The Department of Defense (DoD) and public sector at large confronts a cybersecurity landscape where asymmetric threats are the norm rather than the exception. Threat actors, wielding the element of surprise and the cloak of anonymity, often leave cyber defenders in a perpetual game of catch-up. 

The DoD and public sector can flip this dynamic with the integration of crowdsourcing as a pivotal component of their cybersecurity arsenal. 

Crowdsourcing as a ‘force multiplier’

There is an inherent power of crowdsourcing to level the battlefield against asymmetric cyber threats. The concept of the ‘force multiplier’ is well-understood within military strategy, denoting a factor that dramatically increases (multiplies) the effectiveness of an item or group. In the context of cyber defense, we propose the crowd—a global, diverse, and agile assembly of cybersecurity enthusiasts, professionals, and hackers—as this critical force multiplier. By harnessing the collective intelligence, creativity, and skills of the crowd, the public sector can enhance its defensive capabilities far beyond what could be achieved through traditional means alone.

Benefits of leveraging crowdsourced security in the public sector

There are several key areas where crowdsourcing offers tangible benefits to cyber defense strategies in the public sector and beyond. 

1. Accelerated vulnerability discovery–Crowdsourcing accelerates vulnerability discovery in systems out to the tactical edge. Crowdsourced security programs, such as bug bounties and vulnerability disclosure policies, have proven their worth in the commercial sector by identifying and mitigating risks at a pace unattainable by in-house security teams alone. Applying these models within the public sector can significantly shorten the window of exposure to new threats, thereby reducing the adversary’s advantage.
2. Enhances security of AI systems–The crowd enhances the security of AI systems, which are increasingly at the heart of public sector operations. As AI technologies evolve, so do the strategies of those who seek to exploit them. Crowdsourcing can facilitate a continuous, dynamic testing environment for AI systems, ensuring they are robust against both current and future threats.
3. Better skill and knowledge transfer–Crowdsourcing addresses the challenge of skill and knowledge transfer. Crowdsourcing initiatives not only serve as a mechanism for threat detection and mitigation, but also as platforms for learning and collaboration. By engaging with the crowd, the public sector can tap into a wellspring of knowledge, staying abreast of cutting-edge techniques and technologies in cybersecurity and AI.

Learning from CISA’s success

The Cybersecurity and Infrastructure Security Agency (CISA) is a great example of the success the public sector can achieve using crowdsourced security. CISA’s BOD (Binding Operational Directive) 20-01 requires all Federal Civilian Executive Branch (FCEB) agencies to develop and publish a vulnerability disclosure policy. CISA has partnered with industry to provide a platform enabling agencies to run Vulnerability Disclosure Programs (VDP) powered by Bugcrowd. Since launching in July of 2021, 40+ FCEB agencies have onboarded to the platform—including NASA, the National Labor Relations Board, the Department of Treasury, and Homeland Security. 

In 2022, 4,091 unique reports from hackers were submitted to FCEB agencies, with 1,330 unique validated vulnerabilities, 274 critical or severe vulnerabilities identified, and 1,119 vulnerabilities were remediated. The total number of vulnerabilities has already reached over 15,000 in less than 33 months. The best part of this is that the global crowd is doing a public service for these FCEB agencies through VDP programs.

“Our agency’s VDP hardly received any researcher attention prior to onboarding. We went from very little activity to a lot of activity, just by joining the VDP Platform,” the Department of Labor said. 

Getting started with crowdsourced security

As the public sector looks to implement crowdsourced security, they can lean on the expertise at Bugcrowd to provide a strategic framework, including guidelines for engaging with the cybersecurity community, ensuring ethical and secure collaboration, and advice for leveraging outcomes to foster a culture of innovation and resilience.

The public sector is standing on the precipice of a paradigm shift in how it approaches cybersecurity. Upgrade your cyber defense mechanisms from solitary reflexes to a coordinated immune system response, from isolated fortresses to a network of defenses, and from static defenses to adaptive resilience. Embrace the crowd as your most powerful ally in the fight against cyber threats.

The post Crowdsourced security as a ‘force multiplier’ in the public sector appeared first on Bugcrowd.

Hey My name is Rami (not Rami Malek). I was hired from the crowd and now work to improve the crowdsource security experience, often working behind the scenes. I’ve always had a laser focus on community and continuous improvement from my experience as a professional photographer, pentester, hacker success manager, and everything in between. My unique perspective and determination from my various career paths led me to understand various needs and communicate them to the right people in the right way. Now a part of the Customer Success team, I hope this blog post helps you find the highest value engagement(s) for your organization’s needs. 

Factors to consider before deciding on your engagement type

• Scope: First, you must determine the size and complexity of your digital assets and their potential vulnerabilities. This assessment will help you identify which engagement aligns best with your requirements.
• Budget: Different engagements come with varying costs. Consider your organization’s financial capabilities and evaluate the potential return on investment in terms of enhanced security.
• In-house vs. outsourced: Determine whether you have the internal expertise to handle the chosen engagement or if you need to collaborate with external cybersecurity experts.
• Regulatory compliance: Ensure that the chosen engagement complies with any industry-specific or legal requirements your organization must adhere to.
• Risk tolerance: Assess your organization’s risk tolerance and how much you are willing to invest in proactive cybersecurity measures.

1. Managed bug bounty engagements (MBB):

Managed Bug Bounty engagements incentivize independent hackers to discover and report security vulnerabilities in an organization’s digital assets. Customers then set a tiered reward structure based on the severity and impact of the vulnerability identified in accordance with the Bugcrowd Vulnerability Rating Taxonomy. Once a vulnerability has been submitted by a hacker the Bugcrowd Security Operations team will triage, reproduce and assess the vulnerability. This process eliminates the signal to noise ratio ensuring you’re notified of new and unique findings. Bugcrowd offers MBBs in multiple flavors to meet your specific needs: 

• Time-based:
  • Ongoing engagements
  • On-Demand engagements
• Visibility:
  • Public engagements
  • Private engagements

Ongoing vs on-demand bug bounty engagements

Ongoing MBBs allow hackers to engage with the customer environment over an extended period of time. Ongoing MBBs allow hackers to deliver high impact vulnerabilities over time, which may otherwise not be found through traditional testing methods such as penetration testing Ongoing MBBs provide time and space for hackers and customers to build rapport and establish a level of trust. It’s not uncommon for hackers with strong rapport to exclusively hack on a single engagement/customer as a result of this. I like to call them ‘anchor hackers.’ Some anchor hackers have even been offered full-time jobs!

The benefits of running an ongoing MBB include:

• Impactful and ongoing testing
• Integrates into your long-term security posture
• Provides an ongoing level of assurance external from your security team
• Introduces new hackers over time

On-demand engagements offer two primary differentiators from ongoing programs. Their timeboxed nature provides a highly competitive and rewarding environment for hackers. They may be used to compliment ongoing engagements or to differentiate from them.

The benefits of running an on-demand MBB include:

• Time bound approach: On-demand engagements offer 2 or 4 week timeboxes, providing hackers with a highly competitive environment with increased rewards and unique scope.
• Set reward pool: Using a fixed reward pool ensures customers don’t go over-budget while ensuring hackers are appropriately compensated for their expertise. Customers typically use on-demand engagements as a first step towards the crowdsourced security space, or where they may have flexible spending that may not allow for an ongoing engagement just yet.
• Targeted scope: The highly competitive nature of on-demand engagements allow smaller groups of hackers to target areas with great concern. Successful on-demand engagements are often used to test new features, business-critical systems, and used as a warm up prior to releasing the assets to an existing on-going program.
• Pen testing use cases: They are increasingly used in pen testing use cases as well; in fact, we have customers who have completely replaced traditional pen tests with them.

Public vs private bug bounty engagements

There are two visibility options for MBB engagements, public and private.

