Why more organizations are choosing crowdsourced security testing [Q&A]
During the pandemic, video conferencing app Zoom found itself at the center of several security and privacy issues. In response it has boosted its security program, including aggregating reports from Bugcrowd.
But what's driving organizations like Zoom to choose crowdsourced security approaches? We spoke to Ashish Gupta, CEO of Bugcrowd, to find out.
BN: What is crowdsourced cybersecurity? What offerings do crowdsourced cybersecurity platforms provide and how are researchers that operate on crowdsourced cybersecurity platforms successful?
AG: Crowdsourced cybersecurity is a security approach that uses ethical hackers -- or simply, researchers -- to uncover vulnerabilities in business applications, devices, and networks. Crowdsourced cybersecurity can also help fill cybersecurity talent gaps, which many companies still struggle with due to the lack of available security talent. This approach eliminates the imbalance between the creativity and motivations of attackers and those of enterprise security teams. For example, Bugcrowd matches customers with a deep roster of experienced and fully vetted researchers from around the globe that specialize in all industries, technology stacks, and targets. These researchers may probe targets including mobile applications, internet-connected cars, corporate networks, and more. By enlisting a crowd of ethical hackers, organizations can augment their existing team and security tools and uncover unknown vulnerabilities or blind spots. This approach offers customers measurable confidence that choosing to invest in a vulnerability disclosure program (VDP), bug bounty or pen testing program will yield a positive return on investment and be successful.
Researchers on crowdsourced cybersecurity platforms are successful in proactively identifying vulnerabilities since they will think and operate like an attacker when looking at digital applications (websites, IoT devices, mobile apps, etc.), before and after they are brought to market. Aside from being assured that their target is being proactively secured by outside researchers, companies will also be enabled to improve their workflow by learning from their mistakes (by reviewing and prioritizing the vulnerabilities that are reported). Crowdsourced cybersecurity is a great way to bridge the gap between immediate needs for skilled resources and availability for an increasing number of use cases like bug bounties, pen tests, attack surface management and 'neighborhood watch' initiatives like responsible VDPs.
BN: How can organizations benefit from a crowdsourced approach to cybersecurity?
AG: Most developers and engineers are in a rush to get their products to market as quickly as possible in order to obtain a competitive advantage. Yet, most fail to realize that speed is the natural enemy of security. As such, engineers and developers must have a system of checks and balances to ensure that any vulnerabilities are proactively identified and secured before they can be exploited by attackers.
Companies want efficient, high quality security programs that do not reduce their ability to get products to market. Bringing insecure products to market can help a company achieve a greater market share in the short run, but it will only be a matter of time before a nefarious actor exploits a number of possible vulnerabilities to steal data or plant ransomware (as two examples).
The software development lifecycle (SDLC) needs to be merged together with the security lifecycle. This is where a crowdsourced approach to cybersecurity can help. Not only will it allow engineers and developers to continue to innovate at their own pace, but a crowdsourced approach will also allow outside researchers to seek out any flaws in a product's code. In fact, Bugcrowd's researchers prevented $8.9 billion worth of cybercrime over a 12 month span for organizations, further validating the benefits of a crowdsourced cybersecurity approach.
BN: Does a crowdsourced cybersecurity approach replace other security tools or in-house security teams?
AG: No, crowdsourced cybersecurity platforms complement both investments in security tools and in-house security teams. Organizations of all sizes, budgets, and phases of security program maturity can benefit from having outside researchers proactively identify vulnerabilities -- even companies with in-house security teams.
Visibility is critical to an enterprise security strategy. By sourcing additional expert eyes to identify vulnerabilities and flaws throughout their attack surface, organizations will naturally recognize more security as a result.
BN: What services do crowdsourced cybersecurity platforms offer? What are some examples of vulnerabilities a researcher might disclose to a customer organization?
AG: Crowdsourced cybersecurity platforms offer vulnerability disclosure programs, bug bounty programs, pen testing and attack surface management services to ensure visibility and security of customers' digital assets.
Some examples of vulnerabilities a researcher might disclose to an organization on a crowdsourced cybersecurity platform include broken access control, sensitive data exposure, server security misconfiguration, broken authentication and session management, or cross-site scripting. Each of these types of vulnerabilities consists of numerous sub-types which range in severity from benign to critical. These vulnerabilities and numerous others are found across a variety of digital and physical assets including APIs, internal and external networks, web apps, and more. Web targets alone accounted for 90 percent of submitted vulnerabilities in 2019, according to Bugcrowd's Priority One report, primarily due to the size and ever-changing nature of end-user-facing assets. Bugcrowd has also observed an increase in disclosed IoT vulnerabilities, as these devices become more widely available to consumers and security researchers alike. In fact, Bugcrowd observed a 400 percent increase in submissions against IoT devices from 2018 to 2019 alone, with 61 percent of valid submissions in this category rated as critical or high severity.
BN: What are some of the factors that drive ethical hackers to do the work they do? How well do researchers on crowdsourced security platforms get paid?
AG: Some may believe that ethical hackers are only in the game for the money, but this is far from the truth. In fact, a deep sense of morality and desire to make the digitally connected world through collaboration and learning new techniques drive most researchers. Even when researchers are incentivized with greater payouts and recognition, 62 percent of researchers still say that personal development is their primary motivation for hacking (according to findings from Bugcrowd's 2020 Inside the Mind of a Hacker report).
This doesn't mean that hackers are against getting paid. Crowdsourced cybersecurity delivers true risk reduction to customers since rewards are tied to successful outcomes, such as being the first to find a vulnerability. More critical vulnerabilities will also deliver a greater reward to researchers, resulting in better value overall. This leads to 79 percent of hackers being compensated well or better than they expected. In fact, we paid out more than $500K in one week to our researchers.