HEAD TO HEAD. Bug Bounties vs. Penetration Testing. How the crowdsourced model is disrupting traditional penetration testing.


What is the current state of penetration testing?

Penetration testing has become the de facto best practice for vulnerability assessment over the past decade, but in recent years it has come into question, as data breaches continue to hit corporations with extensive penetration testing programs. The newest addition to the vulnerability assessment toolkit, bug bounty programs, is disrupting this traditional market and calling the effectiveness of the penetration test model into question.

In this resource, you will learn...
1. The fundamental differences between penetration testing and bug bounty models
2. How the bug bounty model improves vulnerability assessment ROI
3. Why the bug bounty model is gaining traction among enterprise organizations

How does the bug bounty model work?

Organizations connect with independent security researchers with diverse expertise and skills. Bug bounties harness the power and diversity of the crowd to find more critical security vulnerabilities missed by penetration tests and automated scanners, providing continuous and scalable coverage. The crowd reports security vulnerabilities in all types of products, from web and mobile to hardware. Valid findings are rewarded; the more severe the bug, the higher the reward.

The bug bounty model improves upon penetration testing in 3 fundamental ways:
1. Testers: The volume and diversity of the testers in bug bounties outperform the penetration test model.
2. Coverage: Unlike a point-in-time assessment, bug bounties provide continuous and scalable security coverage.
3. Model: The bug bounty pay-for-results model incentivizes greater depth and breadth of findings.

1. Uncover more high-quality vulnerabilities with a large and trusted crowd of testers.

Standard penetration tests are performed by a small number of testers, fundamentally limiting the perspectives and expertise brought to a project. Bug bounties exponentially increase the testing talent available and are just as safe as standard penetration tests.

[Chart: Average number of testers in a bounty program vs. a penetration test]

KEY BUGCROWD COMMUNITY STATS

60% of our active crowd have full-time security jobs, including penetration testers and security engineers.
Over 120 countries are represented in the crowd; the leading nations are India, United States, United Kingdom, Australia and Pakistan.
We've identified 18 distinct areas of hacking expertise within the crowd, including web, Android, iOS, hardware, firmware, Linux, network, and more.
81% have completed some level of higher education, many of whom studied Engineering or Computer Science.

Creativity, skill, and diversity: Not only is the testing pool much larger, but it is also more diverse, providing organizations with a broad set of skills and expertise.

Get an inside peek at the crowd >

2. Ensure constant security coverage with continuous and scalable security assessment.

The penetration testing model is limited in flexibility and only offers point-in-time assessment of code. Security assessment should be continuous, especially as development processes become more agile. Penetration testing can't offer that coverage. Bug bounties can.

[Chart: Vulnerability assessment coverage over time. Y-axis: security coverage; x-axis: time. Point-in-time penetration tests are marked between code releases, against continuous bug bounty coverage.]

BUGCROWD'S BOUNTY SOLUTIONS: Continuous, flexible, and scalable

Bugcrowd's bug bounty model allows organizations to leverage the power of the crowd in more ways than one.

Private or Public: Public programs are open to the entire crowd and receive high visibility and activity over time. With private programs, organizations can test within invitation-only environments and attract testers with skill sets based on their application needs. Learn about Public and Private Programs >

Continuous or On-Demand: While continuous programs provide 24/7 activity and coverage, on-demand programs can be used to test new products and features, or to fulfill pen testing needs. They allow organizations to utilize the crowdsourced model with a fixed investment. Learn about Bugcrowd On-Demand >

3. Pay for results, not man-hours, for improved quality and volume of vulnerabilities.

The penetration testing model incentivizes effort only and does nothing to incentivize high-quality results or volume. Bug bounties utilize a pay-for-results model that encourages deeper and more focused testing. Higher severity bugs carry a bigger incentive.

[Chart: Penetration test findings vs. bug bounty findings, broken down by severity (Critical, High, Medium, Low).] These results represent actual results of a Fortune 500 company's first 30 days of bug bounty findings compared to their penetration test results on the same scope. Read the full program details in the case study that follows.

BUGCROWD CUSTOMER CASE STUDY: How One Fortune 500 Company Replaced their Penetration Tests and Achieved 6x ROI

Program type: Initially launched as a private program limited to 50 vetted researchers, this Fortune 500 company launched its public program after three months.
Applications in scope: multiple web applications spanning multiple databases and technologies
Reward range: $100 to $3000

After years of running quarterly penetration tests across hundreds of domains and technologies, this financial services company recognized the need for a more scalable and innovative solution. With highly sensitive data and complex and vast technologies, they knew they weren't receiving the continuous coverage they needed. They implemented a bug bounty program to:
- Expand the breadth and diversity of their testing pool
- Scale their testing efforts across a broader attack surface
- Incentivize researchers to find and submit high-criticality vulnerabilities

Through the improved model and the breadth and depth of testers, the bug bounty program vastly improved their vulnerability assessment results and ROI. 90 vulnerabilities were reported to this Fortune 500 company's program within 30 days, compared to just 15 discovered by their previous penetration test. They also received 7 times as many critical and high severity vulnerabilities.

How do Bugcrowd programs deliver success?

Powerful Technology: Our powerful management platform, Crowdcontrol, efficiently and simply connects our crowd of researchers to your team, saving you time and money. Through Bugcrowd's automated triage and expert validation, you only receive actionable vulnerabilities. Learn more about Crowdcontrol >

Expert Management: Our security experts deliver in-depth program strategy and management expertise for every customer. Reduce the time and cost of communicating with researchers and managing submissions with dedicated support for every program running on our platform. Learn more about our team >

Trusted Crowd: Our crowd brings together tens of thousands of researchers that think like adversaries but act as allies to find vulnerabilities before they can be exploited. Bugcrowd's private programs offer crowd curation through a unique blend of behavioral data science and expert selection. Learn more about the crowd >

Getting Started

As the leading bug bounty provider, Bugcrowd is mastering the science of bug bounties. We've taught the market that they aren't one-size-fits-all, but in fact come in many different shapes and sizes. We know what it takes to launch and run a successful bug bounty program, tailored specifically to your organization. Visit bugcrowd.com/introduction to learn more.

The pioneer and innovator in crowdsourced security testing for the enterprise, Bugcrowd harnesses the power of tens of thousands of security researchers to surface critical software vulnerabilities and level the playing field in cybersecurity. Bugcrowd also provides a range of responsible disclosure and managed service options that allow companies to commission a customized security testing program that fits their specific requirements. Bugcrowd's proprietary vulnerability disclosure platform is deployed by Drupal, Pinterest, Western Union and many others. Based in San Francisco, Bugcrowd is backed by Blackbird Ventures, Costanoa Venture Capital, Industry Ventures, Paladin Capital Group, Rally Ventures and Salesforce Ventures.

Bugcrowd is a trademark of Bugcrowd, Inc.