Penetration Testing as a Service Archives | Bugcrowd https://www.bugcrowd.com/blog/category/penetration-testing-as-a-service/ #1 Crowdsourced Cybersecurity Platform Mon, 18 Dec 2023 17:02:51 +0000

What is Penetration Testing as a Service? https://www.bugcrowd.com/blog/what-is-penetration-testing-as-a-service/ Thu, 07 Dec 2023 21:18:57 +0000

The post What is Penetration Testing as a Service? appeared first on Bugcrowd.
Learn the basics of penetration testing as a service (PTaaS)—what it is, how it works, and why it’s the new evolution of penetration testing. 

Security professionals are familiar with penetration testing, or pen testing, a service where external consultants mimic real-world attacks to identify security vulnerabilities and weaknesses.

Companies work with pen testing firms they know and trust, testers work to established methodologies for a fixed period, and tests take place at wide intervals, often annually. Testers surface their results in a report and these weaknesses get fixed, so over time fewer results are exposed and the process becomes more routine.

Security used to be a top-down process, where a small number of experts would evaluate and test assets for vulnerabilities before they shipped. Traditional pen testing was a good fit in this environment—external experts simulated the worst of what your company could expect to encounter, and shared findings in a report that you could implement in your own time.

Why is traditional pen testing no longer suitable?

  • Limited talent pool: Traditional pen testers were drawn from a small pool of available professionals, which limited the tactics and techniques they could execute.
  • Speed of implementation: Pen testers will schedule assignments weeks or even months in advance, with the report coming days or weeks after the assignment is complete. This leaves potential risks exposed for too long.
  • Remote working: Today’s threat perimeter has expanded beyond the physical boundaries of the organization. Traditional pen testing often focuses on on-site infrastructure, and may overlook threats emerging in a distributed network.
  • Scaling issues: Traditional pen testing services operate with one or two testers, and may not scale well to match the growth of your organization. As your business grows, so does your infrastructure, and a yearly pen test may not be sufficient to cover all assets.
  • Noisy, unactionable results: Traditional pen tests can take weeks or months to complete, with no access to findings until the final report, and the remediation steps are often unclear.

Today’s security landscape looks a lot different from the one that gave us traditional pen testing. Your organization’s technology stack has a multitude of tools, your perimeter stretches to coffee shops and home networks, and your data is of value to malicious actors in every time zone. That’s before we even get started on any products you might be building.

Pen testing as a service (PTaaS) is an upgrade to the testing playbook. It uses today’s technology and security best practices to secure the modern environment.

PTaaS Explained

In its most basic form, PTaaS is a new wrapper and delivery method for an established service. This makes ordering and implementing a test easier by speeding up onboarding and implementation while saving money in the process.

By making pen tests digital-first, PTaaS unlocks remote testing, widens the potential bench of testers, and allows for integration into the SDLC, streamlining delivery and making reporting and remediation far easier.

What Does Best Practice PTaaS Look Like?

Dealing with distributed, complex threats means relying on distributed, specialist talent. PTaaS done to the highest standards requires a new take on the pen testing consulting assignment that offers the benefits of a platform-based approach to the task while tapping into a worldwide supply of testing talent. This crowdsourced PTaaS allows you to quickly launch tests with specified requirements, getting to work within days and working according to your specific security needs.

Moving from pen testing to crowdsourced PTaaS means allowing the breadth of security complexity to work as an asset rather than a liability. When working with a crowdsourced PTaaS provider there is the potential to tap into a bench of testers drawn from across the world, but only if they offer a deep bench and a discerning methodology to match them. When done right, it gives you access to testers with narrow expertise in specific assets or methodologies, or particularly impressive track records, but beware of crowd washing.

PTaaS that properly deploys The Crowd taps into bottom-up dynamics, surfacing the most relevant talent through Darwinian competition and sophisticated algorithms. Testers build a name for themselves through their work, and providers use this data to match the most appropriate testers to your needs in each assignment.

Threats are online and constantly evolving—security needs to be the same. Using crowdsourced PTaaS is like moving from relying on encyclopedias to drawing from Wikipedia, with the best performers rising to the top and readily available for assignments.

What are the Benefits of PTaaS?

PTaaS offers three key strengths relative to the traditional method.

  1. Speed: In security, risk is a function of time as well as criticality. PTaaS is faster at initiating assignments and delivers continuous results to quickly catch and resolve threats.
  2. Savings: By offering testing that is aligned with your needs and integrating findings quickly and effectively, PTaaS gives you more bang for your buck and helps your budget go further.
  3. SDLC: Testing is only part of what you want from an assignment—remediating risks that emerge is the important part. PTaaS integrates with the SDLC to resolve risks where they emerge, rather than creating a new workflow to implement static findings.

How Does PTaaS Differ from Traditional Penetration Testing?

PTaaS                                  | Traditional Pen Testing
---------------------------------------|---------------------------------------------
Dashboard for viewing results 24/7     | Delayed reports that require further action
Integration with SDLC                  | Siloed results
Rapid onboarding and ability to scale  | Cumbersome, consulting-heavy engagement

What to Look For in a PTaaS Platform

At the risk of stating the obvious, PTaaS providers should be able to deliver high-quality testing, and do so through a service that is convenient and minimizes friction. There are a few elements that ensure PTaaS adds the most value.

  • Pentester bench: More selection among testers is what draws many buyers to PTaaS, and you should choose a provider that maximizes this strength. This is also a vote of confidence in the platform, as providers that attract more hackers tend to run more professional, advanced platforms.
  • Skill set diversity: Of course, higher numbers only mean higher value if they bring more diversity in approaches, skill sets, and mindsets among testers. Look at the professional backgrounds available: the more languages, technical skills, experience, and outlooks present among testers, the more likely they are to find new and relevant vulnerabilities.
  • Testing clearance: If you’re testing sensitive assets that require security clearance, then you’ll need a provider who supports this. Look for a range of qualified testers, a platform that complies with the specific needs of your program, and a provider with a track record of similar assignments.
  • Data-driven pentester selection: A large, diverse pool of testers with advanced capabilities is only useful for you if you’re able to find the right team for the job. Providers should prevent the paradox of choice by using algorithms or AI to match you with the most appropriate testers for your needs. 
  • SDLC integration: Tightening the loop between identifying vulnerabilities and remediating them speeds the process up and reduces costs. This should happen at the back end by integrating the fixes directly into the SDLC, as well as offering the potential to incorporate the outputs from bug bounty programs, vulnerability disclosure programs and other crowdsourced security measures with pen tests to provide a more consolidated service.
  • Platform reporting: PTaaS can provide more data than traditional testing, allowing you to clearly calculate return on investment. Providers should present all data from tests in real-time and make this accessible for you in an efficient format.

