National Australia Bank Strengthens Security with Bugcrowd

About National Australia Bank (NAB)

National Australia Bank (NAB) is a financial services institution. We’re here to serve customers well and help our communities prosper. Today, we have more than 32,000 colleagues at NAB, serving over eight million customers at more than 900 locations. As Australia’s largest business bank, our business experts work with small, medium and large businesses to help them grow.

NAB’s Standpoint on Security

The partnership with Bugcrowd marked NAB’s first venture into crowdsourced security testing. It provided a complementary layer of assurance alongside a suite of existing assurance and testing controls. In addition, NAB has since expanded its penetration testing services with Bugcrowd, having previously worked with several other service providers.

Other Important Policies in Action

After seeing success with the Vulnerability Disclosure Program (VDP), NAB implemented a bug bounty program to solicit potential vulnerabilities from the security community. As the attack surface expanded, NAB needed more eyes on its assets to help keep them safe for customers, colleagues, and shareholders. While NAB saw value in the VDP, it is by nature a passive program. So, in order to seek active testing and increase the coverage of assurance across all services, NAB created a bounty program and engaged an army of broadly skilled researchers on an ongoing basis. Going forward, NAB plans to expand its bounty programs to cover the software development lifecycle as well.

A New Policy

• Using the crowd with a wider range of skills to find gaps that may have been missed by traditional security assessments.
• Gaining access to a large, global crowd of security researchers with broadly diverse skills , resulting in shorter lead times to add targets to scope.
• Having access to a controlled risk environment through Bugcrowd’s Crowdcontrol platform, with Bugcrowd acting as the intermediary.
• In addition, having an independent party to triage submissions helped NAB to save on internal resources and staff efforts.
• Potential vulnerabilities were reported as and when found, helping reinforce the fact that speed is an advantage.
• Testing was not time bound, which allowed security researchers flexibility to test whenever, and for however long, they chose.
• NAB was able to demonstrate the maturity of its security practice through the VDP and Bug Bounty program, reinforcing its commitment to robust security practices to customers, partners, and the security community.
• The VDP platform strengthened a positive relationship between NAB and the Whitehat security community, encouraging greater transparency and responsibility.
• The program also created a new talent pipeline, as the VDP provided a good platform to recruit standout researchers for its bounty program.
• The effort returned a relatively low false positive rate, with no additional cost to retest.
• Overall, the program has enabled NAB to discover numerous critical findings.

So, Why Bugcrowd?

NAB found that Bugcrowd offered a comprehensive service which allowed room for growth and complemented its existing security controls. The option to start with a VDP helped NAB understand the workflow and develop its internal processes. The management overlay that Bugcrowd provided across the VDP and bug bounty program, with a team of engineers to triage submissions, helped alleviate potential pressure on internal processes. In addition, Bugcrowd was commercially competitive and NAB was encouraged by the company’s responsiveness to suggestions for ideas and enhancements to drive product development.

Bugcrowd Security Knowledge Platform

Organizations of all kinds need to do everything proactively possible to protect themselves, their reputation, and their customers from being blindsided by cyber attacks. The Bugcrowd Security Knowledge Platform finds hidden vulnerabilities before attackers do by uniquely orchestrating data, technology, and human intelligence including tapping into the global security researcher community (“the Crowd”) for solutions that span Pen Testing as a Service, Vulnerability Disclosure, Bug Bounty, and Attack Surface Management.