Advances in firewalls and cloud security providers have greatly reduced risk to network infrastructure. But these advances have only served to deter low-level threats, while failing to combat complex risk from highly skilled malicious attackers. Modern penetration testing can help, using a combination of automation and human intuition to out-hack attackers. But is crowdsourced security a viable option for anything other than web app testing? How do you know you can trust “the Crowd?” Will your auditor even accept the final report? In this blog I’ll answer these three important questions in an attempt to illustrate why Bugcrowd believes crowdsourcing your next infrastructure pen test is the only way to go.
“I love the crowdsourced model, but I need an actual pen test.”
Yep, we’ve heard it before. And honestly, we get it. The term “bug bounty” has been used interchangeably with the term “crowdsourced security” for years, leading many to believe that competitive, pay-for-results engagements were the only way to leverage the Crowd. With the latest Bugcrowd platform advances, this is no longer true. Bugcrowd now offers crowdsourced pen testing, to provide dedicated, skills-matched resources for structured, methodology-driven testing. So before we begin, we should ensure everyone’s on the same page when it comes to bug bounties, pen tests, and the difference between the two:
In other words, if you’re looking for an “actual pen test,” crowdsourcing it is still a very viable option (even for auditors, which I’ll cover in more detail below).
Misconception #1: “I can’t trust a fully remote team”
Remember when we were all in offices? Years ago, back in February of 2020. Prior to this forced shift to remote work, a lot of organizations believed the model wasn’t sustainable. Not just because of perceived collaboration challenges, but because of a lack of trust. “How do I know Dave is working if I can’t see him?” Organizations braced for a massive decline in productivity… that never really occurred. It turns out the fleet of digital tools we use to connect and sync on a daily basis works just fine without physical whiteboards and shared kitchenettes. So it’s not surprising that many tech companies led the charge in announcing plans to remain remote, indefinitely.
While many organizations have been forced back into a remote-first reality, Bugcrowd was built this way. Not because we could have predicted a calamitous global pandemic, but purely because the value of a global network of security testing talent is inextricable from the fact that these individuals are, in fact, located all around the globe. As such, we’ve invested heavily in technology designed to “close the gap” in usability, communication, and most importantly, trust. How do we do it? This blog shares a more detailed account of our vetting process, but in short:
- Every researcher signs our Terms of Engagement before participating in any program on our platform
- We monitor researcher activities on and off-platform to better understand how they engage with customers and each other.
- We review all submissions to ensure they are in-scope, complete, valid, and non-duplicate
- Our payment model is structured in such a way as to encourage behavior that aligns with program goals and expectations, and deters things like out-of-scope testing, or withholding information
- We have the capacity to ban uncooperative researchers from individual programs, or from the platform itself
- We’re constantly growing our pool of researchers that carry active background checks and will submit to ID verification. We can also apply geo-restrictions if required.
- We don’t allow participation from any countries on the OFAC global banned list
- We have an entire team dedicated to Researcher Success that works tirelessly to engage, encourage, and support researchers in the community, as well as defuse any potential conflicts or misunderstandings
Misconception #2: “The Crowd will only find things like cross-site scripting”
Some of the more well-known Bug Bounty programs grew out of a focus on web applications, which were easily accessible by anyone with an internet connection. While web apps remain one of the most popular testing targets for “public” bug bounties and VDPs, network pen tests occupy a large proportion of our “private” programs, spanning a variety of industries including retail, technology, automotive, and even government. A significant portion of the Crowd prefers to hack on these types of programs, and is deeply skilled in the unique testing methodology required for network assets. This includes but is not limited to:
- Leveraging open source and contextual data sources to perform initial attack analysis, including acquisition tracking and asset discovery
- Enumerating company acquisitions, or other major business transformation
- Scanning in-scope targets on all TCP and UDP ports and checking for unencrypted services or misconfigurations
- Checking for weak or unencrypted services, software misconfigurations, or exposed sensitive information
- Testing for authorization bypasses, or unnecessary privilege
- Testing for server-side vulnerabilities like SQL injections, RCEs, XXEs, SSRF, LFI, and more
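The port-scanning and unencrypted-service checks above are the part of a network assessment a defender can rehearse against their own inventory before the testers arrive. The following is an added example, not Bugcrowd’s code or methodology: it parses nmap’s grepable (`-oG`) output format and flags open services that carry credentials or data in the clear, so they can be prioritised for remediation. The scan lines, hostnames and IP addresses are constructed, and the port/service classification tables are assumptions a reviewer would tailor to their own environment.

```python
"""Flag cleartext and legacy services in an nmap grepable (-oG) port inventory.

Added example (not part of the original post): given a port inventory, list the
exposed services that send credentials or data in the clear. The sample lines
and hosts are constructed; the classification tables are assumptions.
"""
import re
from dataclasses import dataclass

# Services that offer no transport encryption at all (assumed baseline list).
CLEARTEXT = {
    "telnet": "interactive logins in the clear",
    "ftp": "credentials and files in the clear",
    "tftp": "unauthenticated file transfer",
    "http": "no transport encryption",
    "pop3": "mailbox credentials in the clear",
    "imap": "mailbox credentials in the clear",
    "snmp": "v1/v2c community strings in the clear",
    "ldap": "bind credentials in the clear unless StartTLS is enforced",
    "rsh": "legacy remote shell",
    "rlogin": "legacy remote login",
}
# Services that may or may not negotiate TLS; they need a manual check.
VERIFY_TLS = {"smtp", "mysql", "postgresql", "ms-sql-s", "redis", "mongodb"}


@dataclass(frozen=True)
class Finding:
    host: str
    port: int
    proto: str
    service: str
    severity: str  # "high" for cleartext, "review" for verify-TLS
    note: str


def parse_grepable_line(line: str):
    """Yield (host, port, proto, service) for each open port in one -oG line.

    Grepable port entries are '/'-separated:
    port/state/protocol/owner/service/rpcinfo/version/
    """
    host_match = re.match(r"Host:\s+(\S+)", line)
    if not host_match:
        return
    host = host_match.group(1)
    for section in line.split("\t"):  # -oG separates sections with tabs
        if not section.startswith("Ports:"):
            continue
        for entry in section[len("Ports:"):].split(","):
            fields = entry.strip().split("/")
            if len(fields) < 5:
                continue
            port, state, proto, _owner, service = fields[:5]
            # "open|filtered" (typical for UDP) is kept: it still warrants review.
            if not state.startswith("open"):
                continue
            yield host, int(port), proto, service.lower()


def flag_services(lines):
    """Classify every open port in the inventory and return Finding objects."""
    findings = []
    for line in lines:
        for host, port, proto, service in parse_grepable_line(line):
            if service in CLEARTEXT:
                findings.append(Finding(host, port, proto, service, "high",
                                        CLEARTEXT[service]))
            elif service in VERIFY_TLS:
                findings.append(Finding(host, port, proto, service, "review",
                                        "confirm TLS/STARTTLS is required"))
    return findings


# Constructed sample inventory (not real hosts); tabs separate the -oG sections.
SAMPLE_SCAN = [
    "Host: 10.0.0.5 (db01.example.internal)\tPorts: 22/open/tcp//ssh//OpenSSH 8.2p1/, "
    "23/open/tcp//telnet///, 3306/open/tcp//mysql//MySQL 5.7/\tIgnored State: closed (997)",
    "Host: 10.0.0.7 ()\tPorts: 443/open/tcp//https//nginx/, 161/open|filtered/udp//snmp///"
    "\tIgnored State: closed (998)",
    "Host: 10.0.0.9 ()\tPorts: 80/closed/tcp//http///, 21/open/tcp//ftp//vsftpd 3.0.3/"
    "\tIgnored State: filtered (998)",
]

if __name__ == "__main__":
    for f in flag_services(SAMPLE_SCAN):
        print(f"[{f.severity}] {f.host}:{f.port}/{f.proto} {f.service}: {f.note}")
```

Run against the constructed sample, the script reports telnet, SNMP and FTP as high-severity cleartext exposures and MySQL as a service whose TLS enforcement needs confirming; the closed HTTP port on the third host is skipped. Feeding it a real `nmap -sU -sT -p- -oG` inventory of your own in-scope ranges gives the same triage list the pen testers will start from.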
Misconception #3: “My auditor won’t accept a crowdsourced pen test report”
Many crowdsourced security programs lack the rigor needed to assure auditors, partners, and customers that the assessment was truly comprehensive and provided thorough coverage of the entire asset or environment. That’s why Bugcrowd launched Classic and Next Gen Pen Test, to provide dedicated resources responsible for a thorough, methodology-driven assessment.
But we understand that still might not be enough for stakeholders deeply entrenched in the standards of traditional pen test firms. That’s why we partnered with Schellman and Company, a certified QSAC, to perform a full review of our Pen Test methodology (from tester selection, engagement, and management through discovery, validation, and integration of results), as well as the final pen test report, to ensure alignment with compliance standards like PCI-DSS, SOC2, NIST, and ISO27001.
Bugcrowd Network Pen Test
Bugcrowd Network Pen Test provides dedicated, skills-matched pen testers for advanced network security testing. Our unique crowdsourced model enables us to choose from thousands of immediately available, thoroughly vetted, and deeply experienced network pen testers. CrowdMatch™ technology continually assesses the performance of these individuals to curate the optimal testing team for every engagement. To ensure success from the start, every program is assigned a team of Account and Researcher Managers as well as in-house Security Engineers for seamless program execution, vulnerability validation, and high-impact, actionable results. Learn more about our Network Pen Tests on our website, or get a custom quote today!