Summary—Penetration Testing as a Service

PTaaS harnesses the power of a diverse group of professional hackers to substantially improve on the traditional pen testing model. By increasing the pool of testers and providing the functionality of a platform, it offers better results, finding and remediating vulnerabilities more quickly while offering more data that can allow you to calculate ROI. In sum, PTaaS provides a comprehensive, adaptable, and efficient approach to system security.

Overview of Bugcrowd PTaaS

Bugcrowd has been offering PTaaS since 2022 as part of the Bugcrowd Platform. This builds on our expertise as the first company to offer a managed bug bounty program, and includes a rich dashboard with real-time access to test status, analytics, findings, and methodology.

Our proprietary CrowdMatch AI technology finds precisely the right testers based on parameters such as skillset, track record, and security clearance. You can buy, configure, and launch a pen test delivered by global experts matched to your precise needs in hours rather than days and receive results instantaneously. You can also combine pen tests with bug bounties for further security coverage that taps into the Crowd for security expertise.

What is Penetration Testing? https://www.bugcrowd.com/blog/what-is-pen-testing/ Thu, 16 Nov 2023 21:50:04 +0000
Learn the basics of penetration testing—what it is, how it works, and why it’s essential to your organization’s security. Get the facts from Bugcrowd, and arm yourself with proven strategies to stay one step ahead of threat actors.

Penetration Testing Explained

Penetration testing is a methodical process of evaluating the security of a system by attempting to exploit its vulnerabilities and weaknesses. In other words, it’s legal hacking designed to help organizations identify and address potential security risks before threat actors can take advantage of them.

In this article, we will explore the fundamentals of penetration testing and discuss everything you need to know to get started.

What are the Benefits of Penetration Testing?

Penetration testing offers several benefits:

  • Identifying vulnerabilities: By conducting penetration tests, organizations can identify vulnerabilities and weaknesses in their systems or networks that could be exploited by hackers.
  • Evaluating security controls: Penetration testing allows organizations to evaluate the effectiveness of their existing security controls and identify areas for improvement.
  • Mitigating risks: By addressing vulnerabilities identified during penetration testing, organizations can reduce the risk of potential security breaches and unauthorized access.
  • Compliance requirements: Many industries have regulatory requirements that mandate regular penetration testing to ensure the security of sensitive data.

How Does Penetration Testing Differ from Automated Testing?

Penetration testing and automated testing serve different purposes. While automated testing like scanning focuses on identifying known vulnerabilities and conducting routine checks, penetration testing simulates real-world attacks to identify both known and unknown vulnerabilities. Therefore, penetration testing provides a more comprehensive assessment of a system’s security posture. In some cases, regulatory bodies will mandate penetration tests over automated scanning.

What are the Pros and Cons of Penetration Testing?

Pros of Penetration Testing

  • Identifying vulnerabilities: Penetration testing helps organizations identify vulnerabilities that can be addressed to enhance their security.
  • Evaluation of security controls: This allows organizations to evaluate the effectiveness of their existing security controls.
  • Risk mitigation: By addressing vulnerabilities, organizations can reduce the risk of potential security breaches.

Cons of Penetration Testing

  • Cost: Penetration testing can be expensive, especially for complex systems or large networks.
  • Time consuming: It can take time to plan, launch, conduct, and analyze the results of a penetration test.
  • Disruption: Penetration testing can cause temporary disruptions to the systems or networks being tested.

Who Performs Penetration Tests?

Penetration tests are performed by internal teams or external providers, both of which encompass professional pentesters or trusted hackers.

How Much Access Is Given to Pentesters?

The level of access given to pentesters varies depending on the scope of the engagement. Organizations may provide pentesters with limited or full access to simulate a real-world attack scenario. The level of access is also determined by the goals and objectives of the penetration test.

What Are the Types of Penetration Tests?

There are various types of penetration tests:

  • Network Penetration Testing: This type of test focuses on assessing the security of a network to identify potential weaknesses in the network infrastructure and to ensure that effective security measures are in place.
  • Web Application Penetration Testing: This test evaluates the security of web applications by identifying issues such as injection attacks, cross-site scripting (XSS), and insecure configurations. The results help mitigate unauthorized access and data breaches.
  • API Penetration Testing: This test examines the security of application programming interfaces (APIs) by identifying vulnerabilities and potential attack vectors. It ensures that APIs are secure and protected against threats such as unauthorized access, data leakage, and denial-of-service attacks.
  • Cloud Penetration Testing: This test focuses on assessing the security of cloud infrastructure and services by identifying potential vulnerabilities and misconfigurations. Such tests are conducted to ensure that sensitive data stored in the cloud are adequately protected and that access controls are properly implemented.
  • Mobile Penetration Testing: This test evaluates the security of mobile applications by identifying issues that could compromise user data or device functionality. These tests are pivotal in ensuring that mobile apps are secure against various threats, such as data leaks, unauthorized access, and malware.
  • IoT Penetration Testing: This test is conducted to secure Internet of Things (IoT) devices and networks, which often fall prey to unauthorized access and other attacks that compromise the integrity of IoT systems. Such tests help ensure the security and privacy of Internet-connected devices and their users.
  • AI Penetration Testing: This specialized test focuses on the security of AI systems, including the Large Language Models (LLMs) used in conversational AI tools. Aside from identifying potential vulnerabilities, such tests can also be conducted to determine biases in a model’s behavior, ensuring the responsible and secure use of AI technology.

What Happens During a Penetration Test?

