Launching a bug bounty program from a CISO’s perspective
How can I measure the security level of our IT systems? Should I change our pentester company every year? Where should I store the results of pentest reports? Are these questions familiar to you? If so, keep reading.
In order to understand how bug bounty can improve security testing, let’s start with security controls, more specifically with how security controls are implemented. In the last few years I have found too many organizations that think about controls as a checklist, as if each control were binary: zero or one. Unfortunately, in most cases security controls do not behave like this.
Relevant to today’s topic: if all you want is a report about your security, you will miss some crucial details. It is time to admit that it’s not that simple. Controls need to be measured continuously: how effective they are, and how they could be improved.
One of the practices used to improve security testing is to change pentesters regularly. Most of the time the new pentester will find new vulnerabilities, and if you change again, new vulnerabilities will probably be discovered again. After that happens, we can say “the issue was found in a new functionality of the product/service”, and maybe it’s true in some cases, especially if your company follows agile development principles. But when you look at the bigger picture, you will find that the human factor and the timing of the tests are essential.
The knowledge and experience of the ethical hacker matter a lot, as does how much time has passed since the previous test.
Another vexing aspect of pentesting from a CISO’s perspective is storing highly sensitive technical data in PDF documents. A valid business requirement would be a secure connection to a ticketing system, but unfortunately PDF is still part of pentest projects.
How can we improve this process? Using the power of crowdsourced security testing (“bug bounty”) is one solution. Of course, there are advantages and disadvantages to launching a bug bounty program, and you may have some concerns about this topic. In this article, I would like to highlight some of these based on my experience.
Launching a bug bounty program is not for everyone. An organization can learn a lot from it, but you must carefully consider the question “Are we ready to start a bug bounty program?”. It’s a hard question. I would say: without a hardened IT environment and previous security tests, bug bounty can be a tough round for your team. Ideally, a secure software development lifecycle (SSDLC) should also be part of your company’s culture before setting up a bug bounty program.
A lot depends on how you start. Instead of starting with an open program on the production environment, you need to build up gradually. I recommend starting with a VDP (vulnerability disclosure program), then adding rewards for critical assets only, and only then launching a full bug bounty program. Furthermore, it’s essential to choose the bug bounty scope carefully (we will deal with scoping in detail soon - stay tuned).
Real-world example: An exciting example of how a company can launch a bug bounty program is Red Bull. They worked with “friendly hackers” before starting a bug bounty program, and they are using their product (energy drink) as a reward instead of a monetary reward.
You may ask, “We have testing tools powered by artificial intelligence, so why should I start a bug bounty program?”. Automated testing tools are great. They should be used, but without blind trust in their results. Sometimes they will find almost every issue in the product/service, but that is infrequent. Moreover, there are at least two reasons why they will never replace ethical hackers:
The creativity of a human being – AI is excellent. It will play an essential part in the future of cybersecurity, but no system has as much creativity as a real hacker.
Never underestimate the perseverance of a hacker – A motivated hacker can come up with payloads you could never imagine, and that’s why they still find new bugs in the products of the biggest tech companies.
Finally, many IT security experts like to use the term “cybersecurity as a market differentiator”. There are situations where this term has a valid meaning (and sometimes it is only marketing to increase the security budget or sell something). I truly believe that launching a bug bounty program can have real business value. A company can use a bug bounty program as a tool to build trust with all of its stakeholders. It sends a message to the future members of your security team, and you may even find new customers with it.
If you consider starting a bug bounty program, our team of security experts can help you to integrate bug bounty into your cybersecurity strategy.
(Image by Ferenc Szalkai.)