Software is becoming more complex every year. We see new tools for development, increased automation through AI, and an ever-growing list of environments to build for and devices on which the software we interact with daily is used. This is driven by technological trends that we can expect to continue and accelerate, from sophisticated AI to the blurring of the boundary between corporate and personal networks in a remote-first working world. On top of this, we see widespread pressure to release software more quickly and automate more processes, all of which creates new security concerns.
As software development gets faster and more opaque, security has become more important and more difficult, which has revealed the shortcomings of traditional security testing. This market need comes alongside technical developments that have led to innovation in cybersecurity, and in particular, the growth of the now-mature category of crowdsourced security.
What is crowdsourced security?
Crowdsourced security is an approach to securing digital assets that leverages the collective skill and experience of ethical hackers to tap into the wisdom of the crowd, where large and diverse groups can make discoveries more effectively than individuals.
These hackers are given direction, scope, and sometimes financial incentives to identify and report vulnerabilities, or bugs, simulating techniques used by threat actors. Owners of these digital assets will then remediate the issue and offer public recognition for the hacker’s work (in the case of a vulnerability disclosure program) or financial rewards corresponding to the criticality of the bug (in the case of a bug bounty program).
Investing in crowdsourced security testing means tapping into the breadth of the world’s talent and all of the talent, experience, and cognitive diversity that comes with it. Here are just some of the benefits that it provides.
What are the types of crowdsourced security solutions?
- VDPs—VDPs are a framework put in place by organizations to encourage hackers to share any vulnerabilities they discover with the asset’s owner. They offer safe harbor clauses that provide legal protection to good-faith hackers, and should also offer public disclosure of valid submissions to acknowledge the hackers who take the time to help with security.
- Bug Bounty Programs—Bug Bounty Programs are security initiatives that incentivize hackers to find and report vulnerabilities in an organization’s products and digital infrastructure. These programs lay out the scope of the assets that are open to testing, and offer financial rewards based on the criticality of bugs that are discovered and shared. Managed bounty programs have been around in this form since Casey Ellis founded Bugcrowd in 2012, and they are the form of crowdsourced security that hackers engage with the most.
- Penetration Testing—Pen testing is a simulated cyberattack carried out by authorized third parties (known as pen testers) who test and evaluate the security vulnerabilities of a target organization’s computer systems, networks, and application infrastructure.
There are also technical forms of crowdsourced testing such as attack surface management, where specialist hackers are tasked with mapping a company’s network, finding shadow and legacy IT in the process. Hackers deploy automated tools and human ingenuity to prioritize an organization’s assets in terms of risk, whether that is an AWS bucket holding vital data, a poorly configured IoT toaster that came with an acquisition, or the CEO’s laptop. The skillset required for high-quality attack surface management is rarely found in generalist security professionals, so crowdsourced solutions often make the most sense economically.
Who performs crowdsourced security testing?
Crowdsourced security testing draws on hackers from around the world. For Bugcrowd, this means “The Crowd”: a community of security experts who dedicate themselves to finding and fixing security vulnerabilities.
The range of hackers involved in crowdsourced testing can vary based on the nature of the client and what they are testing. With VDPs, hackers self-select by finding and submitting bugs informally. In contrast, selection for Bug Bounty Programs can range from public programs open to every member of The Crowd, to private programs limited to experts with the highest form of security clearance. Attack surface management tends to be performed by specialists who bring expertise in scanning technologies to the table, alongside deep knowledge of network risks.
How much access is given to crowdsourced hackers?
In theory all assets can benefit from crowdsourced security testing, but in practice the scope of access varies between assignments and types of testing. For VDPs, all of an organization’s assets are considered in scope unless otherwise stated, whereas bug bounties tend to focus more on specific products or infrastructure. Access tends to be based on budget and capacity – buyers will prioritize assets based on the budget available for incentives and the internal capacity to remediate bugs.
The limitations of traditional security testing
Traditional security testing methods, such as in-house penetration testing (pen testing) or automated vulnerability scanning, have limitations. Some of the issues of traditional security testing include:
- Cumbersome delivery
- Poor security ROI
- Difficult to scale
- Delayed results
- Questionable skill fit
- Lack of ingenuity
- No progress visibility
- Siloed and not actionable
- Low impact
Traditional security measures remain crucial and are not going anywhere. Best practice in patching, access controls, firewalls, and other elements of security hygiene remains a core necessity for keeping data safe. But when it comes to identifying and tackling sophisticated threats, traditional security testing has its limits.
While some security testing should always remain in-house, you should not be limited to this approach to securing data. We live in a digital age of abundance, and this should be seen as an asset to your security rather than just a source of threats.
What are the benefits of crowdsourced security testing?
Larger testing pool
Crowdsourced testing brings more brainpower to the task of securing your assets. Back in the late nineties, Eric S. Raymond suggested that “with enough eyes, all bugs are shallow.” Since then, the number of eyeballs that can be turned to finding bugs has increased dramatically, and this increase in supply provides a better quality of security testing.
