globe is incredibly effective according to a recent case study.
Second: Skill. One of our mottos at Bugcrowd is “It takes a crowd.” That’s because not only do many of the most critical vulnerabilities out there require human ingenuity to discover, but also because given the rapid development of connected devices, the number of these vulnerabilities is always growing. Our crowd not only provides a breadth and depth of skills, it also continuously evolves these skills.
Third: Our platform. The connective tissue between our customers’ needs and our researchers is our platform. It intelligently connects the right researchers needed for the customer’s use case; it provides a trustworthy pathway for our researchers to test customer applications and submit vulnerabilities in a responsible manner; and, it creates an incentive model for both customers and researchers to work together seamlessly.
In time, as we continue to see adoption of this model, these hackers will be thought of as locksmiths: skilled people who use their talents for the good of society. For those that still have apprehensions, they can still benefit from a crowdsourced approach through a private program (select set of trusted researchers who have secure access to applications) and working with a skills-vetted, ID-verified or background-checked crowd.
SandHill.com: What do you see as Bugcrowd’s biggest opportunity going forward?
Ashish: Internal security resources are unable to meet the pace of innovation in most organizations today and the diversity of malicious actors that cross-communicate and share capabilities at mind-numbing speeds – increasing attack surfaces and attacker capabilities. There are simply not enough defenders to go around. By connecting these under-resourced organizations with a trusted and responsible global research community, Bugcrowd is ultimately helping make the Internet safer.
Security research or “white-hat hacking” is a discipline that is required to keep the Internet safe. The identification and ultimate remediation of these require the most up-to-date information and skills. Security researchers are constantly honing their skills, which means bug hunting. Bug bounties not only provide a means to this skill building, they provide a financial reward that enables full-time hunters to make a career of it.
As the attack surface expands and new vulnerabilities are created, our rapidly growing and diverse crowd of researchers provides some of the best and most up-to-date skills to bear. On the flip side, the bug bounty programs we build with our customers give the crowd ample opportunity to further hone these skills.
Our model is built around the successful management of these programs. This means that our expert teams help scope programs for success, working with customers and researchers to ensure programs are attractive to researchers, that these researchers are successful in their submissions, and ultimately that our customers see only real, actionable vulnerabilities – and everyone wins.
Clare Christopher is editor of SandHill.com.