Public bug bounty engagements are open to everyone. They’re often a best fit for large organizations with a security team equipped or even dedicated to hosting a bug bounty engagement. Your organization is most likely already quite secure and braced for attacks.

Benefits of public engagements:

• Largest form of exposure 
• Largest talent pool available
• Community engagement
• Showcases strong security posture

Considerations before launching a public engagement:

• Requires skilled team to manage
• Significant exposure 
• Increased noise

Invite only (or private) engagements are highly sought after due to their scarce nature. Hackers often look for large scope, high rewards, and low competition in private invites. The scarce nature leads to highly motivated hackers with more potential opportunity to identify vulnerabilities and gain rewards. Participation requires an invitation by Bugcrowd or your organization. The scope, rules, and rewards are shared with the invited hackers, but not with the general public.

Benefits of private engagements:

• Controlled testing
• Increased confidentiality
• Competitive activity
• Tailored to your needs as an organization
• Segregates different stakeholders and entities
• Introduces crowdsource security in a safer manner in your organization.

Considerations before launching a private engagement:

• Increased crowd management 
• Additional effort to manage compared to public programs 

Overall, managed bug bounty engagements are a great fit for small and large organizations across the globe. If one of the following applies to your organization, managed bug bounty engagements may be right for you:

• You have a large-scale attack surface
• You want to tap into the collective power of a global security community to find diverse and hidden vulnerabilities
• Your organization is able to offer financial rewards to ethical hackers for their discoveries

2. Vulnerability Disclosure Program (VDP):

Vulnerability Disclosure Programs (VDPs) are a “see something, say something” model, offering a public space to safely submit and disclose vulnerabilities to an organization. 

Unlike MBBs, they focus on encouraging responsible individuals to disclose security vulnerabilities directly to the organization with Safe Harbor. While most organizations welcome this information and behavior, the lack of a defined channel or process can carry risk, often disincentivizing people to report vulnerabilities. VDPs offer a comprehensive range of submission channels, triage, integration, and reporting capabilities.

When to choose a VDP:

• Your organization is ready to take their first step towards crowdsourced security
• You value transparency and open communication with hackers
• Regulatory/government mandates may require you to have one
• You want to promote responsible disclosure within the security community
• Your organization is ready to acknowledge and address security issues promptly

3. Penetration testing:

Penetration testing is a controlled and simulated cyberattack on a system, network, or application to identify weaknesses that could be exploited by malicious actors. Unlike bug bounty engagements, our crowd powered Pen Testing as a Service (PTaaS) is carried out by a large vetted pool of skilled hackers from the crowd. They simulate real-world attacks to assess vulnerabilities and provide a detailed report of their findings offering expertise unmatched by traditional pentesting services. According to your testing requirements, our specialized team and our agile processing can yield results in a matter of days. Throughout the testing phase, you will use the Bugcrowd Platform to gain access to real-time, prioritized findings, facilitating prompt remediation actions.

It’s common to see organizations pair their pentests with a bug bounty engagement to maximize risk reduction. 

When to choose penetration testing:

• Pay-for-effort in a time bound approach
• Leverage hackers with specialist skillsets and experience.
• Governance risk and compliance requirements
• Risk posture requires testing to be performed in a specific manner

4. Attack surface management

Bugcrowd’s Attack Surface Management (ASM) goes beyond traditional vulnerability assessments. Most hackers will tell you reconnaissance (recon) is arguably the most important step in the hacking process. Sw33tlie emphasizes recon over time in this blog post. Levering the power of the crowd, ASM combines technology, data, and hacker ingenuity to discover all digital assets (even the hidden ones) within an organization’s ecosystem. By identifying rogue assets, it helps your organization evaluate risk, inventory known assets, and prioritize remediation efforts. It offers a comprehensive approach to managing an organization’s attack surface continuously.

When to choose attack surface management:

• You want a holistic view of your organization’s cybersecurity posture, including forgotten, rogue, or unknown assets.
• You want to discover assets, not exploit them.
• You have a rapidly evolving organization with a complex attack surface to manage.
• You need a solution to help you continuously discover, prioritize, and mitigate risks associated with your assets.

The world of crowdsourced security can be confusing, but by carefully evaluating the options and understanding your organization’s specific needs and priorities, you can make an informed decision that aligns perfectly with your cybersecurity goals.

Thanks for taking the time to read my blog post. If you’re still hungry for more, you can learn about the role of our TCSM team in continuing your success with crowdsourced security, written by my good friend Elle. 

You can find me on Twitter, and LinkedIn. I’d love to hear from you!

The post Demystifying crowdsourced security: How to choose the right engagement for your organization appeared first on Bugcrowd.

These sightings have me thinking about a phrase we’ve said here at Bugcrowd for almost a decade now—”the unlikely romance between hackers and security teams.” We’ve been talking about this surprising dynamic for years, and as the CISO at Bugcrowd, I’d like to share my thoughts specifically on the relationship between hackers and CISOs/security leaders. 

What exactly does an “unlikely romance” mean? 

To truly understand this “unlikely romance,” you first need to understand what I mean when I say “hacker.” Defining a hacker is harder than one might think. Most people probably consider a hacker and a cybercriminal to be one in the same. Merriam-Webster defines a hacker as “an expert at programming and solving problems with a computer.” That doesn’t sound like a cybercriminal, does it? 

“Hacker” is the dominant self-descriptor used by the cybersecurity community to refer to “the good guys.” Other terms you may have heard include ethical hackers, white hat hackers, and security researchers. The confusing part is threat actors, aka “the bad guys,” also call themselves hackers. For my purposes in this blog (and the rule of thumb at Bugcrowd), when I say “hackers,” I’m talking about the good guys. 

There is so much misinformation out there about the hacking community. Long-standing stereotypes of faceless criminals in hoodies come from pop-culture depictions. These stereotypes lead to assumptions that CISOs are actively fighting against hackers. This is where the concept of an “unlikely romance” really comes into play. People expect CISOs and hackers to be working against each other, not together for the greater good. 

Hackers + CISOs = ? 

Some of the challenges security leaders are facing may feel like old news, but that doesn’t make them any less relevant to our strategic initiatives. For example, the cybersecurity skills gap has been the subject of many articles, yet it is still a major struggle for security teams around the world. ISC2’s recent study found that the cybersecurity skills gap grew 12.6% last year, even though the cybersecurity workforce grew by 8.7%. 

Pair this with the fact that the attack surface is always evolving, it really creates a perfect storm. There is always the next “big threat” looming—for example, right now, it’s AI threats. CISOs simply don’t have the time or resources to constantly adapt to prepare for what’s next while still dealing with the pressure that comes from an under-staffed team. 

I’m speaking with a lot of fellow CISOs at the moment who are looking to counter this challenge and the cybersecurity skills gap and help their security teams scale by broadly adopting the crowdsourcing of human intelligence via the hacker community. Partnering with hackers helps continuously weed out unique or previously unidentified vulnerabilities that their internal offensive security teams cannot—not just from a technical point of view, but also from time to scale-up or go deep in “breaking” new technology perspectives. 

CISOs should be partnering with hackers to extend the reach of their security teams and proactively secure their attack surface or find that hidden “golden nugget” of a bug. This partnership can be achieved at scale through a trusted crowdsourced security vendor. 

One statistic from Inside the Mind of a Hacker that really shatters hacker stereotypes is the fact that 77% of hackers report working in IT or cybersecurity full time. That’s right—over three quarters of hackers work in traditional IT or cybersecurity roles. Chances are, you probably have someone on your security team right now who hacks on the side on the Bugcrowd Platform. 

In my personal view, partnering with hackers does not increase operational risk; instead, it only decreases risk, as it enables the earlier identification of vulnerabilities harvested by experts in the security community before attackers can discover and exploit them.

