Monday August 10, 2015
It is common for companies to launch bug bounties in order to improve upon existing security assessment tools and services. Researchers who help with software testing discover and resolve bugs for a reward, which greatly improves the level of security. This process is referred to as crowd-sourcing.
Heroku, Twilio, Pinterest, and Dropcam are great examples of companies that use crowd-sourcing in software testing. This helps to enhance security in today’s world of increasing breaches.
Here are 5 reasons why crowdsourcing can be your trump card:
1. Better results
When more security researchers are involved in assessing an application, the test coverage for the app naturally increases. More researchers mean more diverse software testing knowledge; each researcher added through crowd-sourcing brings a different skill set to the table.
The results obtained are unattainable using conventional testing methodologies. This method is even better than the structured patterns of automated testing or the use of a handful of penetration testing consultants.
2. Cost Effective
Regardless of the results, penetration testers and security researchers are paid for their time. This creates the perception that tapping security resources can cost you a lot. This is where a crowd-sourced bug bounty program can help you be more cost efficient. Under this model, rewards only need to be paid to the researcher who first finds a valid vulnerability. This means payment is based on the vulnerabilities they find or the bugs they fix.
Submitting a duplicate isn’t rewarded, which helps reduce the cost per vulnerability; this in turn makes crowd-sourcing a cost-efficient and legitimate method to find and report bugs.
3. Safe Method of Disclosing a Breach/Exploit
By having a bug bounty or responsible disclosure program, your company is protected from a hacker who may fully disclose an exploit to the public. An inadequate set of rules for reporting a vulnerability more often than not causes the bug to leak to the public. Oftentimes companies are caught off guard by this lack of proper communication. A bug bounty program gives companies transparent rules together with the increase in security that comes with it.
4. Benefit of Continuous Security Testing
A system update, a code push, or even something as simple as being online may cause software to become vulnerable. Running pen tests or automated scanners can shed light on a few bugs, but they are incapable of providing the extra layer of protection that a bug bounty program gives. Through crowd-sourcing, researchers from countries all across the globe can test an app at any time and alert your team.
5. Free Your Team
Searching for vulnerabilities is time-consuming and inefficient, especially when done by a small number of people. Crowd-sourced security testing can free up IT teams to validate and fix the discovered vulnerabilities, which is their sole responsibility. This helps to fix security issues even before they become a problem, which is far better than reacting to a production-level bug that your team is unprepared for.
Incentivizing researchers through crowd-sourcing will help you protect your product in a world where security exploits have been increasing. This helps to level the playing field and proactively secure apps with the help of white-hat researchers.