A typical penetration test involves the following steps:

  • Planning and reconnaissance: This initial phase involves organizations defining the objectives and scope of the test, including the systems to be assessed and the testing methodologies to be employed. It also entails gathering intelligence and information to enhance pentesters’ understanding of the target’s functioning and potential vulnerabilities.
  • Vulnerability identification: During this stage, the pentester focuses on identifying weaknesses and vulnerabilities within the target system or network.
  • Exploitation: Leveraging the vulnerabilities they have identified, the pentester attempts to exploit them to gain unauthorized access or perform specific actions. This stage involves utilizing web application attacks, such as XSS, SQL injection, and backdoors. Pentesters then strive to escalate privileges, steal data, intercept traffic, and more to assess the potential impact of the identified vulnerabilities.
  • Post-exploitation: If the pentester successfully gains access, they may further explore the compromised system or network to gather additional information or escalate their privileges. The objective is to determine whether any given vulnerability can enable a persistent presence within the exploited system, mimicking advanced persistent threats that often remain undetected for extended periods. The goal of such threats is usually to exfiltrate an organization’s most sensitive data, meaning it is critical that pentesters carry out this step.
  • Reporting: The pentester finally documents their findings and prepares a comprehensive report for an organization, which includes detailed recommendations for enhancing security.

The results of a penetration test typically include:

  1. Specific vulnerabilities that were exploited.
  2. Sensitive data that were accessed.
  3. The duration of undetected access.

What Are the Most Common Penetration Testing Tools?

Penetration testing tools encompass various categories:

  • Open source
  • Web app, network, cloud, wireless, or mobile penetration testing
  • Hardware testing
  • Social engineering

Every tool possesses distinct features and capabilities, making them indispensable elements of any comprehensive penetration testing toolkit.

Open Source Penetration Testing Tools

Nmap: Also known as a network mapper, Nmap analyzes packet responses to map the target network. It helps identify available hosts, services, operating system details, open ports, and potential network vulnerabilities. Nmap runs on Linux, Windows, and macOS, offering various scan types, from simple port scans to advanced vulnerability scans. It can be used with tools such as Metasploit for automated vulnerability exploitation.

OWASP ZAP: OWASP ZAP is a versatile web app security testing tool. It scans and analyzes responses from target apps, identifying potential vulnerabilities like SQL injection, XSS, and buffer overflow attacks. OWASP ZAP supports passive and active scans, providing an easy-to-use GUI, an intercepting proxy, automated scanners, and plug-ins. Like Nmap, OWASP ZAP works on multiple platforms.

Metasploit: Metasploit offers a comprehensive suite of tools, including an extensive database of exploits and vulnerabilities, for identifying weaknesses in a target system. Its user-friendly interface is ideal for developing and executing exploits, as well as for performing auxiliary tasks like fingerprinting, reconnaissance, and vulnerability scanning. Metasploit seamlessly integrates with other tools and frameworks, such as Nmap and Burp Suite, providing a comprehensive arsenal of penetration testing capabilities.

WPScan: Developed for WordPress, WPScan has a comprehensive database of known vulnerabilities and weaknesses. It can identify usernames, weak passwords, insecure plugin versions, and vulnerable themes. WPScan is a command-line tool with automation capabilities, making it suitable for use in large-scale testing. It is regularly updated to include the latest vulnerabilities.

Web App Penetration Testing Tools

Nikto2: Nikto2 is an open source web server scanner. It excels at identifying outdated software versions, insecure configuration settings, and XSS vulnerabilities.

Burp Suite: Burp Suite is a widely used tool that offers various features, including a proxy server, scanner, intruder, and repeater, making it versatile for comprehensive testing. The proxy server allows users to intercept and modify browser–server traffic, while the scanner automatically detects and exploits vulnerabilities in web applications or APIs. Burp Suite also seamlessly integrates with tools like Metasploit and Nmap, and it comes pre-installed in Kali Linux.

Network Penetration Testing Tools

Wireshark: Wireshark, a popular open source network protocol analyzer, captures and analyzes network traffic across different operating systems. Its real-time packet inspection and filtering features enable focused investigation and enhance analysis efficiency.

Cloud Penetration Testing Tools

ScoutSuite: ScoutSuite is a popular tool used to scan cloud environments for vulnerabilities and misconfigurations. It effortlessly works across AWS, Azure, and GCP in analyzing virtual machines, databases, and storage buckets. It also evaluates compliance with security best practices.

CloudMapper: CloudMapper is an open source cloud security tool that creates detailed visual maps of cloud infrastructure. It identifies security risks and potential attack paths, as well as provides a holistic view of resource relationships. CloudMapper also generates reports with recommendations for addressing vulnerabilities.

Prowler: Prowler is an open source AWS security tool that audits AWS accounts for security best practices. It checks compliance with industry-standard security frameworks like NIST, CIS, and PCI DSS and generates comprehensive audit reports.

Wireless Penetration Testing Tools

Aircrack-ng: Aircrack-ng provides a complete toolkit for monitoring and analyzing network traffic. It is also used to crack passwords of Wi-Fi networks that use weak encryption. This open source solution identifies vulnerable access points, monitors network traffic, and tests network security.

Kismet: Kismet offers real-time detection and analysis of wireless network traffic. It provides valuable insights into SSIDs, MAC addresses, signal strength, and more. Pentesters can easily uncover and identify rogue access points, network misconfigurations, and hidden wireless networks with advanced capabilities.

Mobile Penetration Testing Tools

Frida: Frida is a powerful tool for reverse engineering and debugging Android and iOS apps. It enables pentesters to intercept network traffic, manipulate binary code, and alter the behavior of the target app.

Hardware Penetration Testing Tools

Proxmark3: Proxmark3 is an open source hardware tool used in RFID research and testing. It can read and emulate different types of RFID cards and tags, perform wireless analysis, and clone RFID devices. This versatile tool allows pentesters to simulate various attacks, such as replay attacks and man-in-the-middle attacks, on RFID systems to assess their security.