Building a relationship that can go the distance

We’ve established the need to work with hackers via crowdsourced security models, but how do CISOs:

1. Find the right hackers to work with
2. Develop long-lasting, mutually beneficial relationships with hackers

To extend the Valentine’s Day/unlikely romance theme, they say there are a lot of fish in the sea, but most people aren’t looking for all of the fish…they’re looking for the right fish. 

It’s the same with hackers. Some crowdsourced security companies throw bodies at the problem, thinking a higher quantity brings better results. That’s not exactly true. You want to look for quality in the hackers you partner with, not quantity. 

To do this, leverage a company like Bugcrowd that expertly pairs organizations with hackers based on skill sets, target types, and precisely the right experience. For example, Inside the Mind of a Hacker found that 70% of hackers identify web applications as their area of hacking specialization. By nature of that fact, three quarters of hackers other vendors pair your organization with would have that specialty…but what if you’re looking for network pen testing or recon/asset discovery? Blindly throwing bodies at a problem is just going to create noise and not give you the best solution. You need the right hackers with the right skill sets for your specific situation. 

By the way, if you’re still on the fence about working with hackers, you can always take a crawl, walk, run approach. By leveraging a select number of curated hackers with small-scope proof of value (POV), CISOs can safely and effectively mitigate the perceived risk of crowdsourced security. Running this POV gives a CISO’s team familiarity with the platform, triage services, and customer success capabilities. As CISOs become more accustomed to the crowdsourced model, they are likely to go wider and deeper— sometimes straight to a public program to glean the ultimate benefits from a bigger, more diverse community of hackers.

Going back to my second point, it isn’t just about finding the right hackers, it’s also about nurturing good relationships with them. By investing in your organization’s relationship with the hacker community, you’ll foster goodwill, more continuous testing, and attract more hackers to your programs. 

Ways to foster these relationships include responding to hacker submissions quickly, investing in a crowdsourced security platform with excellent triage capabilities, and offering program rewards within market ranges. 

How Bugcrowd can help

Crowdsourced security platforms like Bugcrowd make the unlikely romance between hackers and CISOs possible. By leveraging penetration testing as a service, vulnerability disclosure programs, and managed bug bounty programs, CISOs can expand their team’s reach, partnering with the hacker community as an extension of their team. 

The post The Unlikely Romance Between Hackers and CISOs appeared first on Bugcrowd.

In a recent conversation, we had the opportunity to speak with the Director of Cybersecurity at a leading data networking organization. Our discussion provided insights into their experience launching a Vulnerability Disclosure Program and shed light on the current threat landscape. 

This director is a winner of Cyber Defense Magazine’s 2023 Top Global CISO Award with over 19 years of experience in the IT security field. This Bugcrowd customer is a data networking hardware leader that strives to build the world’s most reliable, innovative, future-ready wireless technologies that securely connect every person and everything, effortlessly.  

AI threats and the cybersecurity skills gap

We spoke to their director, who is seeing major changes to the threat landscape since the beginning of the pandemic, specifically in the complexity of security threats and the prevalence of automated and AI-based cyber threats. “As vulnerabilities and threats continue to increase and become more complex in the wake of AI-based cyber threats, security professionals need to upskill themselves in automation and AI-based technologies to tackle such threats,” they said. 

They also cite the cybersecurity skills gap as one of the top security risks impacting organizations at the moment. “We are at the cusp of an ever-changing technology landscape and evolving, sophisticated security threats. Without adequate cybersecurity skills, organizations are at a significant risk of getting compromised.” 

They predict the cybersecurity skills gap will continue to increase in the short term, but they aren’t without hope. “The security industry has been a pioneer in hiring people from diverse technology and education backgrounds, helping them train in cybersecurity skills to fix the hiring gap,” they said. They recommend that organizations focus on investing resources in their cybersecurity personnel to ensure they stay updated on the latest and greatest with respect to cybersecurity skills. “Cybersecurity upskilling should be one of the top business priorities in the organization.” 

Leveraging crowdsourced security to address the cybersecurity skills gap

Crowdsourced security is another way to address the cybersecurity skills gap, helping organizations connect with thousands of security experts around the world. The data networking organization decided to partner with Bugcrowd to establish a Vulnerability Disclosure Program (VDP) in order to help manage the vulnerabilities reported by the hacker community. With the help of Bugcrowd, they were able to put a structure to vulnerability submissions, helping them comply with security, compliance, and regulatory requirements. 

Beyond compliance requirements, they explored adopting a VDP because they wanted to do everything possible to proactively reduce risk exposure, innovating in security instead of just checking boxes. “We want to visibly demonstrate our commitment to security, building productive relationships with the hacker community. We want security testing and remediation to keep up with the pace of innovation,” they said. 

They chose to partner with Bugcrowd because it offers a multi-solution platform, extensive experience and a track record of fast triage response times, reporting and analytics capabilities, adoption and integration, and emphasis on long-term success. Looking forward, they intend to complement their VDP with other Bugcrowd products, including launching a Managed Bug Bounty program and utilizing Pen Testing as a Service. 

The post The Cybersecurity Skills Gap in a Changing Threat Landscape appeared first on Bugcrowd.

Offensive Security Defined 

In simple terms, offensive security involves testing an organization’s defenses by conducting simulated attacks to identify any weaknesses that can be exploited. The goal of offensive security is to discover vulnerabilities before malicious actors can exploit them, and to make necessary adjustments to improve security. It’s a proactive approach to cybersecurity that complements defensive measures like firewalls, antivirus software, and intrusion detection systems.

Offensive Security vs Defensive Security 

Defensive security is a reactive approach that focuses on securing an organization against potential threats. It often relies on securing the perimeter and applying established best practice in tactical areas like security hygiene, data handling, or access controls, as well as strategic considerations such as defense in depth or zero trust.

Offensive security is a proactive approach that turns theory into practice. It means looking at security as a problem to be solved, rather than an abstraction. The goal of offensive security is to actively identify and fix vulnerabilities before they can be exploited, often by applying creativity to an organization’s specific assets, practices, and subjective posture.

Both approaches are essential for a comprehensive cybersecurity strategy. However, the main difference is that defensive security is focused on preventing attacks, while offensive security is focused on finding and fixing vulnerabilities.

Types of Offensive Security

There are a number of approaches to offensive security: one common theme is that while they are supported by automation, human hackers play a crucial role. 

• Penetration Testing—Penetration testing, or pen testing, simulates an attack on an organization’s systems and networks, where experts find vulnerabilities by testing, often in line with defined methodologies. You also have the option of more sophisticated pen testing delivered as penetration testing as a service (PTaaS).
• Red Teaming—Red teaming began as a military exercise in the 1960s, where a group representing the Soviet Union would act as the “red team” in simulations against the US “blue team.” Similar to pen testing, red teams act as attackers to discover and exploit security vulnerabilities and weaknesses. Where pen testing typically takes place for a set time and draws more from methodologies and meeting compliance standards, red teaming is more flexible and tests processes and people as well as technology.
• Blue Teaming—Blue teams are the counterpoints to red teams, seeking to foil attacks during security exercises by playing defense. They focus on modeling threats and preventing incidents, as well as responding to incidents and countering attacks by the red team.
• Purple Teaming—Purple teams combine red teaming and blue teaming by breaking down silos and emphasizing communication while addressing security challenges. They focus on enabling collaboration between the two groups and synthesizing their skills and experiences. For more on applying the latest team colors to cybersecurity, take a look at our blog on the topic. 
• Social Engineering—Social engineering involves manipulating individuals or groups within an organization to gain access to sensitive information. It can target the whole range of human emotions and biases, and tactics might include sending texts or emails claiming to be from a trustworthy entity to acquire sensitive data (phishing), or even using recordings of crying babies to emotionally manipulate employees into sharing sensitive data.
• Managed Bug Bounty Programs—Bug Bounty Programs are initiatives that incentivize hackers to test digital assets and find vulnerabilities in exchange for financial rewards. By making these rewards proportionate to the criticality of the bugs submitted, they offer clear ROI to buyers while tapping into hackers’ offensive impulses in order to improve security.
• Vulnerability Scanning and Management—Vulnerability scanning involves using automated tools to scan an organization’s systems and networks to find vulnerabilities. While these scans are a useful component in the offensive security toolkit, they need further expert input in order to interpret results and ultimately resolve vulnerabilities.
• Attack Surface Management—Attack Surface Management (ASM) is the process of defining and cataloging an organization’s entire IT footprint, then rapidly identifying and prioritizing risks deriving from these assets. Because the vast majority of organizations’ assets are growing, it is often possible for shadow IT to grow with it, and ASM pairs advanced scanning software with recon experts to find every asset and deal with their associated risks.

