Find out how Kenna Security garners more value from Bugcrowd than with other firms and tools.

Security at Kenna Security

Kenna Security is a leader in vulnerability management. Kenna’s platform pulls in vulnerabilities from network and host scanners, dynamic application scanners, static analysis tools, as well as bug bounty programs such as Bugcrowd and combines that data with exploit and threat intelligence to prioritize the risks that matter the most and manage the remediation workflow. Kenna counts among its customers many Fortune 100 companies and serves nearly every major vertical.

Being a top vulnerability management platform, the security of its own platform is top of mind to protect threat intelligence and customer’s data. Kenna Security employs a slew of cybersecurity tools and services to ensure protection, including a bug bounty program. For a number of years, Kenna ran its own bug bounty program. While very successful, their security team was finding it difficult to manage the sheer number and varying quality of incoming reports. Kenna Security turned to Bugcrowd to manage the bug bounty program all the way through remediation.

Kenna Security Relies on Bugcrowd for Program Management

Kenna Security was an early adopter in the crowdsourced security model, starting with a self-managed bug bounty program. As findings ramped up however, it became apparent that the internal security team alone could not handle the volume of vulnerability submissions — a lot of which were invalid or “noise”. At the same time, Kenna did not have the breadth, nor the reach needed to get the number or quality of testers they needed for a successful program. The company had hired a handful of less experienced testers who would fill their queues with false positives, leaving the team spending most of its time triaging. They turned to Bugcrowd.

When Kenna moved its bug bounty program over to Bugcrowd, they saw an immediate improvement in submission “noise,” which ultimately optimized internal team resources and security spend. The company launched its first managed bug bounty program with Bugcrowd in early 2014. Since then, Bugcrowd has worked with the Kenna team to evolve the program to include all of Kenna Security’s web domains and subdomains. Kenna Security integrates Bugcrowd into its overall software development lifecycle, from beginning to end. Over the years, Kenna has seen massive value from having Bugcrowd manage their program, including saving a large amount of time and effort on vulnerability triage and validation.

Bug Bounty Program Results

Kenna Security hired a number of different security vendors, ranging from pen testing and consulting companies, to companies running dynamic analysis scans against our web applications and more. When Kenna started to see more quality findings come in through Bugcrowd versus the other firms and tools, it became clear the value of having a bug bounty program was well worth the effort.y Fortune 100 companies and serves nearly every major vertical.

Kenna Uses VRT to Align Expectations

Bugcrowd’s VRT (Vulnerability Rating Taxonomy) is a taxonomy of vulnerabilities relevant to application security, providing a baseline risk-rating at a granular level. The VRT offers vulnerability context in a more effective, simplified way than CVSS, helping facilitate mutual understanding between the organization and
researcher. Ultimately it helps remove subjectivity and directs the focus on actual risk so that there is less room for misalignment – paramount for crowdsourced security.

Kenna Security’s bug bounty program adheres to the VRT. Measured on a scale ranging from P1 (most critical) to P5 (least critical), the VRT offers a baseline technical severity for similar vulnerabilities seen in the market. Based on a Kenna Security’s security maturity and business priorities, Bugcrowd has helped Kenna’s security team map out a bounty reward range best aligned to the business needs. Standardizing this process helps creates consistency and alignment between the Crowd and Kenna Security.

Integrating Kenna Security & Bugcrowd

The Kenna connector for Bugcrowd extends Kenna’s vulnerability management capabilities to include crowdsourced security. Vulnerabilities submitted by researchers and ethical hackers via responsible disclosure or bug bounty programs can be ingested into the Kenna Security Platform like any other source. The connector supports key parameters such as risk priority and Bugcrowd VRT. By integrating with Bugcrowd, Kenna users can better identify, prioritize, and remediate the high- risk vulnerabilities that are most likely to be exploited by attackers.