Social Engineering Penetration Testing Tools

The Social Engineer Toolkit (SET): The Social Engineer Toolkit (SET) is an open source tool that allows users to generate various social engineering attacks, including spear-phishing and credential harvesting. It also provides features for email spoofing, SMS spoofing, and geolocation spoofing. It integrates seamlessly with the Metasploit framework, enabling pentesters to deliver payloads and exploit vulnerabilities effectively.

What Vulnerabilities Can Penetration Tests Uncover?

The findings of a penetration test are unique to each engagement, but recent examples include:

  • CVE-2023-027350: This vulnerability allows remote attackers to bypass authentication on affected installations of PaperCut NG 22.0.5 (Build 63914). Authentication is not required to exploit this vulnerability. The specific flaw exists within the SetupCompleted class. The issue results from improper access control.
  • CVE-2023-34362: A SQL injection vulnerability was found in the MOVEit Transfer web application that could allow an unauthenticated attacker to access MOVEit Transfer’s database. Depending on the database engine being used, an attacker may be able to infer information about the structure and contents of the database and execute SQL statements that alter or delete database elements.
  • CVE-2023-26360: Adobe ColdFusion versions 2018 Update 15 (and earlier) and 2021 Update 5 (and earlier) are affected by an Improper Access Control vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue does not require user interaction. 

What Happens After a Penetration Test?

After a penetration test, the organization receives a detailed report from the pentester. This report includes a summary of the findings, identified vulnerabilities, and recommendations for improving security. The organization can then prioritize and address the identified vulnerabilities to enhance its overall security posture.

TL;DR—Penetration Testing

Penetration testing plays a pivotal role in safeguarding the security of systems and networks. By identifying vulnerabilities and weaknesses, organizations can take proactive measures to reduce the risk of potential security breaches. Regular penetration testing empowers organizations to stay ahead of threat actors and safeguard their valuable data and assets, allowing them not only to protect their brand but also their intellectual property.

Bugcrowd PTaaS Takes Home Five Awards for Cybersecurity Excellence https://www.bugcrowd.com/blog/ptaas-takes-home-five-awards/ Thu, 11 May 2023 17:15:02 +0000
Since launching new self-service capabilities within our Penetration Testing as a Service offering last month, we’ve already seen wide recognition of the technology’s ability to empower buyers to purchase, set up, and manage pen tests directly online, cutting out the need for lengthy sales calls and scoping sessions. 

In 2023 alone, Bugcrowd, and in particular these new PTaaS capabilities, has won five distinct industry awards. This recent string of wins demonstrates Bugcrowd’s persistence in delivering industry-leading solutions to the market and validation as an accomplished and preeminent organization throughout cybersecurity.

Most recently, our team was recognized by Cyber Defense Magazine’s Global InfoSec Awards as a Hot Company in the Penetration Testing Category for our PTaaS capabilities, along with being recognized as a Gold Winner in the 19th Annual Globee® Cyber Security Awards for the technology. Additionally, Bugcrowd PTaaS was recognized as the Gold Winner in the Pentest-as-a-Service category in the 2023 Cybersecurity Excellence Awards among North American companies between 1,000 and 5,000 employees.

As an organization, we took home two more wins in the Cybersecurity Excellence Award program with recognition as Gold Winner for Cybersecurity Provider of the Year and Silver Winner for Best Cybersecurity Company.

For one, I am so proud to see all of these incredible wins. It’s a huge testament to our stellar team and technology! At Bugcrowd, we are committed to delivering the very best crowdsourced solutions to our customers and ultimately fulfilling our mission to democratize security testing for all.

Our team has taken major strides over the course of the past year to walk out this mission, including a major upgrade to our PTaaS offering, all aimed at staying at the forefront of innovation and leadership within a very saturated cybersecurity market. With a surge of vendors offering security testing solutions, a common concern that we hear is that vulnerability assessments in the market today are often shallow and low impact. 

Our goal was to provide a human-driven, high-impact pen test with a team matched to the customer’s precise needs with just a few clicks, cutting configuration time from days to hours. These recent award wins validate our work and the direction we’ve been laser-focused on. By focusing our priorities on our employees, the hacker community, partners and vendors, we are excited to build upon this momentum throughout 2023!

To learn more about our award-winning PTaaS offering, which is now available globally, visit https://www.bugcrowd.com/products/pen-test-as-a-service/.

Standard Pen Tests Are Now Just A Few Clicks Away https://www.bugcrowd.com/blog/standard-pen-tests-are-now-just-a-few-clicks-away/ Wed, 19 Apr 2023 06:00:08 +0000
Previously, we’ve written about how the Bugcrowd Security Knowledge Platform has transformed pen tests by bringing specialized human skill sets to them on demand, freeing buyers from having to settle for low-impact vuln assessments in disguise. We’ve also talked about how our platform makes Pen Testing as a Service (PTaaS) real by offering an interactive, data-driven experience that looks and feels like SaaS, instead of a clumsy consulting project that is slow and painful for everyone involved.

Now, we’re taking our PTaaS vision one step further: Starting immediately, you can buy, configure, launch, and see real-time results from a human-driven Bugcrowd Standard Pen Test, with a pentester team matched to your precise needs, via a few clicks. No more sales calls, scoping calls, and other back-and-forths that delay your pen test launch. Instead, thanks to new capabilities in our platform, you’ll cut setup time from days to hours, start seeing prioritized findings in a rich Pen Test Dashboard fast, and get a final report within days of test completion. That’s how pen testing should work!

To give you a flavor of how easy this is, we’ve captured a couple of steps in the brief demo below:

The Need for Standards

Why have we taken up this mission? Because everyone in the industry knows that the penetration testing experience for buyers and pentesters alike needs an upgrade. Traditional penetration testing has roots in consulting, so buying, scoping, sourcing pentesters, and report delivery depend on numerous manual, ad hoc interactions that delay what everyone wants: results. Too often, other PTaaS providers rely on automated, low-impact testing to streamline this process, while leaving the procurement and setup process largely manual–giving buyers the worst of both worlds.

