This post was originally authored by Joel Witts for Expert Insights.
Expert Insights speaks to David Baker, Chief Security Officer and VP of Operations at Bugcrowd, about their crowdsourcing approach to application security, and his tips for security success.
Penetration testing and bug hunting are crucial stages in the application development process. Before an app is released it must be rigorously tested to ensure that it is safe and will not give attackers any backdoors through which to compromise data. However, even for the largest development teams, searching for bugs and checking for security vulnerabilities is a tough and time-consuming task.
It’s often difficult for developers to hunt for bugs and vulnerabilities with the same ingenuity as a group of white hat hackers. It also takes developers a long time to ensure they have found all the bugs within an application, and even then, they cannot be sure all have been found before wider release.
To help deal with these issues, Bugcrowd developed a crowdsourced cybersecurity platform. They offer developers the ability to publish their applications to a global community of researchers, or whitehat hackers, who help to identify bugs and vulnerabilities. At Info-Sec 2019, Expert Insights met with Bugcrowd’s Chief Security Officer (CSO) and VP of Operations David Baker, whose responsibilities include managing their Next Gen Pen Test and bug bounty programs, to talk about the Bugcrowd service.
Bugcrowd – Innovative Cyber Security
In February 2019, Bugcrowd was named as one of the most innovative vendors in the cybersecurity space by Fast Company. Baker explains that this innovation is driven by the crowdsourcing element of their security solution.
“Our innovation starts with the fact that we are a crowdsourced solution,” he tells me. “Our customers are enterprises, with IoT devices, web applications, and web platforms. We connect those customers with our researchers, the Crowd. These whitehat hackers are located all over the world.”
“They are engaged in identifying vulnerabilities for our customers. What we offer is a marketplace, which allows these groups to interact. On the one side, researchers are able to take their time to find vulnerabilities and get paid for doing that — the first to find is the one to get paid. On the other side, customers can also easily interact with researchers to better understand the impact of the found vulnerabilities. This marketplace, and our platform’s ability to connect these two groups, is the most innovative aspect of what we do.”
The Power of the Crowd
Bugcrowd’s platform has made it easy for organizations to connect with researchers to identify vulnerabilities and patch them before they are found by malicious attackers. Baker makes it clear that this is hugely beneficial to enterprise customers.
“There are absolutely a lot of benefits to this approach,” he tells me. “It saves organizations a lot of time. But, more importantly, crowdsourcing always identifies a far richer set of vulnerabilities, and often at higher severity, than companies would normally find internally.”
“This is because the Crowd is all over the world. We’ve got people who have grown up in different cultures, and so the creativity of the Crowd is far more diverse than the typical set of people in an office that have been hired from the same city. I feel that creativity is really what drives how we identify more vulnerabilities. That creativity is the power of the Crowd.”
The clear challenge to developers once a vulnerability has been found is the remediation process. Fixing vulnerabilities can be as difficult as identifying them, and companies considering a crowdsourced solution may wonder what the process is once a vulnerability is found. Is that something that is up to the companies to fix, or can the Crowd be leveraged to help organizations resolve issues?
“We actually have a couple of options for the scenario,” Baker tells me. “We have a means by which we recommend the best practices for dealing with the issues that have been reported through our remediation advice. We also have means where you can integrate our reporting into your GitHub or wherever, so that once the vulnerability is validated it can go right back to the developer for testing.”
“But more importantly, we find that our researchers are identifying somewhat systemic issues in certain areas. In working with them, they can help educate our customers on better and safer development practices — addressing more of the SDLC.”
“So, we have a lot of different options their developers can take advantage of.”
Measuring Security Effectiveness
Measuring the effectiveness of your approach to cyber security is difficult for organizations and security teams of all sizes.
As the CSO of a security vendor, Baker was asked how he measures his own security team’s effectiveness.
“There’s a lot of things you want to do, particularly within a security company. First of all, you want to know what you don’t know.”
“At a very beginning, tactical level, you want to know what your vulnerabilities are. We measure our vulnerabilities using our own platform. What’s most important is that not only do I know what these vulnerabilities are and track them, but I know how fast they’re being fixed. The most important thing is not how many vulnerabilities we can find, but how quickly we can respond and deal with them.”
“I also want to be able to measure myself against other security companies in the industry. That means asking questions like ‘what are other security companies doing that we’re not?’ And having this bug bounty program with on-demand reporting in place is a really great way of comparing ourselves with other companies and measuring effectiveness.”
The Ever-Changing Security Landscape
In addition to measuring security effectiveness, one of the major challenges for all organizations and security professionals is adapting to the ever-changing security landscape.
Baker explains that Bugcrowd adapts to changes in the security landscape with the help of the Crowd. “The Crowd,” he says, “is naturally made up of individuals who are interested in this technology and interested in security trends. So, the Crowd naturally sets, and is part of creating, these emerging trends.”
We also asked Baker what he feels are the biggest trends in the cyber security landscape at the moment.
“Personally, one of the things I see as a trend right now is DevSecOps. So, DevOps is typically your team creating software to actively create your infrastructure. And a big part of that now is needing to build security around that, and one of the major trends is companies needing to automate that process. But what we’re seeing is a lot of companies trying to automate the human element or the crowd element of DevSecOps, and that’s a big challenge. They’re creating a lot of vulnerabilities as a result.”
“So, we’re seeing the Crowd respond to that, and finding more vulnerabilities that have resulted from automation.”
To find out more about Bugcrowd visit: https://www.bugcrowd.com/
To get more cybersecurity news and insights, as well as verified user reviews of the top security solutions, visit: https://www.expertinsights.com/