Misconception: With a bug bounty, you cannot receive the coverage or same caliber of testing methodologies as penetration tests.
Earlier this month we discussed a common misconception around bug bounties as they relate to penetration testing: talent and trust. Today we’re tackling yet another misconception–that bug bounties can’t provide adequate coverage.
Bug bounty critics often cite methodology as a key differentiator for penetration tests, noting that the reason penetration tests are successful is because pen testers are trained to follow a methodology and tick every box on that methodology. However, a successful penetration test should go further than methodology alone. It’s important to consider the benefits brought by the depth and breadth of the crowd.
Depth & Breadth
The fact that penetration testers are trained to look for specific vulnerabilities is not necessarily a benefit. In fact, it can be a disadvantage.
There’s no arguing that opening your testing up to the crowd brings the benefit of more breath, but it also brings the benefit of more depth. Yes, the testers participating in bug bounty programs greatly outnumber those of a traditioal penetration tests, but we’re not simply talking about a numbers game.
Penetration testing firms charge by the hour, incentivizing effort, not results or volume. Bug bounties utilize a pay-for-results model that encourages deeper and more focused testing. Higher severity bugs carry a bigger incentive. For this reason, and as many of our customers have reported, a bug bounty program often yields results that penetration tests missed. This leads to the next point: the importance of continuous testing.
A penetration test only offers a point-in-time assessment of code. To be effective security assessment should be continuous. This is especially important as development processes become more agile.
In our last post we mentioned how much of the Bugcrowd community is made up of penetration testers, in additional to a wealth of other security professionals. Engaging the crowd through a bug bounty program does not limit access to the skills of penetration testers — it expands it, exposing your code to the skills of penetration testers at scale.
Over the next several weeks we’ll be addressing many of those nuances. Stay tuned and subscribe to our blog for updates.