Instead, we believe the solution to this problem is to standardize how human-driven, high-impact pen testing is delivered for common asset types, just as the construction industry adopted standards to make it faster and easier to build things at scale. That standardization is what makes it possible for us to orchestrate the setup process in software, for customers to buy Bugcrowd Standard Pen Tests in three sizes for external web apps or networks (with access to exactly the right pentester skills), and to easily organize and manage multiple pen tests in groups. Our platform’s unique ability to crowdsource the right pentesters for the job (CrowdMatch™) based on data, and to rotate them on demand, adds further value in the bargain.

Clear Choices

So what does this development mean for the pen testing industry? The way we see it, the choices are clearer than ever:

With this announcement, we’ve transformed the pen test experience from procurement through report delivery, but we won’t stop there. In the future, we’ll expand the types of pen tests that can be purchased and set up online and make it even easier to clone, organize, and manage pen tests and other programs on our platform.

In the meantime, buy and set up a Bugcrowd Standard Pen Test that’s “just right” for your external web app or network with just a few clicks! And if you’re attending RSA Conference in San Francisco next week (April 24-27), visit us at Booth #2438 or schedule a 1:1 to learn more. Read more about our Pen Testing as a Service announcement here.

The post Standard Pen Tests Are Now Just A Few Clicks Away appeared first on Bugcrowd.

How Different Hacker Roles Contribute to Crowdsourced Security
https://www.bugcrowd.com/blog/how-different-hacker-roles-contribute-to-crowdsourced-security/ | Wed, 22 Mar 2023 08:45:46 +0000

We can’t say this too often: Adopters of crowdsourced security are only as successful as the hackers/security researchers with whom they collaborate, whether it’s in a crowdsourced penetration test, bug bounty, or something else. A major ingredient in that success is the ability to match and activate the right hackers and/or pentesters for the task at hand–and quite often, the types of hacker roles involved also make a big difference in the results.

When evaluating the value of crowdsourced security, many people focus on the number of researchers who will be focused on your targets. While this is a logical approach, it’s just as important to consider the diversity of perspectives that a “crowd” can provide. For example, in a traditional penetration test, the findings usually reflect the perspective of a single “type” of tester (more on that below), and the results are shaped by that perspective, even though they conform to a methodology. In contrast, a genuinely crowdsourced pen test (not a “crowd-washed” one) inherits value from the full range of thoughts, approaches, and styles that only a crowd can provide, and that enables more comprehensive, intense testing that finds more diverse types of bugs. Furthermore, it’s a strong signal that the “pay for effort” (typical of an industry-standard pen test) and “pay for impact” (typical of a bug bounty) testing models are highly complementary.

At Bugcrowd, we think of hackers/pentesters as belonging to one of five distinct roles: Beginners, Recon Hackers, Deep Divers, Generalists, and Specialists. (It’s also important to keep in mind that over time, hackers/pentesters can and will journey from one role to another.) Each type has an important role to play in a given program, and those roles are relevant to how the Bugcrowd Platform’s CrowdMatch™ technology matches the right crowd to a customer’s needs, at the right time, across hundreds of dimensions.

Next, let’s take a look at each type of role in more detail.

The Beginner

Beginners on the Bugcrowd Platform refer to those who are new to the concept of crowdsourced security in general, rather than just being new to the platform specifically. When assessing a hacker’s level of experience on the platform, we may consider factors such as their participation on other platforms or their published research and tools. However, if such information is not available, we may assume that the hacker is a beginner in the ecosystem, at least initially (although this may not always be the case).

It’s important to note that being a Beginner does not necessarily mean that an individual is unskilled, even if they’re only submitting P3/P4 issues. For example, they may be working through a course to broaden their skill set, or they may have limited public presence but already work as a pentester and want to further develop their skills. Typically, this type of hacker covers vulnerability classes that others may not focus on as much, including P4 issues related to authentication and authorization, as well as simpler infrastructure issues (such as DMARC). 

Beginners add value in terms of coverage and consistency. Their participation in a program ensures, for example, vulnerabilities that would typically be found in a penetration test are also identified in a bug bounty program. The last thing we want is for a customer to follow a pentest with an overlapping bug bounty, and only then learn about a bunch of lower-priority items!

The Recon Hacker

Recon Hackers focus on identifying issues across the largest scope possible, so these individuals often discover P2/P3 issues that would not typically be found in a penetration test.

Over the past few years, Recon Hackers have dominated every provider’s leaderboard due to the proliferation of subdomain takeovers, particularly Route 53 and EC2 takeovers. While these takeovers are now largely patched, the leaderboards remain skewed, and thus the highest-rated hackers may not always bring the maximum level of impact.

It’s important to note that many recon-based hackers are highly skilled. However, many of those who take a recon-first approach have found a lucrative niche, and thus tend to focus on refining their toolkit to further exploit only that niche.

The Deep Diver

Deep Divers are the most valuable hackers for Bugcrowd to identify, engage, retain, and uplift. These are hackers who tend to focus on a particular program, learn as much as they can about it, and provide unique and distinct value. A Deep Diver can uncover vulns that nobody else can due to their persistence and long-term knowledge of how a program operates.

Identifying these hackers is best done by analyzing the content of their submissions–rather than just looking at the spread of vulnerabilities on a program–due to the unique nature of these findings. 

The Generalist

Generalists take a multifaceted approach: They have a solid foundation in reconnaissance and use it to cover attack surfaces thoroughly, without relying solely on large-scale monitoring and tooling. Generalists also apply a deep-diving approach to evaluating assets, similar to the Deep Divers. While they may not spend as much time on a particular program as Deep Divers do, they invest considerable amounts of time across a variety of programs. Due to their dual proficiency in recon and deep diving, Generalists gain a reputation on the Bugcrowd Platform quickly and are highly valued.

The Specialist

Specialists are a rare breed who require specific sourcing for an engagement. They possess unique and rare skill sets, and typically have years of experience in a particular technology (e.g., APIs, AI, IoT, web3) or a specific Bugcrowd VRT category.

As you read in the introduction, one of the Bugcrowd Platform’s greatest strengths is its ability to source and activate specialists to meet a program’s specific skill-set needs. Due to their specialized knowledge, Specialists can uncover issues that other hackers may miss, and they often provide invaluable, unique solutions to a problem. 

