As crowdsourced security programs gain momentum, education is lagging behind.
REDWOOD CITY, Calif. (PRWEB) May 31, 2018
“Crowdsourcing” is gaining momentum among CISOs who want to stay ahead of a security breach. The old way of doing security has failed, and more organizations are starting to trust crowdsourced ethical hackers to help with the growing demands of cybersecurity in a world that is technologically complex and under increasing threat.
As crowdsourced security testing solutions (including bug bounty programs, vulnerability discovery and hacker-powered penetration testing) have become viable options for a growing number of security leaders in recent years, the trust, control, management and results they deliver vary widely across the industry. Synack has released a new report for CISOs and security decision makers, "The Complete Guide to Crowdsourced Security Testing", which outlines the differences between crowdsourced programs.
“As crowdsourced security programs gain momentum, education is lagging behind. It’s critical for security team leads to know what they’re getting with an open bug bounty program compared to an invite-only program or a crowdsourced penetration test. Not all crowdsourced programs are created equal, and organizations should have the knowledge to choose programs that best fit their needs,” said Jay Kaplan, Synack CEO and Co-Founder.
The analysis in Synack's report is based on data gathered through thousands of customer tests over the last few years, including hacker demographics, hacker activity, vulnerabilities found, vulnerabilities searched for but not found, customer demographics, customer asset data and the security of assets over time. It also includes published data from other companies that offer crowdsourced security testing solutions.
Synack’s report covers why security teams are choosing to crowdsource, what offerings make up the crowdsourced testing landscape today, how crowdsourced security is evolving, and which metrics are best to measure a program’s success.
Why do security teams crowdsource?
-The Power of Scale - Hundreds of skilled and trusted hackers who log hundreds of hours on a target during a single test
-The Power of On-Demand Software - 24 hours to onboard, 24 hours to first vulnerability notification, and real-time analytics during an entire test
-The Power of Incentives - Over 155,000 valid vulnerabilities and counting across the largest crowdsourced programs
What offerings make up the landscape and how do they differ?
-Responsible Disclosure and Open Bug Bounty - Hacker-powered testing with basic coverage for unknown vulnerabilities
-Invite-Only Bug Bounty - Hacker-powered testing from a selected crowd
-Managed Crowdsourced Vulnerability Discovery - Hacker-powered testing from a highly vetted crowd with full program management, auditable testing traffic, and testing coverage analytics
-Managed Crowdsourced Penetration Testing - Hacker-powered testing combined with compliance testing from a highly vetted crowd with full program management, auditable testing traffic, testing coverage analytics, security scoring, and ongoing risk reduction
How do CISOs best measure the success of their crowdsourced programs?
-Processes and priorities that find and remediate critical vulnerabilities
-Having fewer vulnerabilities to find over time (not more)
-Increased Attacker Resistance of assets over time
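The three success criteria above are stated qualitatively. The Python below is an added example, not code from Synack's report or platform, showing how a security team could compute them from its own findings export: mean time to remediate critical findings, the count of valid findings per test over time (and whether it is falling), and open critical or high findings past a remediation SLA. The export layout, the quarterly test labels, the 30-day SLA and the sample findings are all constructed for illustration; Synack's Attacker Resistance score is not computed because its formula is not given on this page.

```python
"""Program-health metrics for a crowdsourced testing program (added example).

Assumes a hypothetical findings export with one dict per valid, triaged
finding: test label, severity, discovery date, and fix date (None if open).
"""
from datetime import date
from statistics import mean

SEVERITY_RANK = {"low": 0, "medium": 1, "high": 2, "critical": 3}

# Constructed sample export: three quarterly tests against the same asset.
# Test labels are "YYYY-Qn" so that plain string sorting is chronological.
FINDINGS = [
    {"test": "2017-Q3", "severity": "critical", "found": date(2017, 7, 12), "fixed": date(2017, 7, 20)},
    {"test": "2017-Q3", "severity": "critical", "found": date(2017, 7, 18), "fixed": date(2017, 8, 30)},
    {"test": "2017-Q3", "severity": "high",     "found": date(2017, 7, 19), "fixed": date(2017, 9, 1)},
    {"test": "2017-Q3", "severity": "medium",   "found": date(2017, 7, 25), "fixed": date(2017, 10, 2)},
    {"test": "2017-Q3", "severity": "low",      "found": date(2017, 7, 26), "fixed": None},
    {"test": "2017-Q4", "severity": "critical", "found": date(2017, 10, 9), "fixed": date(2017, 10, 12)},
    {"test": "2017-Q4", "severity": "high",     "found": date(2017, 10, 11), "fixed": date(2017, 11, 5)},
    {"test": "2017-Q4", "severity": "medium",   "found": date(2017, 10, 15), "fixed": None},
    {"test": "2018-Q1", "severity": "high",     "found": date(2018, 1, 16), "fixed": date(2018, 1, 19)},
    {"test": "2018-Q1", "severity": "critical", "found": date(2018, 1, 17), "fixed": None},
    {"test": "2018-Q1", "severity": "low",      "found": date(2018, 1, 20), "fixed": None},
]

# Hypothetical "as of" date for the SLA check (matches the press release date).
REPORT_DATE = date(2018, 5, 31)


def counts_by_severity(findings):
    """Return {test: {severity: count}} over every valid finding."""
    out = {}
    for f in findings:
        per_test = out.setdefault(f["test"], {})
        per_test[f["severity"]] = per_test.get(f["severity"], 0) + 1
    return out


def critical_mttr_days(findings, severities=("critical",)):
    """Mean days from discovery to fix for remediated findings of the given
    severities. Open findings are excluded; returns None if none are closed."""
    days = [(f["fixed"] - f["found"]).days for f in findings
            if f["severity"] in severities and f["fixed"] is not None]
    return mean(days) if days else None


def findings_per_test(findings, min_severity="low"):
    """Chronological list of (test, count) of valid findings at or above
    min_severity. Tests with zero qualifying findings still appear, so a
    clean test shows up as a drop rather than a gap in the trend."""
    counts = {f["test"]: 0 for f in findings}
    for f in findings:
        if SEVERITY_RANK[f["severity"]] >= SEVERITY_RANK[min_severity]:
            counts[f["test"]] += 1
    return sorted(counts.items())


def is_trending_down(series):
    """True when no test found more than the one before it, i.e. the
    'fewer vulnerabilities to find over time' criterion holds."""
    counts = [c for _, c in series]
    return all(later <= earlier for earlier, later in zip(counts, counts[1:]))


def overdue_criticals(findings, today, sla_days=30, severities=("critical", "high")):
    """Open findings of the given severities older than the remediation SLA."""
    return [f for f in findings
            if f["severity"] in severities and f["fixed"] is None
            and (today - f["found"]).days > sla_days]


if __name__ == "__main__":
    print("findings by severity:", counts_by_severity(FINDINGS))
    print("critical MTTR (days):", critical_mttr_days(FINDINGS))
    print("valid findings per test:", findings_per_test(FINDINGS))
    print("high+ findings per test:", findings_per_test(FINDINGS, "high"))
    print("trending down:", is_trending_down(findings_per_test(FINDINGS)))
    print("overdue critical/high:", overdue_criticals(FINDINGS, REPORT_DATE))
```

The raw count of findings is deliberately not the headline number: a falling count only means something when paired with remediation time for criticals and a check that nothing critical is sitting open past its SLA, which is why the block reports the three together.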
The report can be downloaded for free at https://go.synack.com/crowdsourced-landscape.html.
Synack, the leader in crowdsourced security testing, provides real security to the modern enterprise. We leverage the world’s most trusted ethical hackers and an industry-leading platform to find critical security issues before criminals can exploit them. Companies no longer have to choose between working with the best security talent and a lack of time, resources, or trust. Headquartered in Silicon Valley with regional offices around the world, Synack has protected over 100 global organizations by reducing companies’ security risk and increasing their resistance to cyber attack.