What are the Benefits of Offensive Security? 

• Separates theory from practice

Traditional security focuses on best practice and builds defenses based on presumptions and expectations of how malicious actors would behave. Investing in offensive security is an opportunity to put these theories to the test and see how defensive measures hold up against active tests. It’s a way of stress testing any assumptions baked into your security, and potentially finding blind spots or gaps.

• Draws from established methodologies as well as the latest techniques

Offensive security covers the application of tried and tested methodologies, particularly in pen testing, as well as tapping into the latest innovations from emerging technologies and associated techniques. Bringing this range of knowledge to bear amounts to a comprehensive test of your security that can provide clear recommendations on handling vulnerabilities, as well as a confident assessment of your security posture.

• Ensures compliance in industries that require testing

Certain industries, such as financial services and defense, have high standards of regulation, which includes security. Companies operating in these sectors often need to demonstrate the use of offensive security such as pen tests to meet these requirements and assure regulators that security standards are being met, avoiding associated penalties.

• Provides rapid feedback on security posture and ROI

Security can be hard to define and benchmark, with Knightian uncertainty common and some risks difficult to quantify. Offensive security can offer quick feedback through testing, as well as providing clear ROI from spending on “pay for results” investments such as bug bounty programs.

• Creates a strong security brand by publicly following best practice

Some great minds have considered how to define security: it is a process rather than a destination, an emergent property rather than a characteristic. But we also believe that high quality security means engaging with the security community, which includes these thinkers as well as the hackers, testers, developers, and more. Investing in offensive security is a way to engage directly with some members of this community, but also a way to build a brand for taking security seriously. Like any brand this helps your relationship with stakeholders, including regulators, employees, prospective hires, and customers.

Offensive Security Frameworks 

Offensive security frameworks are methodologies that security professionals use to understand the tactics, techniques, and procedures (TTP) of cyber adversaries. These frameworks provide a structured approach to identify vulnerabilities, simulate real-world attacks, and develop strategies to mitigate potential threats. All frameworks provide valuable insights into attacker behavior, and they should be used together for the most comprehensive understanding of offensive security.

Three of the most widely recognized offensive security frameworks are the MITRE ATT&CK, Lockheed Martin Cyber Kill Chain, and the Mandiant Attack Lifecycle.

• MITRE ATT&CK—A globally accessible knowledge base of adversary tactics and techniques based on real world observations. This framework describes the actions that an attacker may take after gaining access to a system or network, and is divided into a series of matrices focusing on different environments. MITRE regularly updates the framework with new findings from cybersecurity research.
• Mandiant attack lifecycle—Also known as the Cyber Attack Lifecycle, this framework lays out the stages of an attack from the adversaries’ perspective. By understanding each stage, defenders can identify weak points in their security posture and implement necessary controls to prevent or disrupt attacks.
• Cyber Kill Chain—Developed by Lockheed Martin, this framework also provides a seven-part blueprint for the stages of an attack. By understanding the sequence of events in an attack, this helps organizations to implement appropriate countermeasures at each stage and ensures a comprehensive approach to security.

Offensive Security Tools

There are too many tools to cover in one post, but the below list includes some of the trusty hacker aids that are commonly used. It’s worth noting that many are open source, and ingenuity is more important to hackers than proprietary investments. 

• Sliver—Somewhere between a tool and a framework, Sliver is a highly configurable, open-source approach for post-exploitation use. Designed by Bishop Fox, it offers red teams capabilities such as defense evasion and privilege escalation.
• Metasploit—This robust open-source platform is beloved by hackers and used for developing, testing and executing exploit code against remote machines. Its modular architecture allows users to create custom modules, and its influence on offensive security even led one blogger to coin HD Moore’s Law that “Casual Attacker power grows at the rate of Metasploit”.

• Burp Suite—A comprehensive testing tool for web applications that enables testers to identify vulnerabilities in web applications. Burp Suite has a wide range of features and is considered to have a user-friendly interface.

• Nmap—This open-source utility for network discovery is used for port scanning and network exploration. As well as having a flexible feature set that allows it to be used by network administrators and red teams alike, it is also Hollywood’s favorite security tool and has had cameos in The Matrix Reloaded, Oceans 8 and Die Hard 4.

• Sn1per—An open-source tool for automating vulnerability scanning and penetration testing. This can automate fingerprinting, Google hacking and even brute-forcing.

• Cobalt Strike—Emulates tactics and techniques associated with quiet, long-term threat actors embedded in a network. This provides a range of capabilities including reconnaissance, delivering payloads and establishing command and control channels.
• ZAP—This open-source web application scanner was developed by the Open Web Application Security Project (OWASP) and is the world’s most widely-used security scanner. It acts as a proxy, capturing data in motion and determining how the application responds to possibly malicious requests.

TL;DR–Offensive Security

It is hard to know how good a new car is until you have taken it for a ride. Offensive security is the practical, hands-on approach to ensuring that the steps you are taking to protect your organization are paying off, and to finding any gaps or oversights across your estate. It tests your assets, your tools, your processes, and even your people. While it is necessary for compliance in some sectors, the main benefit is the practical benefits of knowing how your defenses stack up against attackers.

Investing in offensive security is a way of getting skin in the game and having an accurate assessment of security posture. The best way to start is by investing in crowdsourced security testing: this allows you to access offensive security while only paying for results. To see how Bugcrowd can help, take a 5-minute tour of the platform. 

The post What is Offensive Security? appeared first on Bugcrowd.

We’re absolutely ecstatic to release our flagship annual report: Inside the Platform: Bugcrowd’s Vulnerability Trends Report. You may remember this piece based on its previous name: Priority One. 

What is Inside the Platform?

Inside the Platform is a magazine-style piece that features an analysis of all the crowdsourced security vulnerability submissions handled through the Bugcrowd Platform in 2023. The report leverages these data to offer trends and insights for CISOs and security leaders. 

Specifically, the report looks at vulnerability submission data from every possible angle to attempt to predict the future of cybersecurity. In writing this report, we examined overall submissions, critical submissions, payout data, notable targets, VRT categories, and public vs. private programs. We also broke down the data into six key industry categories. Using this analysis, we forecasted trends and made recommendations on what levers to pull in a crowdsourced security program to achieve success. 

The report also includes qualitative interviews with Bugcrowd customers, thought pieces on the value of an open scope program and how different hacker roles contribute to crowdsourced security, social media spotlights, legal work being done to make hacking safer, and more. 