An Engineered Approach

To maximize the contributions of each hacker role, Bugcrowd is strategic in its approach to sourcing and engaging with them. For example, adding Beginners to a program that has been running for three months may lead to frustration and a high number of duplicates, while adding Generalists too early dilutes the opportunity for Beginners to level up through their findings. Therefore, program maturity is an important input for our platform’s CrowdMatch™ technology when it sources the appropriate roles.

To summarize, different hacker roles contribute to crowdsourced security programs in different ways, and making the most of those contributions requires a deep understanding of the program’s needs. Unlike other providers that rely on leaderboards or coarse-grained methods, Bugcrowd’s engineered approach intelligently sources and activates the right role types and skills for your programs, at the right time.

The post How Different Hacker Roles Contribute to Crowdsourced Security appeared first on Bugcrowd.

Know the Warning Signs of “Crowd Washing”
https://www.bugcrowd.com/blog/know-the-warning-signs-of-crowd-washing/ | Tue, 07 Feb 2023 06:00:07 +0000

More and more buyers are discovering the immense value that crowdsourcing brings to penetration testing, for several reasons. For example:

  • Complicated attack surfaces often require skill sets and experience that smaller pentest benches, whether internal or externally sourced, don’t have. When approached in an engineered, fine-grained way, crowdsourcing gives you the ability to curate precisely the right pentest team for your needs.
  • Some customers have adopted the practice of rotating pentest providers in order to diversify their view of the attack surface. With authentic support for crowdsourcing, pentesters can be rotated on demand without switching providers.
  • Although it’s not required, crowdsourcing unlocks a scaled pay-for-impact incentive model in which 10, 50, or even hundreds of testers are inspecting a target simultaneously, each attempting to maximize their earning potential by finding the most critical issues–a powerful risk reduction strategy with a long track record of success in bug bounty. For some buyers, particularly ones open to continuous testing, that leads to risk reduction that goes far beyond traditional methods. (Furthermore, it creates a very attractive ROI case for the CFO.)

That’s great news! Now, the penetration testing industry is also discovering crowdsourcing–but unlike customers, not always for all the right reasons. 

Enter Crowd Washing

We’ve seen this movie before: In the recent past, legacy IT vendors struggling to win the mindshare battle with cloud-native upstarts adopted the word “cloud” to re-brand their status-quo offerings. That strategy gave rise to the term cloud washing, defined by TechTarget as “the purposeful and sometimes deceptive attempt by a vendor to rebrand an old product or service by associating the buzzword ‘cloud’ with it.” Now, we’re seeing some pen testing vendors adopt that same playbook, using a crowd washing strategy to make their offerings sound more modern and impactful than they really are. 

Here are some crowd washing warning signs to look for:

  • When the provider claims a “community” of hundreds or thousands of pentesters on their bench. Generally, only a small pool of those testers will be available for any given engagement, so “first tester up” is usually the main driver for assignment–nothing more fine-grained than that. For buyers looking for a specific skill set, that approach won’t deliver what they need.
  • Absence of pay-for-impact incentives. There are always good reasons for selecting one incentive model over another. Providers that focus on the fixed-price, pay-for-effort model exclusively, however, are preventing customers from taking full advantage of crowdsourcing scale for maximum risk reduction.
  • When dashboards are “platforms.” Some PTaaS providers use the words “platform” and “dashboard” interchangeably. A pen test dashboard gives you access to analytics and results, but it does nothing to help you take advantage of crowdsourcing at scale–that requires an engineered software and services platform that abstracts away all the operational details of crowdsourcing. And, a true platform has to be able to deliver on that for multiple security goals, not just pen testing!

Crowdsourced PTaaS Requires a Platform 

Now that you know what to look for, make sure you only buy crowdsourced pentesting from providers with a credible track record!

Bugcrowd invented crowdsourced pen testing when we introduced our original offering, Next Generation Pen Tests, in 2018. Today, our Security Knowledge Platform delivers PTaaS for everything a customer might need for testing web and mobile apps, networks, APIs, cloud infra, IoT devices, and even crypto and web3, whether for a time-boxed duration or continuously. And the proprietary CrowdMatch ML technology in our platform can curate precisely the right trusted pen test team to support those tests on demand, and then buyers can pay them for their time at a fixed rate or based on the number and criticality of the issues they find. 

Platform services like CrowdMatch, best-in-class triage, reporting and analytics rooted in a rich Security Knowledge Graph, and integration with DevSec workflows are what power our crowdsourced PTaaS, managed bug bounties, VDPs, attack surface management, and perhaps most important, our ability to innovate in response to emerging needs. Furthermore, our approach lets researchers align with a platform that offers clear, explicit rewards for solving challenging problems that match their skills and interests–and that leads to long-term success for them, and for customers.

The post Know the Warning Signs of “Crowd Washing” appeared first on Bugcrowd.

Bugcrowd Named a Leader in GigaOm’s Pen Test as a Service Report
https://www.bugcrowd.com/blog/bugcrowd-named-a-leader-in-gigaoms-pen-test-as-a-service-report/ | Wed, 18 Jan 2023 19:53:25 +0000

Bugcrowd is proud to have been named a “Leader” by respected research company GigaOm in its 2022 Radar Report for Penetration Testing as a Service (PTaaS). 

The report assesses PTaaS vendors to help security decision-makers select the best fit for their business and use case requirements pertaining to penetration testing. Report author Chris Ray observes that “While pen testing is quite mature, the PTaaS space is young. For this reason, the definition of PTaaS—and PTaaS solutions—will likely evolve over the next few years as the space matures.”

In the assessment, Bugcrowd earned “Exceptional” scores for key criteria such as Automated Workflows and Use of Crowdsourced Pentesters, as well as for Solution Ecosystem, Feature Set, and Speed. Per report author Ray:

  • “Bugcrowd, a long-time player in the bug bounty space, has extended successfully into the PTaaS market and brings with it years of engineering experience.”
  • “Automation is a central component of a good PTaaS solution, and Bugcrowd has made it a priority to use automation to streamline as much of pen testing as possible.”
  • “The Bugcrowd PTaaS solution delivers strong automation capabilities that achieve real-world time savings for clients… Bugcrowd is a feature-rich, broadly applicable PTaaS solution.”

