A few years ago I was associated with an e-commerce company as a security consultant for an implementation program. At that time I came to understand how important security is for them. All of our big bosses, Confidentiality, Integrity and Availability, are equally important for their business. If a data breach happens at any point, for example if attackers get access to the saved credit card data, it will have a huge impact on the customers and thereby on the company's reputation. If the website is down for even a few minutes, that will also result in a huge loss.
The main challenge most companies face now is the lack of skilled cyber security resources. The company I was discussing above was not a good paymaster, hence they didn't have skilled resources either. Many of you would argue with me on this: what does salary have to do with skilled resources? Imagine having the most luxurious car and a driver who doesn't drive properly; won't you be in trouble? Likewise, you may have good infrastructure with all the advanced threat mitigation solutions, but if you don't have the right skilled resource to drive those, then it is of no use, and one day you will be in trouble.
The company hired two consultants for penetration testing and, in parallel, also engaged a vendor to perform additional penetration tests. They used the traditional scanning and testing tools and provided vulnerability reports with high, medium and low findings, and both reports looked similar. The company paid heavily to the consultants as well as the vendor. A few months later, I heard that the company suffered a major attack resulting in many hours of downtime. This was a good wake-up call for me at that time. I had seen the consultants and the vendor doing the assessments to find the vulnerabilities, and all those vulnerabilities had been taken up on priority and closed. This means the vulnerability determination was improper.
Rather than one or two people looking into a website or application, is there any option to have many researchers or penetration testers look at my application and find the loopholes? If the application had been tested properly, then they could have avoided this business interruption. This is where we should think about crowdsourcing. Many of you are aware that websites like Google, Facebook and PayPal reward researchers when they find a vulnerability in their websites. In a crowdsourced model, ethical hackers from around the world test your application and report any vulnerability in return for recognition or a cash reward per vulnerability.
So the big question here is how I can trust those hackers. I am openly allowing unknown hackers to test my organisation's systems, and that could also lead to a real compromise. If they find a vulnerability and do not report it back to me, it would be a problem for me, because later this hacker could exploit it. However, if we go for traditional penetration tests, you trust a vendor and, as I mentioned above, they use the traditional scanners and other tools to generate a report that you pay for. How sure are you that they won't use this penetration test for any malicious activity?
If we decide to go for a crowdsourced model, I have the questions below.
- How can I find these qualified researchers?
- How can I ensure they are real ethical hackers?
- Who will take the liability in case of any damage caused by the tests performed by those researchers?
- How will I verify the findings are valid and are in scope?
This is where we should think about a crowdsourcing provider. A crowdsourcing provider will help you find good researchers from all around the world who can test your application and find vulnerabilities. They will also validate the identity of the ethical hackers and screen their background. We can enter into a contractual agreement with our crowdsourcing provider so that damages or liabilities are covered. This helps in getting the necessary legal recourse when things go wrong.
Bugcrowd is one of the leading crowdsourcing platforms. They run a program called a "bug bounty" that offers rewards to ethical hackers who can show evidence of a security flaw in a company's software and help to fix it. Bugcrowd hosts and organizes the bug bounty on our behalf, and only if the hackers find a vulnerability that is meaningful do we need to pay. They require participants to conduct all testing through a centralized system that includes activity monitoring. It also checks all incoming submissions to make sure they are in the scope of our testing and are not duplicates, and alerts us when an identified bug needs our attention. Most importantly, it checks the participant's capabilities by evaluating proven successes and authenticated evidence, and how relevant the participant is to our application.
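As an added illustration of the triage steps just described (scope checking, duplicate detection, and alerting when a finding needs attention), here is a small Python triage routine. It is example code written for this post, not Bugcrowd's platform or API; the scope rules, hostnames, vulnerability classes and sample submissions are all constructed.

```python
"""Hypothetical bug bounty submission triage: scope check, dedup, alerts.
Example code for illustration; not Bugcrowd's system. All data is constructed."""
from dataclasses import dataclass, field
from urllib.parse import urlparse

# Constructed scope definition for a hypothetical program.
# "*." patterns cover subdomains at any depth but not the apex host itself.
SCOPE = {
    "in_scope": ["shop.example.com", "*.api.example.com"],
    "out_of_scope": ["status.api.example.com"],
}


@dataclass
class Submission:
    id: str
    researcher: str
    url: str
    vuln_class: str  # e.g. "sqli", "xss", "idor" (constructed labels)
    severity: str    # "critical" | "high" | "medium" | "low"


@dataclass
class TriageResult:
    accepted: list = field(default_factory=list)
    out_of_scope: list = field(default_factory=list)
    duplicates: list = field(default_factory=list)  # (new_id, original_id)
    alerts: list = field(default_factory=list)      # ids needing immediate attention


def host_matches(host: str, pattern: str) -> bool:
    """Match an exact host, or a '*.' wildcard covering any subdomain depth."""
    host, pattern = host.lower(), pattern.lower()
    if pattern.startswith("*."):
        suffix = pattern[1:]  # ".api.example.com"
        return host.endswith(suffix)  # apex "api.example.com" does not end with ".api..."
    return host == pattern


def in_scope(url: str, scope: dict) -> bool:
    """Exclusions win over inclusions; an unparsable host is never in scope."""
    host = urlparse(url).hostname
    if not host:
        return False
    if any(host_matches(host, p) for p in scope["out_of_scope"]):
        return False
    return any(host_matches(host, p) for p in scope["in_scope"])


def fingerprint(sub: Submission) -> tuple:
    """Normalise a report to (host, path, class) so two researchers reporting the
    same issue collide, while query strings and trailing slashes are ignored."""
    parsed = urlparse(sub.url)
    path = (parsed.path or "/").rstrip("/") or "/"
    return (parsed.hostname.lower(), path.lower(), sub.vuln_class.lower())


ALERT_SEVERITIES = {"critical", "high"}


def triage(submissions, scope=SCOPE) -> TriageResult:
    """Process submissions in arrival order; the first valid report of an issue wins."""
    result = TriageResult()
    seen: dict = {}  # fingerprint -> id of the first accepted report
    for sub in submissions:
        if not in_scope(sub.url, scope):
            result.out_of_scope.append(sub.id)
            continue
        fp = fingerprint(sub)
        if fp in seen:
            result.duplicates.append((sub.id, seen[fp]))
            continue
        seen[fp] = sub.id
        result.accepted.append(sub.id)
        if sub.severity.lower() in ALERT_SEVERITIES:
            result.alerts.append(sub.id)
    return result


# Constructed sample submissions for the hypothetical program above.
SAMPLE = [
    Submission("S1", "alice", "https://shop.example.com/cart?item=1", "sqli", "high"),
    Submission("S2", "bob", "https://shop.example.com/cart/", "SQLi", "critical"),  # same issue as S1
    Submission("S3", "carol", "https://status.api.example.com/health", "xss", "medium"),  # excluded host
    Submission("S4", "dave", "https://v2.api.example.com/users/42", "idor", "medium"),
    Submission("S5", "erin", "https://api.example.com/login", "xss", "low"),  # apex not covered by wildcard
]

if __name__ == "__main__":
    print(triage(SAMPLE))
```

The ordering matters: scope is checked before deduplication so an out-of-scope report can never "claim" a fingerprint, and exclusions are evaluated before inclusions so a specific carve-out always beats a broad wildcard.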
Rather than doing penetration tests the traditional way for the sake of money, business or compliance needs, here we are going to find our bugs or vulnerabilities proactively. Crowdsourcing providers treat it like a contest, so researchers take it as a challenge to find something so they can be rewarded. Here we benefit more, because rather than a hacker coming and compromising our application, we are getting help from the industry's best researchers to find the vulnerabilities before they get exploited. Also, with this model you are paying only for results, not for time or reports.
I would love to call crowdsourced cyber security next-gen penetration testing. This might be a new concept for many of you, but it is certainly worth exploring given the growing shortage of skilled resources in the field of cyber security.