As well as the weight of numbers, “The Crowd” brings diversity of outlook, approach, and experience. Internal testers are limited to their own expertise when assessing vulnerabilities and threats, but crowdsourced security draws on hackers of different ages and backgrounds living all over the world. Bringing this formidable group together brings far more creativity and more comprehensive testing to your security program.
Over a hundred years ago, US retail magnate John Wanamaker complained that half the money he spent on advertising was wasted, but he didn’t know which half. Until recently, something similar could be said of security investment, with money spent by Chief Information Security Officers (CISOs) often lacking a clear read-through to a company’s bottom line.
Crowdsourced security is part of the solution to this, by offering financial incentives to hackers based on the criticality of the bugs that they uncover. In the past, you had to pay for testing and hope for results. Now, the testing takes place in the background so your in-house security team can focus on strategic initiatives.
Reduced risk of bias
In traditional security testing, internal and even external testers may have a bias toward the technology, tactics, techniques, and procedures with which they are most familiar. When picking from a limited pool of talent, you are bound to have blind spots, even with the most brilliant individuals. This is especially true for new and emerging technologies and techniques.
With crowdsourced testing, market conditions incentivize diverse approaches by rewarding the results they produce, and this eliminates any potential biases. Hackers from different jurisdictions will have more exposure to new technology, and will bring a mindset that challenges any status quo in security testing. No small team can cover the range of cognitive diversity and technical experience that The Crowd brings.
Coverage around the clock
Malicious actors are geographically distributed across time zones and don’t work conventional 9-5 hours. This has caused headaches for CISOs and executive teams facing breaches and urgent vulnerabilities overnight and at weekends, who often struggle to find the resources needed to deal with a threat.
Crowdsourced security taps into distributed security talent to turn this from a weakness to a strength. By investing in crowdsourced testing, you will have all of the capacity that you could need, when you need it. This allows you to access round-the-clock security testing from hackers. Organizations like Bugcrowd also include validation and triage services from a global team of experts, handling the most critical submissions within hours. This allows your team to quickly remediate and resolve vulnerabilities using critical context, helping you focus on what’s most important.
The ability to scale up testing capacity is not just useful out-of-hours. Sometimes vulnerabilities will emerge in software that is of critical importance to your business, and in these situations finding and fixing vulnerabilities becomes an urgent priority.
Investing in crowdsourced security lets you apply a lot of talent to this problem far more quickly than traditional security testing would allow. When the Log4j vulnerability emerged in December 2021, Bugcrowd’s platform saw an enormous spike in activity, allowing buyers to remediate their most critical vulnerabilities in under three hours. This ability to scale capacity to meet emergent threats is an advantage of crowdsourced security over traditional testing.
Building relations with the hacking community
Crowdsourced testing is an effective approach to security, and this is known and respected by hackers and the wider security community. By investing in this approach to testing, you win respect within the industry that creates a virtuous cycle, making the best hackers more inclined to work with you.
This respect can extend to attracting talent, as it puts your company on the radar for security professionals eager to work in organizations that embrace best practice and work with the world’s best hackers. It can even extend to software developers and other technology professionals adjacent to security.
What are the pros and cons of crowdsourced security testing?
Pros:
- Depth of expertise: Taps into The Crowd’s massive global expertise.
- Return on investment: Paying for results offers a clear demonstration of value for security and finance teams.
- Flexible capacity: Allows you to get results around the clock and scale up testing in response to urgent needs.
Cons:
- New business case may be needed: Organizations that have never used crowdsourced security before might need to build a new business case.
- Community engagement: While it is a transaction in a market, buyers need to respect the hacker community and its norms.
Summary—The Benefits of Crowdsourced Security Testing
We live in a world of digital abundance, and securing data and infrastructure means making this work for you rather than against you. Crowdsourced security offers you access to The Crowd’s diverse skillset, with collective experience of solving more problems than any individuals can even comprehend.
By opting to pay for results instead of time, you can get the benefits of this hive mind while sticking to a reasonable budget. This is hard for those whose spending is restricted to traditional security services, or who struggle to unlock the potential of crowdsourced testing. Crowdsourced testing requires a new business case, but one that is necessary for today’s threats.
Crowdsourced Security and the Bugcrowd Platform
Bugcrowd has been a pioneer since it was founded as the first crowdsourced security testing platform back in 2012. We offer testing such as bug bounties, pen tests, vulnerability disclosure programs, and more at scale and in an integrated, coordinated way.
Our platform includes access to a team of global security engineers who work as an extension to the platform, triaging and validating submissions so that the most critical bugs can be resolved within hours.
To see what crowdsourced security testing looks like in practice, take a 5-minute tour. This overview shows how the Bugcrowd Platform connects you with trusted hackers to help you take back control and stay ahead of malicious actors.