How to Build a Hacker-powered Crowdsourced Security Program

How to leverage ethical hackers at scale to deliver better security and vulnerability management.

May 17, 2023

Crowdsourcing Security

Tech titans such as Google, Facebook and Microsoft have long embraced bug bounty programs and have paid millions of dollars for ethical hackers to find previously unknown vulnerabilities in their systems. However, few companies have the security budgets or teams to run such impactful programs. Johanna Ydergård, VP of product at Detectify, sheds light on a new approach: leveraging and scaling ethical hackers’ knowledge to power fully automated external attack surface management (EASM) solutions.

As tech solutions become smarter and increasingly pervasive, they have become integral elements of operations. At the same time, to keep up with these fast-paced developments, the need for data security and privacy has increased.

Anyone who has worked as part of a medium or large organization’s security team knows first-hand how difficult it is to keep tabs on an ever-changing and growing attack surface, let alone keep those assets secure. Hackers have long been monitoring the web to find vulnerabilities in places companies aren’t looking at, or don’t even know exist. They have eyes and ears where companies don’t, and they increasingly leverage automation to improve their tooling and reconnaissance methods, enabling them to monitor organizations’ attack surfaces with greater precision than ever before. Over the past year, there have been some devastating breaches, including Twitter, Uber and AT&T. We all know that it is no longer a matter of if you get hacked, but rather when.

Furthermore, tech stacks are getting more complex, and companies today are functioning with an increasing number of third-party solutions that teams use to solve increasingly complex tasks. As CISOs are painfully aware, every application or software they use may be prone to various vulnerabilities that they do not have direct control over. And with this, a question arises: What approach can security teams take to address this changing environment?

By offering a comprehensive view of an organization’s attack surface and potential vulnerabilities, solutions like EASM empower CISOs with mechanisms to understand their internet footprint and exposure and identify, assess and prioritize risks – including both exposure and vulnerabilities. This enables CISOs to take ownership of the organization’s overall security posture properly and enables them to understand and decide where to safeguard against risks across the attack surface.


Why Pentesting Sometimes Doesn’t Fit the Bill

Penetration testing is a manually driven vulnerability detection method that uses multistep and multivector attack scenarios to find vulnerabilities and attempts to exploit them. While some companies pentest continuously, others don’t, often because of a weak security culture, budget limitations, or both.

Even though pentesting is a critical tool within a lot of enterprises’ security toolkits, one of its major downsides is that it fails to keep up with the development speed of modern applications. While most companies that pentest do it annually, in today’s environment applications are updated far more often, sometimes several times per day. This results in reports that quickly become outdated and, at best, reflect your security posture at a particular point in time. Even though pentesters also use automation in their toolkit today, the quality of pentests varies; pentesting should be considered one piece of the puzzle in a security program, but never the full solution.

One thing is clear – the more eyeballs you throw at an application, the more you’ll discover. Many of the traditional approaches build on the assumption that the company is already aware of its internet footprint and defines a scope for the tests from the beginning. Hence, it’s easy to see how traditional approaches like a combination of pentesting and static and/or dynamic code scanning only give a partial view of risk and exposure in an organization and will be insufficient to understand and manage the full attack surface.

The Power of the Crowd

Something in the security toolbox has been missing, and this is where crowdsourced security comes into play. Security professionals have commonly heard about bug bounty platforms such as HackerOne, BugCrowd and Intigriti, among others. Crowdsourcing platforms use a large group of ethical hackers to continuously reveal more vulnerabilities than regular penetration testing can. Ethical hackers use the same methods as cyber criminals, but apply their knowledge to help companies build safer products, and are paid for doing so.

The numbers don’t lie. The bug bounty market was valued at $90 million in 2019 and is anticipated to grow to $206.5 million in 2030, with a CAGR of 9% between 2022 and 2030. However, deploying a bug bounty program is not a silver bullet in security: it only benefits one company at a time and can be massively expensive for most of them, as they often end up paying lofty bug bounties to hackers when they could have found the same vulnerabilities through automation. Hackers make an individual report for every vulnerable instance and submit each one separately. This part can be extremely time-consuming and isn’t scalable.

It’s the combination of automation and crowdsourced security that will make the Internet safer. By using a bug bounty model and combining it with automation, platforms can better cover all conceivable attack situations and scan all potential risks through software-led security testing.


Making the Internet Safer With Automation

Automated, crowdsourced ethical hacking platforms are far more than your regular bug bounty platform. They have access to vulnerability information from a broad number of hackers worldwide, which an individual pentester usually doesn’t have. These platforms build automated tests from the crowdsourced vulnerability information and continuously run those tests against the customers’ assets, providing constant vulnerability monitoring of the attack surface instead of one-off pentests, and without relying on the frequent high activity and manual triage of a bug bounty program.

To guide the ethical hackers on what vulnerability information will have the most impact, they are shown an aggregated view of which technologies customers are running, such as their CMS, and which version is the most common. They then discover and submit vulnerabilities and are paid each time their submitted vulnerability test recognizes a vulnerability on a client’s asset, which allows for the gamification of the platforms.

These platforms also make the job of ethical hackers as simple as possible by automating their reporting. If a hacker finds a vulnerability in a commonly used system, they do not have to report it to every affected company; they report it once, in one place, and scale their impact.
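To make the workflow described in the three paragraphs above concrete, here is a small model of such a platform: an aggregated technology view for the hackers, a loop that runs each crowdsourced test module across every customer’s assets, and a payout ledger that credits the submitter once per asset their test flags. This is an added illustration, not Detectify’s or any platform’s real code. All hosts, customers, check identifiers and the "fixed in" versions are constructed placeholders, and the test modules are reduced to version predicates; a real module would carry its own non-destructive probe, which is outside the scope of this sketch.

```python
from collections import Counter, defaultdict
from dataclasses import dataclass

# Constructed sample inventory: what the EASM side of the platform knows about
# each customer's external assets after discovery and fingerprinting.
ASSETS = [
    {"customer": "acme",    "host": "www.acme.example",    "tech": "wordpress", "version": "6.1.2"},
    {"customer": "acme",    "host": "blog.acme.example",   "tech": "wordpress", "version": "6.4.0"},
    {"customer": "globex",  "host": "shop.globex.example", "tech": "wordpress", "version": "6.1.2"},
    {"customer": "globex",  "host": "api.globex.example",  "tech": "nginx",     "version": "1.24.0"},
    {"customer": "initech", "host": "cms.initech.example", "tech": "drupal",    "version": "10.1.0"},
]


@dataclass(frozen=True)
class Check:
    """One crowdsourced test module, submitted once by one hacker.

    In this model the test is a version predicate (assumption); the platform
    would normally attach a safe request/response check instead.
    """
    check_id: str    # platform-assigned id, constructed placeholder
    submitter: str   # hacker handle, constructed
    tech: str        # fingerprinted technology the test applies to
    fixed_in: str    # versions strictly below this are reported
    title: str


# Constructed submissions with placeholder identifiers (no real advisories).
CHECKS = [
    Check("CS-0001", "hacker_a", "wordpress", "6.2.0", "placeholder WordPress issue, fixed in 6.2.0"),
    Check("CS-0002", "hacker_b", "drupal",    "10.1.5", "placeholder Drupal issue, fixed in 10.1.5"),
]


@dataclass(frozen=True)
class Finding:
    check_id: str
    submitter: str
    customer: str
    host: str
    title: str


def parse_version(text):
    """'6.1.2' -> (6, 1, 2) so versions compare numerically, not as strings."""
    return tuple(int(part) for part in text.split("."))


def technology_overview(assets):
    """Aggregated (tech, version) counts shown to hackers, most common first.

    Customer and host names are deliberately left out: hackers see what the
    customer base runs, not who runs it.
    """
    return Counter((a["tech"], a["version"]) for a in assets).most_common()


def run_checks(assets, checks):
    """Run every submitted test against every asset; one submission scales
    to all affected customers without the hacker re-reporting."""
    findings = []
    for check in checks:
        for asset in assets:
            if asset["tech"] != check.tech:
                continue
            if parse_version(asset["version"]) < parse_version(check.fixed_in):
                findings.append(Finding(check.check_id, check.submitter,
                                        asset["customer"], asset["host"], check.title))
    return findings


def reports_by_customer(findings):
    """Group findings per customer so each one receives only its own report."""
    reports = defaultdict(list)
    for f in findings:
        reports[f.customer].append((f.host, f.check_id, f.title))
    return dict(reports)


def payout_ledger(findings, reward_per_hit=50):
    """Credit the submitter once per unique (check, customer, host).

    Continuous scanning re-reports the same hit every run; deduplicating on
    the tuple keeps a single hit from paying out repeatedly (design choice).
    """
    seen = set()
    ledger = defaultdict(int)
    for f in findings:
        key = (f.check_id, f.customer, f.host)
        if key in seen:
            continue
        seen.add(key)
        ledger[f.submitter] += reward_per_hit
    return dict(ledger)


if __name__ == "__main__":
    for (tech, version), count in technology_overview(ASSETS):
        print(f"{tech} {version}: {count} asset(s)")
    hits = run_checks(ASSETS, CHECKS)
    for customer, items in reports_by_customer(hits).items():
        print(customer, items)
    print(payout_ledger(hits))
```

Running the module prints the aggregated stack view (WordPress 6.1.2 is the most common pairing in the constructed inventory), then one report per affected customer, then the ledger. Passing the findings of two consecutive runs to `payout_ledger` yields the same totals as one run, which is the property that keeps a continuously executed test from being paid twice for the same asset.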

In conclusion, even though no tool is perfect or will eliminate all security risks, it is crucial to have ethical hackers working in conjunction with those tools. Indeed, it takes a crowd to secure your growing attack surface. Looking ahead, automated crowdsourced testing will significantly reduce the risk and costs of complementary approaches like bug bounty programs.

What do you think are the most common challenges in developing a crowdsourced security program? Is it worth the risk? Share with us on Facebook, Twitter, and LinkedIn. We’d love to hear from you!


Johanna Ydergård
Coming from a mixed business and engineering background, VP of Product Johanna Ydergård is responsible for product management, strategy, and design at Detectify. She works in tight collaboration with Engineering to build and enable the product, design & engineering organization. Prior to becoming VP of Product, when Johanna joined Detectify, she led the creation of the ethical hacker community Detectify Crowdsource that fuels the company’s attack surface management product.