Is my stuff secure?

At their core, penetration tests answer two critical questions:

  1. Is my stuff secure?
  2. How do you know?

Q1 is pretty straightforward. If the answer is ‘no,’ then Q2 consists of a list of the vulnerabilities discovered. But if the answer is ‘yes,’ then what do we get? A pat on the back? Of course not. We receive a ‘clean’ pen test report that describes the measures taken to assess the environment. That is the value of negative testing, realized. But why do I care?

They need to know!

Let’s say I’ve developed a handy content management application. A potential customer wants to procure this app, but has asked how seriously I take security. I respond with an emphatic, “VERY SERIOUSLY,” but that appears not to be enough. So I supply them with an objective assessment that used a standardized evaluation method: a pen test report. The same logic applies whether the party asking is an investment firm evaluating my risk profile, a partner curious about the viability of an integration, or an auditor evaluating my compliance with PCI.

The value of pen testing is timeless. While the methodology, the resources, the content, etc. have changed and will continue to change as technology and customer needs evolve, the value of an objective, standardized assessment isn’t going anywhere.

Which brings us back to Q2: How do you know whether I’m secure or not? We established why others might care, and why I’m apt to care about their opinions in turn, but we haven’t yet addressed why I care, and what it means for my business. When I want to find bad stuff more than I care about proving to others that I care enough to look, the answer to Q2 has to change.

I need to know

When organizations want to find more high-priority vulnerabilities, faster, they often turn to the power of managed crowdsourced security programs. When they need the objective compliance artifacts required by stakeholders, but don’t want to sacrifice the results of a crowdsourced model, they turn to Next Gen Pen Tests. These programs provide better depth and breadth of coverage by leveraging a wider pool of resources to find the right skills, right now. In Bugcrowd’s Next Gen Pen Test, additional researchers work in parallel with those following a standardized methodology, further expanding total coverage. This provides organizations serious about solving their security challenges with the results they need to stay one step ahead.

Show me

For organizations that don’t just want to know ‘what,’ but ‘how,’ Bugcrowd offers Coverage Analysis. This feature of the Next Gen Pen Test Pro and Enterprise solutions provides a much richer picture of not only the vulnerabilities that were uncovered, but the method used to surface each one. While traditional pen test reports offer a self-attested and often generalized view of the process performed, Coverage Analysis uses traffic log parsing and activity analysis to provide a higher-fidelity accounting of the methodology actually performed by every pen tester and researcher on the program. This has helped many organizations resolve issues more quickly, as well as avoid similar issues in the future.

By using these assessments as a tool to both measure and inform internal proceedings, organizations are re-defining the value of pen tests for everyone.