Key takeaways from Inside the Platform

The 12 articles that Inside the Platform are composed of are jam-packed with data, but here are five highlights:

1. Higher Rewards—The most successful programs were those that offered higher rewards (e.g., $10,000 or more for P1 vulnerabilities).
2. Open Scope—Programs with open scopes saw 10x more P1 vulnerability submissions than those with limited scopes. 
3. Vulnerability Submissions by Industry—The government sector experienced a 151% increase in vulnerability submissions and a 58% increase in the number of P1s rewarded in 2023 compared to 2022. 
4. P1 Payouts by Industry—The financial services industry and government sector offered the highest median payouts for P1 vulnerabilities ($10,000 and $5,000, respectively). 
5. AI—A new AI-related category was added to Bugcrowd’s Vulnerability Rating Taxonomy (VRT). This addition reflects the profound influence that AI has had and will have on the threat environment and the ways that hackers, customers, and the Bugcrowd triage team view certain vulnerability classes and their relative impacts. 

Where to find more information

The report is live! Keep an eye on our social media for breakdowns of the report from experts at Bugcrowd, plus a webinar later next month. 

The post Inside the Platform: Bugcrowd’s Vulnerability Trends Report appeared first on Bugcrowd.

AI changes the threat landscape, by a lot.

In my daily life as a Cybersecurity Solutions Architect, I see countless vulnerabilities coming into Bug Bounties, Vulnerability Disclosure programs, Pen Tests and any other form of intake for security vulnerabilities. AI has made it easier for hackers to find and report these things, but these are not the risks that break the major bones in our very-digital society. It’s (mostly) not about vulnerabilities in applications or services, it’s about losing the human factor and trust in digital media and the potential of loosing any privacy. Here is my forecast regarding the most prevalent and concerning challenges arising from artificial intelligence in the year 2024 and it’s not all about cybersecurity.

1. Deepfakes and their Scams

Many of us have seen the Tom Hanks deepfake where his AI-clone promotes a dental health plan. Or the TikTok video falsely presenting MrBeast offering new iPhones for only $2.

_Source

Deepfakes are now as easy to produce as ordering a logo online or getting takeout. There are a lot of sellers on popular gig-economy platforms, that will produce realistic enough looking deepfakes of anyone (Including yourself or any other person you have a picture, a voice or both of) for a few bucks.

Armed with that a threat actor can make any person including celebrities do anything. This ranges from promoting fake crypto-sites to altering history books. This is extremely critical, especially in a time, where we are rewriting history books for the better accuracy and not only from the winning party’s point of view.

Exhibit A: Below image took 1 minute to produce

_{Image composed by author with Midjourney.}

Their rise in usage has more than doubled in 2023 compared to 2022. And according to a 2023 report by Onfido, a leading ID verification company, there has been a staggering 3000% increase in deepfake fraud attempts this year as well.

With image generators and refined models, one is already able to create realistic verification images for any type of online verification all while keeping the original identifiers of that person intact (looks, bio-metrics, lightning and more) and without looking generic.

_{Image created by Reddit user _harsh_ with Stable Diffusion| Source}

Unsurprisingly the adult entertainment industry has rapidly embraced emerging technologies, leading to a troubling surge in the creation of non-consensual explicit content. Whatever you feed an AI it will create, much to the suffering of people not consenting to having their face and body turned into an adult film actor or actress. Tragically, this misuse extends to the creation of illegal and morally reprehensible material involving minors (CSAM). The ease with which AI can be used for such purposes highlights a significant and distressing issue with the unregulated usage of image generators.

On the more economic side of things, AI-Influencers are already replacing the human ones. No more influencer farms (a shame I know), as they might be too costly to operate, when you can achieve the same outcome and even more with just some servers with powerful GPUs.

Social selling factory in Indonesia

This is UGC industrial mass production. This is a freaking factory.

Selling things online is changing so fast. Everything is changing so fast.

This is unreal pic.twitter.com/8rig77MGuR

— Linus (●ᴗ●) (@LinusEkenstam) August 20, 2023

While this might not be as concerning on the first glance, the ability to have a non-person with millions of followers stating fake-news or promoting crypto-scams, Multi-Level Marketing schemes is just a post away.

While the use of convincing deepfakes in financial scams is still uncommon to this date, it will surge drastically with the rapid evolvement of models trained. And it will be more difficult to distinguish what is real and what not really fast.

2. Automation of Scams (Deep Scams)

Let’s talk more about scams because there are so many variants of them. And so many flavors of how to emotionally manipulate people into giving away their hard-earned money.

Romance-scams, fake online-shops, property scams, pig butchering scams, the list goes on and on — every single one of those will be subject to mass-automation with AI.

Romance Scams

A realistic photographic evidence of a spontaneous snapshot taken with a smartphone turns out to be just another fake generated image.

_{Image created by Reddit user KudzuEye | Source}

Tinder-Swindler style romance scams are skyrocketing and we can expect even more profiles of potential online-romances to be fully generated images and text messages.

Fake Online Shops

“Have you heard about the new Apple watch with holo-display? Yeah, pretty nice, and only $499 here on appIe.shop”

(notice the capitalized “i” instead of the l in apple”)

AI makes it easy to clone legit online shops, create ads of fake products, spamming social media and paid advertising services and rack in profits.

_{Image composed by author with Dall-E 3.}

A 135% increase of fake online shops in October 2023 alone speaks volumes on the effortless creation of such sites.

Property (AirBnB, Booking-sites) scams

Looking for a nice getaway? Oh wow, right at the beach, and look, so cheap at the exact dates we’re looking for — let’s book quickly before it is gone!

AirBnB scams like this one and others are on the rise. When you arrive at your destination the property does not look like the images advertised or doesn’t even exist at all. The methods are easy to replicate over and over again and platforms are not catching up fast enough in identifying and removing those listings. Sometimes, they don’t even care.

_{Image composed by author with Dall-E}

And it’s not all about creating realistic looking visuals, also text-based attacks too.

Let’s go back to the age-old “Nigerian-prince” or 419-scam. According to research done by Ronnie Tokazowski, the new-ish way of these scammers making bank is using BEC (Business Email Compromise) on companies or individuals.

For context: this usually involves using a lookalike domain (my-startup[dot]com instead of mystartup[dot]com) and the same email alias as someone high up in the company asking another person in the company to transfer money or gift cards on their behalf.

Which is a pretty and low level point of entry and can be scaled to an infinite amount of messages that all differ in language, wording, emotion and urgency with the help of Large Language Models (LLMs).

More distinguished threat actors could try matching the style and wording of the person that actor is impersonating, automate the domain registration, email alias creation, social media profile creation, mobile number registration and so on. Even the initial recon can be done by AI just by feeding it social profiles of the company or “About Us” pages, marketing emails, invoice gathering and much more. All until their model becomes a fully automated scam machine.

The inner workings of these so-called “pig butchering” scams are not only sinister and deeply disturbing. Reports suggest these operations are not only involved in regular and extreme criminal activities, but are also linked to severe acts of violence, including human sacrifices and armed conflicts.

In conclusion, the staggering efficiency that AI brings to any of these scams, properly 1000-folds it, only intensifies the situation for our society.

3. Privacy Erosion

George Orwell’s seminal dystopian novel “1984”’ was published seven decades ago, marking a milestone in literary history. The popular Netflix Series “Black Mirror” was released less than a decade. And it really doesn’t matter which one we take to compare the current state of AI Surveillance in the world — all under the cloak of security of the public. We have arrived at the crossroads and have already stared to take a step forward. In 2019 CARNEGIE reported a big surge of mass surveillance via AI technology.

_{Image courtesy of carnegieendowment.org | Source}

If you like to see an interactive world map of AI Global Surveillance (AIGS) data, you can go here.

