Why do we perform security testing? Lots of reasons, like ensuring we take steps to protect data, avoid downtime, promote transparency, and the list goes on. But why pen test, in particular? If we assume, for the purposes of this blog, that pen testing is a human-powered, methodology-driven attack simulation, often focused on delivering a statement of compliance, then the list becomes a little shorter, or at least skewed toward that final report.
The Business Case for Traditional Pen Testing
When compliance is the primary (not necessarily only) goal, the traditional model for resourcing and deploying a pen test has just made business sense. 1-2 people, 1-2 weeks, and a set methodology. A simple model that’s universally understood makes it easier to communicate security posture to partners and customers, and easier to plan for and resource internally. You may use the same trusted firm, or have an internal team well-versed in what to do and where to start. This familiarity removes barriers to activation, eliminates swirl in new procurement cycles, and removes ambiguity around how to accept and process results. It’s a known quantity. And it’s just… easier.
But has ‘easier’ made us forget everything else pen tests were meant to deliver? Can we not have our compliance and eat it too? The world has changed, and products ship to market faster than ever. Regulatory initiatives persist, but there is a continually evolving set of new ways to meet compliance without sacrificing speed, coverage, cost, or ease of use. In this blog we’ll take a look at all the things pen testing was meant to deliver, why traditional models like those used by large consulting firms have come up short, and how a crowdsourced approach to pen testing can help.
Expected Points of Value
Compliance and Transparency
Let’s start with the reason many pen tests begin. Some organizations need to show a final report to auditors, customers, partners, and investors that shows they have taken reasonable measures, by standards like SOC 2 and PCI-DSS, to keep data and systems secure. While other types of testing can be performed in parallel, this final methodology-driven report is often non-negotiable. The explosive growth of technology and the difficulty of accessing security talent have often meant a lack of available skilled resources, scheduling delays, and manual vulnerability management.
There’s more than one way to skin a compliance report (that was the last one, I swear). Crowdsourced pen testing providers draw from a large pool of vetted talent, and leverage baked-in testing workflows and SDLC integrations for faster resourcing and setup. In the case of Bugcrowd, results are streamed as they are received, and viewable in-platform for greater transparency. Retesting and remediation advice are also included, contributing to a lower cost-per-vulnerability than traditional pen test providers.
As noted above, “compliance” is often cited as a main driver for pen testing, but ensuring the security of mission-critical assets and the data they protect is why we have compliance initiatives to begin with. Despite this, 70% of organizations say they aren’t receiving valuable vulnerabilities from their traditional pen tests. With hundreds of vulnerability-detection solutions available and in use alongside pen tests, it seems many organizations feel “compliance” and “security” are mutually exclusive, rather than joined at the hip as they were intended.
This tradeoff doesn’t have to persist. Infusing pay-per-finding incentivization into testing engagements greatly multiplies the value and volume of findings per test. Bugcrowd’s Next Gen Pen Test programs surface more valid, valuable findings, versus scanners or traditional pen tests alone, while still delivering the compliance deliverables that triggered the activity in the first place.
Cost and Coverage
For organizations that pen test, 89% do so 1-3 times per quarter. When they do, it’s not just for compliance purposes – but to stay ahead of code and infrastructure changes that can introduce new vulnerabilities.
If this is the goal, why just 1-3 times? Why not continuously? While some organizations are constrained by scheduled testing windows, others are constrained purely by the cost of testing any more than they currently do. At an average of 84 internal hours or $32,000 per 2-week engagement, traditional pay-for-time pen testing adds up. Volume discounting helps, but truly continuous coverage still isn’t really economical in this model.
So let’s try a different one. By leveraging an elastic pool of talent incentivized to find and submit vulnerabilities before their peers, Bugcrowd’s pay-for-results pen tests drastically reduce cost and management hours for continuous coverage. In fact, customers find that their cost-per-vulnerability is significantly lower with Bugcrowd, making crowdsourced pen testing much easier to define and defend in terms of true return on investment.
Speed to Value
Rapid development cycles are shipping new products and services at unprecedented rates. For organizations looking for a quick assessment at a predictable price, traditional pen tests seem like a good option. But time to launch is heavily dependent on access to qualified pentesters when needed. As pen testing firms “lose” money paying salaried employees between projects, overstaffing to allow quicker turnaround times just doesn’t make business sense. This leads to months of backlog and scheduling delays that don’t support agile development timelines.
Bugcrowd’s platform automation and CrowdMatch™ technology help match and manage the right resource for the right engagement, reducing pen test setup time to just under 72 hours on average. And with workflow automation and SDLC integrations, Bugcrowd can stream validated findings directly to Dev as they’re discovered, rather than at the end of the engagement. As a bonus: the shorter the time between the code commit and vulnerability discovery, the cheaper that vulnerability will be to fix.
While in-house testing teams have deep experience with how their products are built and configured, this can be just as problematic as it is useful. Third-party pen tests offer a way to inject a bit of external expertise, to catch issues otherwise missed, but traditional firms are constrained to their own resource availability, and the available hours of the engagement. This makes it tough for traditional pen test firms to deliver the skills that make sense for every engagement, across every customer, every time, and to compete effectively with the diversity of the crowd of bad actors trying to find those very same vulnerabilities.
Crowdsourced security platforms provide both a diverse pool of talent and the means and technology to quickly match the right resource for every engagement. Since pen testers are paid per project rather than permanently retained, Bugcrowd’s “bench” of vetted experts is virtually limitless, growing by thousands every year to promote even greater availability of skills. For organizations looking for even more value, our Next Gen Pen Test programs offer an additional incentivization layer proven to increase both the volume and criticality of surfaced vulnerabilities.
A Better Way Forward
Pen testing still makes sense for a lot of businesses. But retaining high volumes of highly skilled pentesters available on-demand doesn’t make sense for traditional pen testing firms. The model doesn’t fit the moment, and the end (if it is compliance), no longer justifies the means. For more information on how Bugcrowd’s pen testing solutions can help meet compliance initiatives, without compromising on coverage, cost, or results, visit our website, or contact us today!