View the full report to learn why GigaOm calls Bugcrowd a Leader in this modern, innovative approach to penetration testing that leaves the limitations of consultative approaches behind.


The post Bugcrowd Named a Leader in GigaOm’s Pen Test as a Service Report appeared first on Bugcrowd.

Announcing Multi-tier Program Management on the Bugcrowd Platform
https://www.bugcrowd.com/blog/announcing-multi-tier-program-management-on-the-bugcrowd-platform/ | Mon, 24 Oct 2022 06:00:37 +0000

At Bugcrowd, we believe that whatever your organization’s size or industry, cybersecurity is a goal that requires a blend of data, technology, and human intelligence to achieve. The Bugcrowd Security Knowledge Platform™ addresses these pain points in a unique way by offering a multi-solution, layered approach to crowdsourced security at scale, bringing maximum value and minimum risk via penetration testing as a service, managed bug bounty, and more.

This platform-powered approach helps security teams overcome significant challenges caused by fragmented security environments, including:

  • Poor visibility into security posture
  • Multiple single points of dependency
  • Siloed security data and insights
  • Overhead in managing multiple providers

These challenges are even more painful, of course, when budgets and resources are constrained. Customers are almost crying out for strategies that will help them maintain or increase their investments in security, without increasing overhead and complexity.

Our customers are also getting bigger and more complex, so we need to support their growing security organizations. We think the best way to do this is to empower them with the flexibility to structure their security solutions on the Bugcrowd Platform to reflect their internal organization or products, and to manage them in an efficient yet fine-grained way–for example, to enable them to standardize scope across a series of different programs (pen tests, bug bounty programs, etc.), or to run reports across them. That would make managing and getting value from multiple Bugcrowd solutions much easier, and empower security leaders to focus more on the big picture.

Introducing multi-tier management

For these reasons, we’re excited to announce the addition of multi-tier program management to the Bugcrowd Platform.

Bringing multi-tier management to the platform gives customers a lot more flexibility for solving multiple security goals across assets in pen tests, bug bounties, VDPs, and even ASM programs, in any combination. In most customer organizations, the asset is king/queen: It defines which employees get access to which resources, and has an associated security strategy attached to it. This change lays the foundation for managing asset security throughout its lifecycle, across all the Bugcrowd products that might be applied to it.

Under this new model, the “program” becomes a container abstraction for multiple engagements that inherit attributes from the program. In other words, a customer can now share submissions, roles, assets, and integrations across pen tests, bug bounty programs, and VDPs inside the same program–as well as get valuable insights about trends and opportunities from data analytics and reports generated across that program. 

Under the multi-tier model, researchers also gain a more holistic understanding of all your assets. Defining submissions, roles, assets, and integrations at the program level gives researchers a clear picture of your needs, along with additional tools that benefit your security investment.

In the diagrams below, we can see an organization that has gone from individually managing five programs under the former, “flat” model (Figure 1), to managing only two programs under the new, multi-tier model (Figure 2). For each new engagement created, it inherits the attributes already set at the program level. Researcher submissions will also be shared across the program, significantly reducing the pain of having to move submissions across different engagements to meet certain requirements.

Figure 1. Before: Flat management model

Figure 2. After: Multi-tier management model

By introducing this model, we will significantly reduce the administration overhead in setting up and managing new solutions on the Bugcrowd Platform. We also unlock new reporting and insights across customer solutions, an ability to duplicate an engagement with a single click, and an intuitive, three-tier navigation UI:

Bugcrowd Penetration Testing as a Service is the first solution type to support this new approach to organizing security programs at scale, with Managed Bug Bounty and VDP to follow on the roadmap. Going forward, as one benefit of this new approach, it will be possible to “clone” completed penetration tests across programs (including scope, targets, integrations, etc.), allowing customers to much more easily repeat their pen tests at scale–which we anticipate will be very useful for organizations that, for example, need to do large batches of compliance-driven pen tests across the year.

Investing in the platform 

If multi-tier management sounds like something that is critical for a multi-solution platform, you’re spot on. This is a significant improvement in the way security engagements are managed on the Bugcrowd Platform, one which has been made possible with significant investment from our customers. If you have any thoughts or questions about this platform enhancement, we welcome your feedback!

The post Announcing Multi-tier Program Management on the Bugcrowd Platform appeared first on Bugcrowd.

ABP (Always Be Prepared) For Social Engineering Threats
https://www.bugcrowd.com/blog/abp-always-be-prepared-for-social-engineering-threats/ | Thu, 23 Jun 2022 20:42:45 +0000

Social engineering is one of the most common attack vectors in infosec–it was the #1 threat reported in the 2021 State of Cybersecurity Survey by ISACA–and has led to some of the most infamous breaches in history. Defined as the use of phishing, pretexting, impersonation, and other manipulations to acquire personally identifiable information (PII), credentials, unauthorized access to accounts, or money from humans, social engineering targets a soft spot in the attack surface that can’t be defended by technology alone. In summary, it’s a serious threat you can’t afford to ignore.

Despite this risk, many organizations are surprisingly unprepared for social engineering, whether manifested by lack of organizational awareness, outdated or inconsistent identity verification protocols, shallow security practitioner skill sets, or all of the above. 

For that reason, we’re pleased to announce a strategic reseller partnership with SocialProof Security, furthering our mission to keep customers a step ahead of evolving cyber threats. As part of the partnership, Bugcrowd will resell SocialProof Security’s services, including social engineering prevention training, protocol review and practitioner workshops, and specialized penetration testing. 

With new Bugcrowd Social Engineering prevention services powered by SocialProof Security, you can:

  • Train all employees to notice and report attacks, and sharpen security practitioner skills
  • Strengthen identity verification methods to stop account takeover
  • Validate the effectiveness of training and protocol updates with a social engineering pen test

In addition to reselling social engineering training and pen testing, Bugcrowd offers customers the most complete cybersecurity portfolio on the market, including a multi-solution Security Knowledge Platform for pen testing as a service, bug bounty, vulnerability disclosure, and attack surface management. For example, Bugcrowd customers can now buy pen tests from a single provider for every use case – from basic assurance of simple web apps and networks, to continuous testing of cloud services and APIs, to social engineering.

