Tesla upending more than a century of automotive tradition. Uber redefining the taxi market. Airbnb reinventing the way we book vacations. Each one disrupting the market it operates in – not in decades, but in years. The lesson to learn? For a business to survive, it needs to be infinitely agile and adapt at pace to market change.
However, there’s a balance to be struck between speed and security. To deliver those trusted applications more quickly, organisations need to bake robust application and infrastructure security in from the start, closing the vulnerabilities that criminal hackers will target across the expanding attack surface.
Until now, most organisations have relied on penetration testing, or ‘pen-tests’, to search for vulnerabilities in applications. However, the approach is proving increasingly obsolete in today’s dynamic, digital world.
First, pen-tests are limited in the skills they mobilise. The consultants involved typically lack the relevant skills and struggle to master the technical environments associated with the tests and the potential attack techniques. Second, pen-tests are almost always one-off, time-boxed exercises, performed for one or two weeks per year – not practical when serious or critical vulnerabilities often take several weeks to be discovered. Finally, annual (or even biannual) audits do not meet the growing need for speed and continuity that is typical of agile approaches.
A European financial institution, for example, recently reported, “We can’t be agile when we’re doing pen tests; it doesn’t work. There are too many projects to follow, and we can’t do one before each roll-out owing to the lack of time, responsiveness, and means. The deadlines are too tight and the tests have to be scheduled several times a year.”
It doesn’t have to be this way.
A transformative cybersecurity approach is disrupting pen-testing, just as Tesla, Uber, and others have disrupted their respective markets. It’s called Bug Bounty.
A Bug Bounty platform provides augmented crowdsourced pen testing as a service. It is an agreement whereby organisations reward ethical hackers – or ‘researchers’ – for reporting bugs, especially those pertaining to security exploits and vulnerabilities. The more severe the reported bug, the higher the reward.
The market is marching towards Bug Bounty platforms too: Gartner predicts that by 2022 (that’s next year), 50% of organisations will be using this modern approach to cybersecurity.
So how does a Bug Bounty platform provide the operational agility to cope with today’s ultra-fast pace of change?
A Bug Bounty platform delivers flexibility, streamlining trusted cybersecurity processes, so organisations can release applications into production more quickly. Take the example of a company using DevOps. They need continuous testing alongside continuous integration/delivery since they’re delivering code every day. A Bug Bounty program provides that continuous testing: surfacing bugs at the same speed as they are inadvertently created by the development teams.
Likewise, organisations using the more traditional waterfall methodology are under pressure to release code in weeks rather than months. Scheduling old-school pen-tests that frequently is not an option. Now, they can use a Bug Bounty platform to mobilise a hand-picked team of ethical hackers to surface bugs during the pre-production acceptance or testing phase.
A Bug Bounty platform increases agility by empowering security and development collaboration. It’s a given that organisations are growing their development community to meet the demand for faster application delivery. In turn, developers are being given more autonomy and typically outnumber security professionals by a significant margin. Unless the security team can find a way to embed security early in that development process, they end up losing control of the security process, with all the inherent risk of vulnerabilities.
Here, a Bug Bounty platform embeds security processes directly into development, increasing collaboration. For example, developers can communicate directly with the researchers who find the bugs – increasing awareness of security and enabling skills transfer between the hunters and the developers. Organisations can ultimately create security champions among the development teams.
A Bug Bounty platform automates multiple vulnerability management processes, increasing speed and agility. With pen testing, for example, organisations only receive a static PDF report. With a Bug Bounty platform, security and development teams can easily integrate all the data into their chosen bug tracker to manage vulnerabilities at scale and speed. There’s no manual copying and pasting of content – teams are connected to a single, complete view of the workflow and data.
A leading global Bug Bounty Platform
YesWeHack is a leading global Bug Bounty & VDP Platform. More than 400 programs – private and public – are in operation, spanning 30+ countries. YesWeHack is also number one among the research community: more than 22,000 ethical hackers rely on the platform, in more than 170 countries.
To learn how YesWeHack’s Bug Bounty Platform can help your organisation deliver agile digital transformation and pivot to growth, book a free consultation with one of our experts.