A crucial part of securing IT infrastructure, applications and services is asking independent white hat hackers to hack it. Hackers will try to break in regardless, so you might as well be part of the process to maximize the benefits. Unfortunately, not every company has the resources to hire a penetration testing team.
Crowdsourcing can help your company get immediate help when you need it at a price you can afford. Crowdsourcing can be likened to an “eBay” auction for talent. You can get the right talent at the right price at the right time.
Crowdsourcing hackers through an intermediary
There are obvious trade-offs with crowdsourcing IT security talent, such as how to vet the people who will hack your environment; determine a fair price and scope; and initiate, track and control the process. If you don’t have an established program, what you save in direct monies could be easily offset by your time, involvement and risk. When you don’t know the players involved, there is always a risk that they don’t have the experience they claim they do, or worse, don’t do what you’ve hired them to do. The biggest fear with outsourcing hackers is that they keep and use what they learned on the job later. After all, they are hackers. Right?
Luckily, many firms act as a trusted intermediary and use their established processes to hook up independent, vetted hackers with your needs. In exchange for payment, they will vet the hackers, make sure they are trustworthy and skilled, provide the overall program and framework, and do all the hard work that you don’t have the time for.
I love both the crowdsourcing idea and the companies that are doing it. Three of the biggest and best-known are Synack, Bugcrowd and HackerOne. Each, in different ways, brings hackers and their services together in a relatively open marketplace with companies looking for white hat hacking services. Most of the crowdsourcing security companies offer at least three main services:
- Vulnerability disclosure
- Penetration testing
- Bug bounty programs
Vulnerability disclosure involves helping the customer develop and publish a responsible vulnerability disclosure program that defines where and how third parties (hackers) can contact the customer or intermediary (the crowdsource vendor) with newly found bugs. It includes responsibilities and expectations for the customer, the intermediary and the hacker. Many hackers who have performed “irresponsible” disclosure to the public without giving the vendor a chance to rectify the found bug first did so only because of their frustration with the lack of a reasonable response from the company they were trying to report the bug to.
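The “where and how to contact us” part of a disclosure program can be published in a machine-readable form so that a researcher does not have to guess at an address. The following is an added example, not code from the article or from any of the vendors it names: it renders and sanity-checks a security.txt file in the RFC 9116 format (Contact, Expires, Policy and Acknowledgments are real fields of that standard; the hostnames, addresses and dates are constructed for the example).

```python
"""Render and check a machine-readable disclosure contact point.

Added example, not from the article or the vendors it names. It uses the
security.txt format (RFC 9116), served at /.well-known/security.txt.
All URLs, addresses and dates below are constructed sample values.
"""
from datetime import datetime, timedelta, timezone

REQUIRED_FIELDS = ("Contact", "Expires")
CONTACT_SCHEMES = ("https://", "mailto:", "tel:")


def render_security_txt(contacts, policy_url, expires, acknowledgments=None):
    """Build the file text from the program's details (expires is a UTC datetime)."""
    lines = [f"Contact: {c}" for c in contacts]
    lines.append(f"Expires: {expires.strftime('%Y-%m-%dT%H:%M:%SZ')}")
    lines.append(f"Policy: {policy_url}")
    if acknowledgments:
        lines.append(f"Acknowledgments: {acknowledgments}")
    return "\n".join(lines) + "\n"


def parse_security_txt(text):
    """Return field name -> list of values; comments and blank lines are skipped."""
    fields = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        name, sep, value = line.partition(":")
        if sep:
            fields.setdefault(name.strip(), []).append(value.strip())
    return fields


def check_security_txt(text, now=None):
    """Return the problems a program owner should fix; an empty list means OK.

    The Expires check accepts the common 'YYYY-MM-DDTHH:MM:SSZ' form only;
    RFC 9116 allows other ISO 8601 spellings, which this simplified check rejects.
    """
    now = now or datetime.now(timezone.utc)
    fields = parse_security_txt(text)
    problems = []
    for name in REQUIRED_FIELDS:
        if name not in fields:
            problems.append(f"missing required field {name}")
    for contact in fields.get("Contact", []):
        if not contact.startswith(CONTACT_SCHEMES):
            problems.append(f"Contact must be an https://, mailto: or tel: URI: {contact}")
    for expires in fields.get("Expires", []):
        try:
            when = datetime.strptime(expires, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        except ValueError:
            problems.append(f"Expires is not a UTC ISO 8601 timestamp: {expires}")
            continue
        if when <= now:
            problems.append("Expires is in the past; researchers may treat the file as stale")
        elif when - now > timedelta(days=366):
            problems.append("Expires is more than a year out; RFC 9116 recommends under a year")
    for policy in fields.get("Policy", []):
        if not policy.startswith("https://"):
            problems.append(f"Policy URL should use https: {policy}")
    return problems


def demo():
    """Check a well-formed file and a stale one against a fixed clock (constructed data)."""
    now = datetime(2024, 1, 1, tzinfo=timezone.utc)
    good = render_security_txt(
        ["mailto:security@example.test"],
        "https://example.test/disclosure-policy",
        datetime(2024, 6, 30, tzinfo=timezone.utc),
        acknowledgments="https://example.test/hall-of-fame",
    )
    stale = "Contact: http://example.test/report\nExpires: 2023-01-01T00:00:00Z\n"
    return check_security_txt(good, now), check_security_txt(stale, now)


if __name__ == "__main__":
    good_problems, stale_problems = demo()
    print("well-formed file:", good_problems or "no problems")
    print("stale file:", stale_problems)
```

The check runs offline against the file text, so it fits into a deployment pipeline that refuses to publish a security.txt whose contact point is unreachable by policy or whose Expires date has already passed; the page itself still needs the human-readable disclosure policy the Policy URL points to.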
Penetration testing is often the key money-generating service for crowdsourcing firms. They bring together a skilled set of experienced hackers with the customer at an agreed-upon price for an agreed-upon scope of work.
The vast majority of hackers involved in these firms are doing crowd-sourced pentesting part-time. A minority do it full-time, and some make a decent living doing so. How much a crowd-sourced hacker can earn on each job depends on their skills, their experience, and the types of jobs they are selected for. Bugcrowd told me it has hackers who donate their time for particular causes (such as securing their country’s government resources) or give the money they receive to charities.
Getting a bug bounty firm involved can save you tons of time and money. Many times, a hacker-reported bug really isn’t a bug at all, isn’t a bug impacting security, or isn’t easily reproducible. Most bug bounty program vendors will tell you that you need to fix only a minority of the reported bugs, and that they spend most of their time figuring out the real bugs from all the reported issues.
A bug bounty vendor will do the time-consuming up-front work, taking the reports from hackers, verifying real security bugs, triaging to determine criticality, making sure they are readily reproducible, and then creating detailed documentation of the working exploit. Any bug fixer would kill for this part of the process to be done.
No matter how good your internal IT security team is, no matter whether you have an internal or external pentesting team, you need a bug bounty program and responsible vulnerability disclosure program as a key part of your IT security. I’ve been with firms that decided, wrongly, they didn’t need a bug bounty program. Each, after years of negative lessons learned, started a bug bounty program. They could have saved themselves some pain by starting one earlier.
Every company should consider and deploy all three of these types of programs. I’ve known many otherwise good-hearted hackers who grew frustrated, and even resentful, because a company didn’t have an easy way to report a bug they found, didn’t effectively respond to the outreach, or incorrectly told the hacker that their big find wasn’t a big deal. If you make it hard for good people to report serious things, you’re just asking for trouble.
If you don’t already have these functions as a mature part of your organization, you can only benefit by getting involved with a company, crowdsourcing or not, that can help you to set them up. Most of the companies offer these services as one-time or ad-hoc projects. Some companies offer additional related services such as code review, remediation and staff augmentation. They differentiate themselves with their platform around the hackers and services, pricing models, and how well they can vet the experience, skills, and placement of the involved hackers.
What does crowd-sourced hacking cost?
None of the firms I interviewed wanted to give me hard numbers for a hypothetical scenario, but agreed that crowdsourcing a hacker red team for a few weeks of work might cost in the low thousands to the low tens of thousands of dollars for a relatively small limited engagement. Larger engagements with more people with specialized skills lasting many weeks to a few months could easily cost tens of thousands of dollars. No matter what you might end up paying, it’s far cheaper than having your own internal team and often cheaper than working with an established firm that does not use crowdsourcing.
At the most recent Black Hat USA 2018 in Las Vegas last week, I interviewed executives at Synack and Bugcrowd.
Synack has the reputation of being a top-tier outsourcing vendor with a focus on larger enterprises. They have a who’s who list of top companies and entities as clients and like to focus on the success and quality of their vetting process and programs, as well as a broad range of services. I spoke with Aisling MacRunnels, Synack’s chief marketing officer.
When asked if artificial intelligence (AI) would ever replace human hackers in the process of evaluating a company’s security, MacRunnels says, “No. I think you’ll see driverless cars long before you’ll see driverless security. You can’t build technology that outwits the human mind. You just can’t. A human can see things contextually that you can’t easily build into an automated program. We start with a vulnerability assessment scan to find the low hanging fruit and then feed all that it learned to our hackers. The hackers find far more than what the scan alone finds. The scan is a starting point, not an end.”
MacRunnels is proud of Synack’s hacker vetting program. “We have over 1,000 hackers vetted in over 55 countries, but it takes months to become a vetted hacker on our platform. We don’t have any ‘average’ hackers.”
On the process side, Synack has a customer portal where they can monitor each step and see every found vulnerability. “A customer can skip particular issues that they already know about or even immediately stop a project,” MacRunnels says. “We send details and screenshots. Customers can directly access the researcher to get their questions answered. Customers who were initially a bit skeptical of the process end up trusting it more and more, trusting our researchers to go farther and do more, as they learn they can trust us, our researchers, and our platform.”
MacRunnels believes Synack’s pricing model—fixed cost rather than per bug—is a differentiator. “You know what you are paying for and what you are going to get,” she says.
Synack takes care of its vetted researchers, too, according to MacRunnels. “We pay them within 24 hours of their finding. We want them to trust us and to know that they are appreciated for what they do.” Payment within 24 hours is a rarity in the independent pen testing world. It is a huge motivator. Usually it would take a month or longer for me to get paid.
Bugcrowd is another top-tier IT security crowdsourcing company, focusing on companies of all sizes in more than 50 vertical markets. I spoke with several Bugcrowd employees, including Ashish Gupta, CEO; Justin Beachler, trust and security engineer; and Michelle Dailey, senior director of marketing.
Gupta agreed with the notion that AI wasn’t going to take over human hackers anytime soon. “You still have a big need for human creativity to not only find issues, but understand the security risk,” he says.
When a hacker finds a bug using Bugcrowd’s platform, Bugcrowd doesn’t take any of the money that the customer pays the researcher. Gupta says, “We don’t take a bit of the money out of the bug bounty. We make our money for the benefits of the platform.”
Beachler adds, “You need different types of hackers with different ‘eyes’ looking for bugs. Many companies have a policy where they must change up their external pentesting teams every few years for just that reason. Crowdsourcing and Bugcrowd make that really easy to do.”
“Every one of our programs has professional management built into it,” says Dailey. “For example, we try to respond to every reported vulnerability within 24 hours. Actually, it’s around 12 hours or less right now. We do all the work around verifying that the reported vulnerability is really a vulnerability and determining what vulnerability taxonomy rating it should have.”
A key part of Bugcrowd’s process is the open-source Vulnerability Taxonomy Rating program, a framework they helped develop for rating and classifying different types of bugs. The most critical bugs are called “P1s”, while less severe bugs are classified as P2 to P5. Every bug-finding program has criticality ratings, but Bugcrowd’s open-source framework was developed with input from many customers and researchers to help standardize the ratings. Without an objective, standardized framework, a researcher has a greater incentive to report every finding as a highest-criticality, higher-paying P1 bug.
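The triage work described above (verifying that a report is a real, reproducible security bug, collapsing duplicates, and assigning a priority from a fixed taxonomy rather than from the researcher’s own claim) can be made mechanical for its first pass. The block below is an added example, not code from the article, from Bugcrowd or from any other vendor named here; the TAXONOMY table mirrors the P1 (most severe) to P5 (least severe) scale the article describes but is a constructed table, not Bugcrowd’s actual taxonomy, and the report records are constructed sample data.

```python
"""First-pass triage of crowd-sourced vulnerability reports.

Added example, not code from the article or any vendor it names. The
TAXONOMY table and SAMPLE_REPORTS are constructed for illustration; the
table uses the P1..P5 scale described in the article but is not
Bugcrowd's real taxonomy.
"""
from collections import Counter
from urllib.parse import urlsplit

# Constructed severity table: category -> baseline priority. Categories
# not in the table are treated as informational (no fix required).
TAXONOMY = {
    "sql_injection": "P1",
    "auth_bypass": "P1",
    "stored_xss": "P2",
    "reflected_xss": "P3",
    "csrf": "P4",
    "clickjacking": "P5",
}
PRIORITY_RANK = {"P1": 1, "P2": 2, "P3": 3, "P4": 4, "P5": 5}

SAMPLE_REPORTS = [  # constructed sample submissions
    {"id": "R-1", "category": "sql_injection", "url": "https://shop.example.test/search?q=1",
     "claimed": "P1", "repro_steps": "search parameter returns a database error on malformed input"},
    {"id": "R-2", "category": "sql_injection", "url": "https://SHOP.example.test/search/",
     "claimed": "P1", "repro_steps": "same parameter, different input"},
    {"id": "R-3", "category": "stored_xss", "url": "https://shop.example.test/profile",
     "claimed": "P1", "repro_steps": ""},
    {"id": "R-4", "category": "clickjacking", "url": "https://shop.example.test/about",
     "claimed": "P1", "repro_steps": "page can be framed from a third-party origin"},
    {"id": "R-5", "category": "server_banner", "url": "https://shop.example.test/",
     "claimed": "P3", "repro_steps": "Server header reveals a version string"},
]


def signature(report):
    """Normalise a report to (category, host, path) so that two researchers
    describing the same endpoint differently collapse into one finding."""
    parts = urlsplit(report["url"])
    path = parts.path.rstrip("/").lower() or "/"
    return (report["category"], parts.netloc.lower(), path)


def triage(reports):
    """Classify each report in submission order.

    Order of checks: a report without reproduction steps cannot be verified
    (needs_info); a category outside the taxonomy is informational; an
    already-seen signature is a duplicate; anything else is accepted with the
    taxonomy's priority, not the researcher's claimed one.
    """
    seen = {}
    decisions = []
    for r in reports:
        base = TAXONOMY.get(r["category"])
        claimed = r.get("claimed")
        decision = {"id": r["id"], "claimed": claimed, "assigned": base}
        sig = signature(r)
        if not r.get("repro_steps"):
            decision["status"] = "needs_info"
        elif base is None:
            decision["status"] = "informational"
        elif sig in seen:
            decision["status"] = "duplicate"
            decision["duplicate_of"] = seen[sig]
        else:
            decision["status"] = "accepted"
            seen[sig] = r["id"]
        # Flag a claim that is more severe than the taxonomy allows; this is
        # the over-reporting incentive a standardized rating is meant to remove.
        decision["inflated"] = bool(
            base and claimed and PRIORITY_RANK[claimed] < PRIORITY_RANK[base]
        )
        decisions.append(decision)
    return decisions


def summary(decisions):
    """Counts per status plus the fix queue by assigned priority."""
    status = Counter(d["status"] for d in decisions)
    fixes = Counter(d["assigned"] for d in decisions if d["status"] == "accepted")
    return {"status": dict(status), "fixes_by_priority": dict(fixes)}


if __name__ == "__main__":
    results = triage(SAMPLE_REPORTS)
    for d in results:
        print(d)
    print(summary(results))
```

Of the five constructed submissions, only two reach the fix queue (one P1 and one P5), which is the pattern the article describes: most of the triage effort goes into sorting duplicates, unverifiable reports and informational findings away from the minority that actually needs a fix, and the researcher’s claimed priority is recorded but never used for the assigned one.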
Bugcrowd has established the open-source Bugcrowd University, where penetration testers of all levels of experience can learn more about professional security testing. Bugcrowd also spoke of helping its customers adopt secure development lifecycle (SDL) training and practices to reduce the number of vulnerabilities to start with. SDL training is badly needed because most universities don’t include much, or any, security awareness training in their developer programs. It’s a huge gap that Bugcrowd is trying to fill.
Choosing a crowd-sourced penetration testing partner
First, decide on what type of services you need, how often you need them, and how much you have to spend. Decide if crowdsourcing fits within your risk model. If it does, consider a crowdsourcing firm that can manage the process and eliminate much of the risk. Then reach out to one or more of these companies to get more details about each of their offerings, their platforms, fees, and professional management process. Much of the value of each organization is in its platform, its processes, and the way it vets and places the hackers who will be performing the services.
You want to be able to trust that you’ve got professionals doing the job with the utmost professionalism and confidentiality. I think any of the top crowdsourcing companies will give you that above and beyond what you could get by trying to contact some hacker or group of hackers independently.