“First priority vulnerability in under 24 hours.”
“10x more high priority vulnerabilities than traditional testing.”
“Annual impact of two full time resources in under a week.”
The benefits of crowdsourced vulnerability discovery programs are compelling. But I’m sure if you’re reading this blog, you already knew that. Instead, you’re here because you’re wondering what it takes to get there. You’re skeptical that you’ll see success. In short, you don’t want to know what can go right, you’re wondering how it might go wrong.
For this six-part series, we’ve taken learnings from over seven years and more than 1,200 fully-managed programs to share the things that can slow, stall, or otherwise subvert crowdsourced security success. To help any crowdsourced champion (that’s you) clear those hurdles, we’ve included some handy materials to help develop a plan of action, achieve organizational alignment, and launch your best security investment yet.
Hurdle #1: Ready for takeoff, but the rest of the organization isn’t on board
The good news — you understand the benefits of crowdsourced security and you’re ready to dive in. The bad news — no security team is an island. Security impacts every part of the business. And while you may not need sign-off from every function (save legal and finance), if the solution relies on other groups to fully realize success, you’ll need to have a few conversations.
“Where’s the crowdsourced security budget?” — Finance Considerations
Let’s talk numbers first. Many organizations have dedicated budget for security testing of applications and assets, to include staff, services, software, and maybe even pen testing specifically. But crowdsourced security is a bit unique. Bugcrowd, for example, is a SaaS platform that utilizes a pool of security researchers to help organizations uncover and rapidly process high priority vulnerabilities. It provides the results of near-limitless headcount with the workflow efficiencies of automated tooling, yet doesn’t fit neatly into either bucket. This might raise some questions from finance, the Board, and the rest of the executive team:
“How often do we need testing?”
While there are many benefits to continual testing engagements, including less time for set up and take down, continuity of researcher engagement, and more accurate program growth and health analytics, Bugcrowd recognizes that security budgets and staffing bandwidth are structured differently for every organization. Whether you’re looking for an on-demand, continuous, or methodology-driven assessment, we’ve got you covered.
“What’s the ROI?”
To justify budget early on, consider both inputs and outputs, and anchor to something that’s well understood by your organization. If you do have pen testing budget, were you happy with the results of your latest assessment? Or for something less subjective… what was the cost per vulnerability discovered? Our pen test value calculator is a great tool for this comparative analysis, and even comes with an exec-ready printout on your potential savings!
“We don’t have crowdsourced security or pen testing budget.”
No pen testing budget? No problem — let’s instead focus on inputs for the testing you are doing. When you hire new employees, is there a significant learning curve before product or process mastery? How much time does your team spend on rudimentary testing activities, or on the interface with development to get things fixed? Could they be freed up for more complex (and fulfilling!) tasks? Experts at the ready, fully managed programs, and robust SDLC integrations could be the answer you (and finance) are looking for. Check out our Next Gen Pen Test and Bug Bounty Program pages for more detail on each.
“Have we examined competitive offerings?”
Every security organization has unique requirements today, as well as aspirations for growth in future. Bugcrowd is the only crowdsourced security platform that helps organizations find and fix their highest priority vulnerabilities, faster. More than 80% of customers who’ve switched from other solutions tell us that our end-to-end managed services are far superior. For more detail on our unique process and results, check out the Bugcrowd Difference page on our website.
“Can we trust the Crowd?” — Legal Considerations
Look, we get it. The concept of ethical hackers is a tough pill to swallow if you’re not familiar with the community. Why would I invite someone to poke and prod my most valuable assets? But countless Fortune 500 organizations, financial entities, government agencies, and even security companies have cleared this hurdle and so can you! If this Bugcrowd Legal Walkthrough doc isn’t enough to knock your socks off, then let’s dive right into some hard truths.
People are doing it anyway
You may not want to invite strangers to test your defenses, but the truth is, the bad ones aren’t waiting for an invitation. Fortunately for you, hacking isn’t inherently good or bad, and the necessary skills can be acquired through legitimate, routine exploration. According to our annual security researcher community report, Inside the Mind of a Hacker 2019, more than 80% of our Crowd say their skills helped them lock down a 9-5 security job, and more than half still test on the side for fun. If your best defense is a good offense, who do you want on your team?
You may not know them yet, but we do
Bugcrowd vets every researcher on private programs for skill and trust, and our CrowdMatch technology enables us to connect the right individuals to your program based on your organizational and target requirements. With hundreds of thousands of skilled researchers in our Crowd, this is no small feat. Our How we Vet the Crowd brief goes into extensive detail on our vetting process as well as the provisions put in place to ensure secure programs. In short, we believe in the “right skill, right program, right incentive” model. Following this, our customers typically see results 1.5x faster than on other crowdsourced security platforms, with some of the highest criticality vulnerabilities submitted in the first 24 hours.
Combining vulnerability and people management is the key
True crowdsourced security solutions aren’t just a means of accessing the crowd, they are a means of working with the crowd. Bugcrowd is the only crowdsourced security platform to offer a fully dedicated Researcher Success team alongside both an operations and triage team. This ensures regular, fluid communications with both engaged and available researchers. We also helped spearhead the Disclose.io initiative, which encourages open communications around disclosure policies to protect and educate both researchers and companies. Customers are welcome to select whichever disclosure policies suit their business — either complete non-disclosure or controlled coordinated disclosure under mutual terms. We also encourage customers to select partial or full observance of safe harbor best practices, and display their status here (for public programs).
“We’ve got enough stuff to fix already” — Development & Engineering Considerations
Crowdsourced security testing will probably produce more vulnerabilities, of higher severity, than other testing mechanisms employed by your organization today. This might be a highlight for you, and a red flag for dev and engineering. There are only so many hours in a day after all. Connecting with the side of the organization that manages targeted assets is imperative for ensuring fast fixes.
What’s in it for dev?
If you’re committed to reducing risk, choosing a vendor that can ease the burden on both teams is paramount. 82% of customers who switched from other crowdsourced security solutions said Bugcrowd’s triage and vulnerability management was superior. Another 70% felt the substantial improvements to internal operations were a major motivator.
What’s the most secure way to resolve this vulnerability?
Bugcrowd’s dedicated Application Security Engineer (ASE) team triages all submissions before passing them to your security team for final acceptance. Our numerous SDLC integrations and unique remediation advice then ensure every valid vulnerability gets to dev for a fast fix. Our SDLC integration page and ever-evolving Vulnerability Rating Taxonomy share more details on each of these points of value.
How do we know it won’t happen again?
Fixing security vulnerabilities is tough, and can be time-consuming. But it’s even harder to catch systemic problems that might result in further issues down the line. For today’s vulnerabilities, Bugcrowd provides retesting services to ensure what’s found is truly fixed. To prevent tomorrow’s issues, we also partner with Secure Code Warrior, which provides gamified training for secure coding across a multitude of programming languages.
Achieving organizational alignment is never easy, but always worth the extra time and attention to ensure long-term success. However, what happens when your organization changes? When ecosystems evolve and teams shift, the way you manage your security solutions may flex as well.
In the next blog we’ll talk about how to manage internal shifts to ensure seamless program management. Stay tuned.