Penetration testing and bug hunting are crucial stages in the application development process. Before an app is released it must be rigorously tested to ensure that it is safe and does not hand attackers a way in to compromise data. However, even for the largest development teams, searching for bugs and checking for security vulnerabilities is a tough and time-consuming task.
It is often difficult for in-house developers to hunt for bugs and vulnerabilities with the same ingenuity as a group of white hat hackers. It also takes them a long time to satisfy themselves that they have found all the bugs in an application, and even then they cannot be sure that nothing has been missed before wider release.
To help deal with these issues, Bugcrowd developed a crowdsourced cybersecurity platform. They offer developers the ability to publish their applications to a global community of researchers, or whitehat hackers, who help to identify bugs and vulnerabilities. At Info-Sec 2019, Expert Insights met with Bugcrowd’s Chief Security Officer (CSO) and VP of Operations David Baker, whose responsibilities include managing their Next Gen Pen Test and bug bounty programs, to talk about the Bugcrowd service.
Bugcrowd – Innovative Cyber Security
In February 2019, Bugcrowd was named as one of
the most innovative vendors in the cybersecurity space by Fast Company. Baker
explains that this innovation is driven by the crowdsourcing element of their
“Our innovation starts with the fact that we
are a crowdsourced solution,” he tells me. “Our customers are enterprises, with
IoT devices, web applications, and web platforms. We connect those customers
with our researchers, the Crowd. These whitehat hackers are located all over
“They are engaged in identifying vulnerabilities for our customers. What we offer is a marketplace, which allows these groups to interact. On the one side, researchers are able to take their time to find vulnerabilities and get paid for doing that — the first to find is the one to get paid. On the other side, customers can also easily interact with researchers to better understand the impact of the found vulnerabilities. This marketplace, and our platform’s ability to connect these two groups, is the most innovative aspect of what we do.”
The Power of the Crowd
Bugcrowd’s platform makes it easy for organizations to connect with researchers, identify vulnerabilities and patch them before they are found by malicious attackers. Baker makes it clear that this is hugely beneficial to enterprise customers.
“There are absolutely a lot of benefits to
this approach,” he tells me. “It saves organizations a lot of time. But, more
importantly, crowdsourcing always identifies a far richer set of
vulnerabilities, and often at higher severity, than companies would normally
“This is because the Crowd is all over the world. We’ve got people who have grown up in different cultures, and so the creativity of the Crowd is far more diverse than the typical set of people in an office that have been hired from the same city. I feel that creativity is really what drives how we identify more vulnerabilities. That creativity is the power of the Crowd.”
The clear challenge to developers once a
vulnerability has been found is the remediation process. Fixing vulnerabilities
can be as difficult as identifying them, and companies considering a
crowdsourced solution may wonder what the process is once a vulnerability is
found. Is that something that is up to the companies to fix, or can the Crowd
be leveraged to help organizations resolve issues?
“We actually have a couple of options for the
scenario,” Baker tells me. “We have a means by which we recommend the best
practices for dealing with the issues that have been reported through our
remediation advice. We also have means where you can integrate our reporting
into your GitHub or wherever, so that once the vulnerability is validated it
can go right back to the developer for testing.”
“But more importantly, we find that our researchers are identifying somewhat systemic issues in certain areas. In working with them, they can help educate our customers on better and safer development practices — addressing more of the SDLC.”
“So, we have a lot of different options their developers can take advantage of.”
Measuring Security Effectiveness
Measuring the effectiveness of your approach
to cyber security is difficult for organizations and security teams of all
Since Baker is the CSO of a security vendor, we asked him how he measures his own security team’s effectiveness.
“There’s a lot of things you want to do,
particularly within a security company. First of all, you want to know what you
“At the very beginning, tactical level, you want
to know what your vulnerabilities are. We measure our vulnerabilities using our
own platform. What’s most important is that not only do I know what these
vulnerabilities are and track them, but I know how fast they’re being fixed.
The most important thing is not how many vulnerabilities we can find, but how
quickly we can respond and deal with them.”
“I also want to be able to measure myself against other security companies in the industry. That means asking questions like ‘what are other security companies doing that we’re not?’ And having this bug bounty program with on-demand reporting in place is a really great way of comparing ourselves with other companies and measuring effectiveness.”
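Baker’s point above is that the metric worth tracking is not how many vulnerabilities are found but how quickly each one is fixed. The script below is an added example of that measurement and is not Bugcrowd’s code or part of the interview: it takes a list of findings with report and fix timestamps, groups them by priority label, computes median time-to-fix for closed findings, and flags every finding (open or closed) that has exceeded a time-to-fix target. The priority labels, the SLA targets in SLA_HOURS, and the sample findings are all constructed for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from statistics import median
from typing import Dict, List, Optional

# Assumed time-to-fix targets in hours from report to fix, per priority label.
# Illustrative values chosen for this example, not any vendor's actual policy.
SLA_HOURS = {"P1": 24, "P2": 72, "P3": 14 * 24, "P4": 30 * 24}


@dataclass
class Finding:
    ident: str                     # hypothetical tracking identifier
    priority: str                  # one of the keys of SLA_HOURS
    reported: datetime             # when the researcher submitted it
    validated: Optional[datetime]  # when triage confirmed it (None if still in triage)
    fixed: Optional[datetime]      # when the fix shipped (None if still open)


def _ts(s: str) -> datetime:
    """Parse an ISO-8601 timestamp and treat it as UTC."""
    return datetime.fromisoformat(s).replace(tzinfo=timezone.utc)


def hours_to_fix(f: Finding, now: datetime) -> float:
    """Hours from report to fix; for a still-open finding, its age so far.

    The clock starts at report time, not validation time, because the
    exposure window for the customer opens as soon as the bug exists and
    is known to someone outside the team."""
    end = f.fixed if f.fixed is not None else now
    return (end - f.reported) / timedelta(hours=1)


def remediation_metrics(findings: List[Finding], now: datetime) -> Dict[str, dict]:
    """Per-priority summary: volume, how many are still open, median
    time-to-fix across closed findings, and how many findings (open or
    closed) have already exceeded their target."""
    out: Dict[str, dict] = {}
    for f in findings:
        m = out.setdefault(
            f.priority, {"count": 0, "open": 0, "fix_hours": [], "sla_breaches": 0}
        )
        m["count"] += 1
        elapsed = hours_to_fix(f, now)
        if f.fixed is None:
            m["open"] += 1           # open findings count toward the backlog...
        else:
            m["fix_hours"].append(elapsed)
        if elapsed > SLA_HOURS[f.priority]:
            m["sla_breaches"] += 1   # ...and toward breaches once they age past target
    for m in out.values():
        m["median_fix_hours"] = median(m["fix_hours"]) if m["fix_hours"] else None
        del m["fix_hours"]
    return out


# Constructed sample findings: identifiers, labels and dates are invented.
SAMPLE_FINDINGS = [
    Finding("BC-1", "P1", _ts("2019-06-03T09:00"), _ts("2019-06-03T11:00"), _ts("2019-06-03T20:00")),
    Finding("BC-2", "P1", _ts("2019-06-04T10:00"), _ts("2019-06-04T12:00"), _ts("2019-06-06T10:00")),
    Finding("BC-3", "P2", _ts("2019-06-01T00:00"), _ts("2019-06-01T06:00"), _ts("2019-06-02T00:00")),
    Finding("BC-4", "P2", _ts("2019-06-02T00:00"), _ts("2019-06-02T06:00"), None),
    Finding("BC-5", "P3", _ts("2019-05-20T00:00"), _ts("2019-05-21T00:00"), _ts("2019-06-01T00:00")),
]
NOW = _ts("2019-06-10T00:00")  # the "as of" time for ageing open findings

if __name__ == "__main__":
    for prio, m in sorted(remediation_metrics(SAMPLE_FINDINGS, NOW).items()):
        print(prio, m)
```

The one design choice worth noting is that an open finding is counted as a breach as soon as its age passes the target, rather than only when it is eventually closed; otherwise a backlog of untouched critical findings would never show up in the breach count, which is exactly the failure the metric is meant to expose.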
The Ever-Changing Security Landscape
In addition to measuring security effectiveness, one of the major challenges for all organizations and security professionals is adapting to the ever-changing security landscape.
Baker explains that Bugcrowd adapts to changes
in the security landscape with the help of the Crowd. “The Crowd,” he says, “is
naturally made up of individuals who are interested in this technology and interested
in security trends. So, the Crowd naturally sets, and is part of creating,
these emerging trends.”
We also asked Baker what he feels are the
biggest trends in the cyber security landscape at the moment.
“Personally, one of the things I see as a
trend right now is DevSecOps. So, DevOps is typically your team creating
software to actively create your infrastructure. And a big part of that now is
needing to build security around that, and one of the major trends is companies
needing to automate that process. But what we’re seeing is a lot of companies
trying to automate the human element or the crowd element of DevSecOps, and
that’s a big challenge. They’re creating a lot of vulnerabilities as a result.”
“So, we’re seeing the Crowd respond to that, and finding more vulnerabilities that have resulted from automation.”
To find out more about Bugcrowd visit: https://www.bugcrowd.com/
To get more cybersecurity news and insights, as well as verified user reviews of the top security solutions, visit: https://www.expertinsights.com/