By 2025, it is projected that the digital data will expand to over 180 zettabytes (180.000.000 terrabytes). This immense amount collected, particularly in the realms of mass surveillance and profiling of internet users and people just walking down the street needs to be put into a context for whatever analysts want to use it for — for good I assume of course. AI technologies are set to play a crucial role in efficiently gathering and analyzing vast quantities of data. It is true, a trained AI model is faster, cheaper and often better than a human in:

• Data collection (AI web scrapers automatically collect data from multiple online sources, handling unstructured data more effectively than traditional tools. It can also take thousands of video feeds to analyze all at once.)
• Data mapping (With the right training data mapping via machine learning can be a very fast process and relationships between entities are becoming apparent very rapidly)
• Data quality (Data collection and mapping are just the beginning; identifying errors and inconsistencies in large datasets is crucial. AI tools aid by detecting anomalies and estimating missing values accurately and much more efficient than any human)

But what are we talking about here? Tracking movements of terrorist and people that are dangers to society? Or are we just tracking everyone — just because we can?
> Already the latter.

Everyone in society plays their part too. Alongside the issue of external mass surveillance, there is a growing trend of individuals voluntarily sharing extensive details of their lives on the internet. Historically, this information has been accessible to governments, data brokers, and advertising agencies.

Or people with the right capabilities knowing where to look. ”Fun” fact, this video is 10 years old.

However, with the advent of AI, the process of profiling, tracking, and predicting the behavior of anyone who actively shares things online has become significantly more efficient and sophisticated. George Orwell might have been astonished to learn that it’s not governments, but consumers themselves who are introducing surveillance devices into their homes. People are willingly purchasing these devices from tech companies, effectively paying to have their privacy compromised.

“Alexa, are you listening?”

Imagine funneling an array of all this data, dump it into a trained model that profiles a person based on purchase history, physical movements, social media posts, sleep patterns, intimate behaviors and more. This level of analysis could potentially reveal insights about a person that they might not even recognize in themselves. Now, amplify this process to encompass a mountain of data on countless individuals, monitored through AI surveillance, and you could map out societies. What was once possible for governments or Fortune500 companies, becomes available to the average user.

With ease, the concept of the “Glass Human” — an individual whose life is completely transparent and accessible — is closer to reality than ever before, representing a scenario where individuals are transparently visible and easily analyzed in great detail.

4. Automation of Malware and Cyberattacks

Every malware creator’s wet dream is the creation of self-replicating, auto-infecting, undetectable malicious code. While the automation part came true a long time ago, the latter is now a reality as well.

It’s not difficult to imagine that such technology may already be deployed at a scale by ransomware groups and Advanced Persistent Threats (APTs). With evasion techniques that is making recognition and detection of harmful code an impossible task for tradition defense methods. Meaning, we already have code that is replicating itself into a different form, with different evasion techniques on every machine it infects for a few months now.

Personally I believe that by the end of writing this article, we already have above deployed and working in the wild.

In the realm of cyber-attacks, the sophistication is increasing rapidly with the help of LLMs, but also the possibility to launch multiple attack-styles all at once to overwhelm defense teams is not a far-fetched scenario anymore.

Instead of trying to tediously find a single vulnerability to gain access into a company’s application or chain multiple together, threat actors can launch simultaneous attacks at once to see which one works best and leverage the human factor to gain access or control.

Picture a multifaceted cyber-attack scenario:
A company’s marketing website is hit by a Distributed Denial of Service (DDoS) attack. Simultaneously, engineers working to fix this issue face Business Email Compromise (BEC) attacks. While they grapple with these challenges, other employees are targeted with phishing attempts through LinkedIn. Adding to the chaos, these employees also receive a barrage of Multi-Factor Authentication (MFA) spamming requests. These requests are an attempt to exploit their credentials, which may have been compromised in data breaches or obtained through credential stuffing attacks.

All these attacks can be coordinated simply by inputting endpoints, breach-data and contact profiles into a trained AI model.

This strategy becomes particularly alarming when it targets vital software supply chains, essential companies, or critical infrastructure.

5. Less Secure Apps

Speaking from years of experience: I can attest to a common trait among us developers: a tendency towards seeking efficiency, often perceived as laziness *coughs*. It comes as no surprise that the introduction of AI and Copilot apps made tedious tasks a thing of the past. However, an over-reliance on these tools without fully understanding their outputs, or how they fit into the broader context and data flow, can lead to serious issues.

A recent study revealed that users utilizing AI assistants tended to produce code that was less secure compared to those who didn’t use it. Notably, those with access to AI tools were more prone to overestimating the security of their code, aka blindly copy & pasting everything into their codebase.
The study also highlighted a different but crucial finding — users who were more skeptical of AI and actively engaged with it, by modifying their prompts or adjusting settings, generally produced code with fewer security vulnerabilities. This underscores the importance of a balanced approach to utilizing AI in coding, blending reliance with critical engagement. Simultaneously, these tools such as GitHub Copilot and Facebook InCoder have a tendency to instill a false sense of confidence among developers regarding the robustness of their code.

But what does that mean in an economy where Move fast and break things is still a common mantra among startups and established companies?
Yes exactly, we will end up with less secure products that have so many security issues, so many privacy flaws and an overall lack of care about users’ data.

In Summary

… we need to balance the scales!

We are at a crossroads in technological development, where the creations we bring to life must not only understand humanity but also align with its long-term interests and ethics (we also need better ethics to begin with). The stakes are incredibly high, as the potential benefits of these advancements could be the greatest we’ve ever seen, yet the risks are equally monumental.

Key to navigating this minefield is the preservation of privacy, which, with the right choices made today, can transition from being a historical concept to a fundamental, technologically and lawfully enshrined right.

To achieve this, there’s an urgent need for global collaboration among governments as well as economic and technological drivers. We need to form a comprehensive and inclusive council dedicated to overseeing AI ethics, laws, and regulations. This council must be diverse, representing various societal and cultural backgrounds and must have 0 financial interest to ensure that the development and use of AI is not dominated by any single culture or economic power, thus maintaining a balanced and equitable approach to technological advancement.

Do you have thoughts or questions about this article? Reach out to Matt!

The post The Most Significant AI-related Risks in 2024 appeared first on Bugcrowd.

As the growing conflicts between Israel and Hamas and Russia and Ukraine continue, there will be new risks from global threat actors. This will require preparedness on both sides for new asymmetric threats. These expanding threats in a volatile, noisy environment will be difficult to predict. I recommend security leaders insert the crowdsourced hacker mindset into their decision making to show how to prepare for the chaos coming when the threat actors do try to monkey with IT systems.

We can also expect the bar to lower for attackers, largely due to the availability of generative AI tools. In the past, knowledge was a barrier to entry for the attackers to get big outcomes. Now, generative AI has given them access to a lot of new tools and it has broadened the potential threat group. 

In using AI for defense, the challenge comes because prioritization is usually defined by the business leaders, not by the security practitioners. What we security folks feel is most urgent sometimes does not align with the company priorities, which creates a risk to the organization. Seen through that lens, our work around AI is to surface insights from the overall data set as it relates to risk. A vulnerability on its own is not good, but a vulnerability plus a real threat now makes it urgent. 

The Bugcrowd team compiled a few of my predictions for cybersecurity in 2024 into this handy infographic. I’d love to hear what is top of mind for you and your security team in the new year.

The post 2024 Cybersecurity Trends and Predictions appeared first on Bugcrowd.

Ethical hackers can help organizations improve the security of their networks, systems, and applications. In order to do this, ethical hackers are retained on contracts for outsourced traditional penetration testing, or, the new and more rapidly growing model for crowdsourced security penetration testing. In many instances ethical hackers will identify vulnerabilities based upon goodwill and without the expectation of remuneration for their services.

In order to be successful ethical hackers must take the perspective of malicious threat actors. Ethical hackers step into the shoes of threat actors and view an organization’s defenses from the perspective and mindset of a potential attacker. Ethical hackers must take active measures to probe cyberdefenses for vulnerabilities which would allow them to position a successful cyber attack. The success of ethical hackers in identifying vulnerabilities reduces or eliminates the potential opportunity for the next real malicious threat actor.

