Published on September 4th, 2019 📆 | 4784 Views ⚑

Bug Bounty and Penetration Testing – Gigaom


iSpeech.org

  1. Summary
  2. Market Framework
  3. Maturity of Categories
  4. Considerations for Implementing Advanced Security Programs
  5. Vendor Review
  6. Near-Term Outlook
  7. Key Takeaways
  8. About Simon Gibson

Analysis

Bug bounties and penetration testing (pen-testing) are powerful techniques for uncovering flaws in controls and applications, as well as hardware defects. They enable enterprises to secure code prior to application launch, which also helps meet compliance requirements. At face value, hiring an ethical hacker to bypass an application’s security in order to find and fix weaknesses prior to release sounds straightforward; in practice, however, enterprises often encounter complexities, nuances, and unintended consequences.

Bug bounties and penetration tests reveal serious vulnerabilities before they are exploited – minimizing the potential for embarrassment, loss of trust, and the associated costs. The failure to identify and disclose data breaches to customers places organizations in legal jeopardy. The reality is that, whether known or unknown, it is only a matter of time until a vulnerability is discovered and seized upon. The question to ask then becomes, “Do you want to know about vulnerabilities before or after your customers find out?”

All companies today must build internal muscle memory to be able to cope with security flaws and become more secure. This does not simply apply to engineers. A company must be able to fund resources that include legal, communications, executive steering, customer service, and development. They must all be in lockstep if they are to develop the internal skills to become a more secure company.

Fortunately, guided by experienced hackers and hard-fought lessons learned, these disciplines have evolved. This is partly a response to the underground bug market, which revolves around hackers who find and sell exploits, at times for hundreds of thousands of dollars, depending on the severity of the bugs, the reliability with which they trigger, and the platforms they can affect. Some vendors understood early on that basing payment on the quality of vulnerabilities encouraged hackers to work harder to find them.

It cannot be overstated that enterprises wishing to buy these services need a solid foundational understanding of the market and of the subtle but critical differences between bug bounties and pen-testing, as well as of the different tools and platforms available. Launching bug bounties and penetration tests means opening your systems and networks up to “hackers,” albeit ethical ones: you are trusting engineers to break controls to get to the crown jewels, and then trusting that they stop when they get there. To quote the Rolling Stones, “Just as every cop is a criminal and all the sinners saints.”

Key Findings:

  • The space for bounties and penetration tests is quite mature and most of the top vendors offer platforms to assist with making the complicated workflow easier.
  • Executive support for these programs is critical to success.
  • Responsible disclosure and bounty programs are key to addressing vulnerabilities before they become an internal emergency that could cause brand damage, loss of trust, and/or regulatory fines and negligence charges.
  • Regardless of whether or not you choose to launch a bounty program, vulnerabilities in your software or services may be discovered and announced, despite your organization’s intentions.
  • The security of all of your software and services will vary; however, nothing is ever 100% secure. By implementing a bounty program or conducting regular penetration tests, your organization will build internal muscle memory focused on improving security. Over time this will pay big security dividends.