Want to learn more? Save your seat for a Crowd Café AMA with hacker and SocialProof Security Co-founder/CEO Rachel Tobac, and hosted by Bugcrowd Founder and Chairman, Casey Ellis, on July 14, 2022. We look forward to seeing you!

The post ABP (Always Be Prepared) For Social Engineering Threats appeared first on Bugcrowd.

Pen Testing and Bug Bounty: Which, When, Why
https://www.bugcrowd.com/blog/pen-testing-and-bug-bounty-which-when-why/ | Wed, 08 Jun 2022 23:21:15 +0000

Cybersecurity risk management has changed dramatically in recent years. The ability to demonstrate maturity through reactive measures like detection and monitoring, identity management, and incident response used to be the main goal for most organizations. Now, proactive risk reduction strategies like pen testing (invented decades ago but now in a renaissance) and bug bounty often complement those maturity processes. Why? Because threats are now so ingenious and dynamic that focusing on defense all the time feels like rowing against the tide in a very leaky boat.

At Bugcrowd, we’ve found that among security teams that have made/are making the reactive/proactive shift, the definition of “pen testing” and what it involves can vary. And when you add bug bounty to the conversation, requirements discovery becomes even more interesting. For some customers, pen testing and bug bounty are even interchangeable terms.  

In this post, we’ll offer our views about how pen testing and bug bounty compare, and why they’re often deeply complementary.

Pen Testing and Its Use Cases

Per NIST, penetration testing is a technique “where testers target individual binary components or the application as a whole to determine whether intra- or inter-component vulnerabilities can be exploited to compromise the application, its data, or its environment resources.” But, even that lengthy definition is vague.

Pen tests have three defining characteristics: they are performed by external testers, are typically time-bound, and usually follow a testing methodology. Many customers also expect a final report for demonstrating regulatory compliance to an auditor.

Although many buyers take a standard approach to pen testing, with few variations across organizations, some have special requirements around pentester skill sets and/or location, pen test targets, duration, and methodology. And of course, there are numerous examples of large organizations that run every kind of pen test under the sun at one time or another. So where does bug bounty fit in this picture?

Bug Bounty and Its Use Cases

Bug bounty was invented in the 1990s to help address the cybersecurity talent gap and to level the playing field between defenders and attackers. The premise was to engage with the global ethical hacker community to help you find vulnerabilities like only hackers can, and at scale. It also overlaid an ingenious “pay for results” economic model that uses gamification to incentivize impactful results: the more critical the vulnerability, the higher the reward. In 2012, Bugcrowd pioneered the idea of an intermediating software platform to that concept, making both bug bounty programs and crowdsourced security accessible to the broader market.

Although some characterize bug bounty as simply an “open-scope vulnerability disclosure program” with cash rewards attached to it, we take a different view with customers. Like pen testing, bug bounty is in fact a focused, strategic approach to discovery and assessment of security risk.

Many customers conflate bug bounty and pen testing because both rely on attacker tools, techniques, and mindset for vulnerability discovery under a predefined scope, which is certainly accurate. Beyond the tactical execution details (use of a methodology versus no methodology, report versus no report, etc.), you have to squint a bit to see the differences. Ultimately, pen testing and bug bounty have very similar goals but differ with respect to the intensity of the assessment. With this in mind, one can easily envision a layered strategy for both compliance and risk reduction that combines:

  1. Ongoing vulnerability discovery and assessment–when exploitability of vulnerabilities is confirmed, this is what some might consider a “basic” pen test
  2. Periodic, human-driven pen testing to find common flaws that (1) may have missed (what some might consider a “standard” pen test)
  3. A continuous bug bounty running “over the top” to pick up emerging vulnerabilities not yet reflected in the methodologies used in (1) and (2)

With this understanding, it’s easy to see that point-in-time pen testing and continuous bug bounty are highly complementary. And that’s where the Bugcrowd Security Knowledge Platform™ plays a unique role.

Platform-powered PTaaS

Pen testing was invented in the 1970s, and it shows. Many external providers still approach pen testing as a consulting engagement, which leads to delays, noise, added cost, and low-impact results for use cases that go beyond compliance checkboxes. For internal pen testing teams, finding the right talent to achieve even minimal goals can be very difficult. In either case, pen tests have always been done in silos, with findings often disappearing into a black hole.

Penetration Testing as a Service (PTaaS) is an incremental improvement designed to address some of these problems. The benefits of using a SaaS platform for pen testing are pretty clear–faster onboarding, 24/7 reporting, integration with the SDLC, and so on–but there is so much more that can be done. For example, what if you could:

  • Meet your precise compliance/risk reduction goals–ranging from basic assurance to maximum, continuous risk reduction? (See our announcement about expanding the Bugcrowd suite of PTaaS offerings to address multiple pen test use cases.)
  • Integrate pen testing, bug bounty, vulnerability disclosure, and even attack surface management on a single platform with a unified user experience (not in silos)?
  • Share data about vulnerabilities, assets, and environments across all of them via a multi-solution platform that brings contextual, risk reduction intelligence into every workflow?
  • Integrate highly curated crowds into pen tests when needed (just like bug bounty), so that the right experts are precisely matched and activated for your needs at the right times, and there are always lots of eyes on your targets (which can be easily rotated as needed)?

With the Bugcrowd approach to PTaaS, you can. Unlike consultancies or purpose-built solutions for PTaaS or bug bounty, Bugcrowd’s multi-solution Security Knowledge Platform allows you to run multiple crowdsourced security solutions in parallel, with everything taking advantage of automated workflows, the ability to bring the right crowd into those use cases at the right times, and a shared knowledge base of vulnerability, asset, environment, and researcher skill set data adding contextual insights and advice to everything that happens in the platform. That’s what “PTaaS done right” means!

To learn more about Bugcrowd’s modern approach to pen testing, download our “See Security Differently: PTaaS Done Right” ebook.

The post Pen Testing and Bug Bounty: Which, When, Why appeared first on Bugcrowd.