Interaction with ethical hackers must be subject to important ground rules agreed upon between the ethical hacker and the organization. The most important ground rules for engagement pertains will be established in a vulnerability disclosure policy.

What are the key components of a vulnerability disclosure policy?

Commitment.

The introductory section  provides background information on the organization and its commitment to security and more. This section explains why the policy was created and the goals of the policy. It is a statement of good will and encouragement – reporting vulnerabilities is of potentially high value. Vulnerability reporting can reduce risk and potentially eliminate the expense and damage to reputation caused by a successful cyberattack.

Safe Harbor.

This section explicitly declares the organization’s commitment not to take legal action for security research activities that follow a “a good faith” effort to follow the policy. The authorization and safe harbor clearly states that good faith efforts will not result in the initiation of legal action. The language recommended by CISA for government agency vulnerability disclosure policy authorization and safe harbor is: 

“If you make a good faith effort to comply with this policy during your security research, we will consider your research to be authorized. We will work with you to understand and resolve the issue quickly, and AGENCY NAME will not recommend or pursue legal action related to your research. Should legal action be initiated by a third party against you for activities that were conducted in accordance with this policy, we will make this authorization known.”

Important Guidelines.

Guidelines further set the boundaries of the rules of engagement for ethical hackers. Guidelines may include an explicit request to provide notification as soon as possible after the discovery of a potential security vulnerability. It is common that exploits should only be used to confirm a vulnerability. Many vulnerability disclosure policies request that discovered exploits not be used  to further compromise data, establish persistence in other areas, or move to other systems.

Scope.

Scope provides a very explicit view of the properties and internet connected systems which are covered by the policy, the products to which it may apply, and the vulnerability types that are applicable. Scope should also include any testing methodologies which are not authorized. For example, it is most typical that VDPs don’t allow Denial of service (DoS or DDoS) attacks or attacks of a more physical nature such as attempting to access the facility. It is often the case that social engineering, perhaps through phishing, is also not authorized. Situations vary and it is important to spell out exactly what is permissible and what is not.

Process.

Process includes the mechanisms used by ethical hackers to correctly report vulnerabilities. This section includes instructions on where the reports should be sent. It also includes the information that the organization requires to find and analyze the vulnerability. This may include the location of the vulnerability, the potential impact and other technical information required to identify and reproduce the vulnerability. It also should include information about the timeframe for the acknowledgement of receipt for the report.

Best practice is to allow ethical hackers the option of submitting vulnerability reports anonymously. In this case the vulnerability disclosure policy would not require the submission of identifying information. 

Examples of Vulnerability Disclosure Policies

The Department of Homeland Security has published a vulnerability disclosure policy template: https://cyber.dhs.gov/bod/20-01/vdp-template/. The template spells out sections in a policy template for introduction, authorization, guidelines, test methods, scope, reporting a vulnerability, and the expectations and deliverables from both parties. 

Other examples of active vulnerability disclosure policies from both government and commercial enterprise referenced as examples include:

U.S. Department of the Interior  

• https://www.doi.gov/vulnerability-disclosure-policy 

U.S. Department of the Treasury

• https://home.treasury.gov/vulnerability-disclosure-policy 

U.S. Department of Health and Human Services

• https://www.hhs.gov/vulnerability-disclosure-policy/index.html 

U.S. Department of Education

• https://www.hhs.gov/vulnerability-disclosure-policy/index.html 

U.S. Department of Transportation

• https://www.transportation.gov/vulnerability-disclosure-policy 

U.S. Department of Justice

• https://www.justice.gov/jmd/vulnerability-disclosure-policy 

Bank of England

• https://www.bankofengland.co.uk/vulnerability-disclosure-policy

Deutsche Bank

• https://www.db.com/legal-resources/responsible-disclosure-process 

Saxo Bank

• https://www.home.saxo/legal/vulnerability-disclosure-policy/vulnerability-disclosure-policy 

Starling Bank

• https://www.starlingbank.com/security/disclosure/ 

Trade-offs in Disclosure Policy Definition

Responsible disclosure allows for the disclosure of a vulnerability only in a timeframe subsequent to the elimination of the vulnerability. Developers and vendors may need a considerable amount of time to patch the vulnerability. By limiting the information flow it can be argued that risk will be lower since less threat actors may be aware of the vulnerability. However all it takes is one motivated threat actor to discover the vulnerability on their own. In this scenario responsible disclosure may give knowledgeable threat actors more time to exploit the weaknesses and complete a successful breach. Vulnerability disclosure policies generally specify the need for responsible disclosure. Responsible disclosure is by far preferred by the impacted organizations.

Full disclosure is the other side of the spectrum. If an ethical hacker has done everything possible to alert an organization of a vulnerability, and has been unsuccessful, then full disclosure could emerge as an option of last resort.  Full disclosure pivots the playing field towards an assumption that there is always a threat actor that is aware of any vulnerability. Therefore the newly discovered vulnerability presents significant risk, and must be disclosed as early as possible. In this scenario the disclosure puts pressure on the affected parties to move rapidly to take necessary precautions. On balance, the use of full disclosure trades the risk of exploitation and wider investment in the vulnerability for wider research support and advanced preparation by cyber defenders. Decisions for full disclosure are usually made by the ethical hacker, but are not encouraged by the organization impacted. 

Framework Standards

ISO provides a guideline which shares excellent guidance on the disclosure of vulnerabilities in products and services. Vulnerability disclosure helps prioritize risk, better defend systems and data and supports the prioritization of cybersecurity investments. Coordinated vulnerability disclosure is especially important when multiple vendors are affected. For more information please refer to https://www.iso.org/standard/72311.html. 

ISO also provides guideline https://www.iso.org/standard/69725.html which shares requirements and recommendations for how to process and remediate potential vulnerabilities. 

Vulnerability Disclosure Programs and Policies Bring Compelling Value

Bugcrowd connects companies and their applications to a Crowd of highly specialized network of security researchers. The Crowd can identify critical software vulnerabilities faster than traditional methods. Powered by Bugcrowd crowdsourced security platform, organizations of all sizes can run security programs to efficiently test their applications and remediate vulnerabilities before they are exploited.

Now that we’ve covered vulnerability disclosure policy, dive deeper into vulnerability disclosure programs in The Ultimate Guide to Vulnerability Disclosure. If you’re interested in setting up your own program, get started today. 

The post Vulnerability Disclosure Policy: What is It & Why is it Important? appeared first on Bugcrowd.

As software development gets faster and more opaque, security has become more important and more difficult, which has revealed the shortcomings of traditional security testing. This market need comes alongside technical developments that have led to innovation in cybersecurity, and in particular, the growth of the now-mature category of crowdsourced security.

What is crowdsourced security?

Crowdsourced security is an approach to securing digital assets that leverages the collective skill and experience of ethical hackers to tap into the wisdom of the crowd, where large and diverse groups can make discoveries more effectively than individuals.

These hackers are given direction, scope, and sometimes financial incentives to identify and report vulnerabilities, or bugs, simulating techniques used by threat actors. Owners of these digital assets will then remediate the issue and offer public recognition for the hacker’s work (in the case of a vulnerability disclosure program) or financial rewards corresponding to the criticality of the bug (in the case of a bug bounty program).

Investing in crowdsourced security testing means tapping into the breadth of the world’s talent and all of the talent, experience, and cognitive diversity that comes with it. Here are just some of the benefits that it provides.

What are the types of crowdsourced security solutions?

The most common crowdsourced security solutions are Vulnerability Disclosure Programs (VDP), Bug Bounty Programs, and Penetration Testing. 

• • VDPs—VDPs are a framework put in place by organizations to encourage hackers to share any vulnerabilities they discover with the asset’s owner. They offer safe harbor clauses that provide legal protection to good faith hackers, and should also offer public disclosure of valid submissions to acknowledge the help provided by hackers who take the time to help with security.
  • Bug Bounty Programs—Bug Bounty Programs are security initiatives that incentivize hackers to find and report vulnerabilities in an organization’s products and digital infrastructure. These programs lay out the scope of the asset that is open to testing, and offer financial rewards based on the criticality of bugs that are discovered and shared. Managed bounty programs have been around in this form since Casey Ellis founded Bugcrowd in 2012, and they are the crowdsourced security that hackers engage with the most. 
  • Penetration Testing—Pen testing is a simulated cyberattack carried out by an authorized third party (known as pen testers) who tests and evaluates the security vulnerabilities of a target organization’s computer systems, networks, and application infrastructure. 

There are also technical forms of crowdsourced testing such as attack surface management, where specialist hackers are tasked with defining a company’s network, finding shadow and legacy IT in the process. Hackers deploy automated tools and human ingenuity prioritize an organization’s assets in terms of risk, whether it is AWS buckets holding vital data, a poorly configured IoT toaster that came with an acquisition, or the CEO’s laptop. The skillset required for high-quality attack surface management is rarely found in generalist security professionals, so crowdsourced solutions often make the most sense economically. 

Who performs crowdsourced security testing?

Crowdsourced security testing draws from hackers from around the world. For Bugcrowd, this means “The Crowd”; a community of security experts who dedicate themselves to finding and fixing security vulnerabilities. 

The range of hackers involved in crowdsourced testing can vary based on the nature of the client and what they are testing. With VDPs, hackers self-select by finding and submitting bugs informally. In contrast, selection for Bug Bounty Programs can range from public programs open to every member of The Crowd, to private programs limited to experts with the highest form of security clearance. Attack surface management tends to be performed by specialists who bring expertise in scanning technologies to the table, alongside deep knowledge of network risks. 

How much access is given to crowdsourced hackers?

In theory all assets can be improved by crowdsourced security testing, but in practice scope of access varies between assignments and types of testing. For VDPs an organization’s entire assets are considered in scope unless otherwise stated, whereas bug bounties tend to focus more on specific products or infrastructure. Access tends to be based on budget and capacity – buyers will prioritize assets based on budget for incentives and internal capacity to remediate bugs. 

The limitations of traditional security testing

Traditional security testing methods, such as in-house penetration testing (pen testing) or automated vulnerability scanning, have limitations. Some of the issues of traditional security testing include: 

• Time-consuming
• Expensive
• Cumbersome delivery
• Poor security ROI
• Difficult to scale
• Delayed results
• Questionable skill fit
• Checklist-focused
• Lack of ingenuity
• No progress visibility
• Siloed and inactionable
• Low impact

Traditional security measures remain crucial and are not going anywhere. Best practice in patching, access controls, firewalls, and other elements of security hygiene remain a core necessity to keeping data safe. But when it comes to identifying and tackling sophisticated threats, traditional security testing has its limits.

While some security testing should always remain in-house, you should not be limited to this approach to securing data. We live in a digital age of abundance, and this should be seen as an asset to your security rather than just a source of threats.

What are the benefits of crowdsourced security testing?

Larger testing pool

Crowdsourced testing brings more brainpower to the task of securing your assets. Back in the late nineties, Eric S Raymond suggested that “with enough eyes, all bugs are shallow.” Since then, the amount of eyeballs that can be turned to finding bugs has increased dramatically, and this increase in supply provides a better quality of security testing.

As well as the weight of numbers, “The Crowd” brings diversity of outlook, approach, and experience. Internal testers will be limited to their own expertise when assessing vulnerabilities and threats, but crowdsourced security draws from hackers of different ages and backgrounds living all over the world. Bringing this formidable group together provides far more creativity and more comprehensive testing to your security needs.

Cost-effective testing

Over a hundred years ago, US retail magnate John Wanamaker complained that half the money he spent on advertising was wasted, but he didn’t know which half. Until recently, something similar could be said of security investment, with money spent by Chief Information Security Officers (CISOs) often lacking a clear read-through to a company’s bottom line.

Crowdsourced security is part of the solution to this, by offering financial incentives to hackers based on the criticality of the bugs that they uncover. In the past, you had to pay for testing and hope for results. Now, the testing takes place in the background so your in-house security team can focus on strategic initiatives.

Reduced risk of bias

In traditional security testing, internal and even external testers may have a bias for the technology, tactics, techniques, and procedures with which they are most familiar. When picking from a limited pool of talent, you are bound to have blindspots, even with the most brilliant individuals. This is especially true for new and emerging technology and techniques.

With crowdsourced testing, market conditions incentivize diverse approaches by rewarding the results they produce, and this eliminates any potential biases. Hackers from different jurisdictions will have more exposure to new technology, and will bring a mindset that challenges any status quo in security testing. No small team can cover the range of cognitive diversity and technical experience that The Crowd brings.

Coverage around the clock

Malicious actors are geographically distributed across time zones and don’t work conventional 9-5 hours. This has caused headaches for CISOs and executive teams facing breaches and urgent vulnerabilities overnight and at weekends, who often struggle to find the resources needed to deal with a threat.

Crowdsourced security taps into distributed security talent to turn this from a weakness to a strength. By investing in crowdsourced testing, you will have all of the capacity that you could need, when you need it. This allows you to access round-the-clock security testing from hackers. Organizations like Bugcrowd also include validation and triage services from a global team of experts, handling the most critical submissions within hours. This allows your team to quickly remediate and resolve vulnerabilities using critical context, helping you focus on what’s most important.

The ability to scale up testing capacity is not just useful out-of-hours. Sometimes vulnerabilities will emerge in software that is of critical importance to your business, and in these situations finding and fixing vulnerabilities becomes an urgent priority.

Investing in crowdsourced security lets you apply a lot of talent to this problem far more quickly than traditional security testing would allow. When the Log4J vulnerability emerged in December of 2021, Bugcrowd’s platform saw an enormous spike in activity, allowing buyers to remediate their most critical vulnerabilities in under three hours. This ability to scale capacity to meet emergent threats is an advantage of crowdsourced security over traditional testing.

Building relations with the hacking community

Crowdsourced testing is an effective approach to security, and this is known and respected by hackers and the wider security community. By investing in this approach to testing, you win respect within the industry that creates a virtuous cycle, making the best hackers more inclined to work with you.

This respect can extend to attracting talent, as it puts your company on the radar for security professionals eager to work in organizations that embrace best practice and work with the world’s best hackers. It can even extend to software developers and other technology professionals adjacent to security.

What are the pros and cons of crowdsourced security testing?

Summary—The Benefits of Crowdsourced Security Testing

We live in a world of digital abundance, and securing data and infrastructure means making this work for you rather than against you. Crowdsourced security offers you access to The Crowd’s diverse skillset, with collective experience of solving more problems than any individuals can even comprehend. 

By opting to pay for results instead of time, you can get the benefits of this hive mind while sticking to a reasonable budget. This is hard for those whose spending is restricted to traditional security services, or who struggle to unlock the potential for crowdsourced testing. Crowdsourced testing requires a new business case, but one that is necessary for today’s threats. 

Crowdsourced Security and the Bugcrowd Platform

Bugcrowd has been a pioneer since it was founded as the first crowdsourced security testing platform back in 2012. We offer testing such as bug bounties, pen tests, vulnerability disclosure programs, and more at scale and in an integrated, coordinated way.

Our platform includes access to a team of global security engineers who work as an extension to the platform, triaging and validating submissions so that the most critical bugs can be resolved within hours. 

To see what crowdsourced security testing looks like in practice, take a 5-minute tour. This overview shows how the Bugcrowd Platform connects you with trusted hackers to help you take back control and stay ahead of malicious actors. 

The post The Power of Numbers: Benefits of Crowdsourced Security Testing appeared first on Bugcrowd.