It takes a crowd to secure the attack surface. Detectify collaborates with the Crowdsource ethical hacker community to power a fully automated external attack surface management solution. This is a guest blog post from Crowdsource hacker Luke “hakluke” Stephens on why he believes crowdsourced security is now a necessity.
Cybersecurity is a weird industry. The ultimate goal of the industry should be to eradicate itself, yet somehow we’re half a century deep and things aren’t showing any signs of slowing down. Quite the opposite! Today the cybersecurity market size is around $220 billion USD, and is forecasted to grow to $345 billion USD over the next 5 years.
One of the fastest growing trends within the cybersecurity industry is the adoption of crowdsourced security as a means of bolstering existing security programs. This market alone was valued at USD 90 million in 2019 and anticipated to grow to USD 135 million by 2024.
Crowdsourced security talent actually has many facets including:
- Bug Bounty Programs (BBPs)
- Responsible/Vulnerability Disclosure Programs (RDP/VDPs)
- Crowdsourcing 0days (0-day brokers)
- Crowdsourcing payloads for automated scanners (Detectify)
- Crowdsourcing malware (VirusTotal)
And the big one:
- Cybercrime
Yep! When you think about it, cybercrime is just crowdsourced security without any of the ethical elements – and that is exactly why crowdsourced security is so successful. The reward structure mimics the way that cybercrime operates more closely than traditional security testing methods do. Both bug bounty hunters and cybercriminals are motivated to successfully exploit impactful vulnerabilities in an organization, because that is the only way they get paid.
The remainder of this article will be a list of reasons why crowdsourced security is such an important facet of a healthy security program in 2021.
If you’ve worked on the security team of a large organization with a huge attack surface, you know first-hand how difficult it is to keep tabs on an ever-changing attack surface, let alone keep those assets secure. Crowdsourced security is the ultimate solution to this problem. It is your way of employing an army of humans to help you in the pursuit of defending your kingdom.
Another reason that crowdsourcing in cybersecurity is becoming more necessary is the diverse range of expertise that it brings to a security program. Technology stacks are getting more complex as time goes on, and we live in an age where there is virtually infinite technology that we can utilise to achieve a simple task.
A basic, typical web application today might utilise:
- A frontend JS framework
- An application server
- A backend framework
- A backend server
- A database server
Every technology in this stack may be prone to vulnerabilities that are specific to that technology, so it makes sense that someone who specializes in a given technology is likely to find more vulnerabilities in your implementation of it than someone who does not. If you order a penetration test on an application using this stack, there is very little chance that the penetration tester will be an expert in all of the technologies being used.
On the other hand, if you offer a bug bounty or monetary rewards to anyone who finds a vulnerability in your application, it is likely that out of the crowd of people who test the application, there will be at least one expert in each technology that you utilize. This type of testing is not only preferable, it is absolutely paramount to the security of the application.
Penetration tests are usually timeboxed, i.e. a set amount of time is designated to a specific scope. A fairly average engagement for a web application would run for five days. In that time, the penetration tester will aim to get as much coverage on a web application as possible. Unfortunately, this is not really enough time to go into extreme depth, which often results in some attack vectors not being fully explored, simply because the vectors are too complex or time consuming.
Bug bounty programs usually do not have the same time constraints because they are typically ongoing. This mimics the capability of a motivated attacker more closely. The lack of time constraint combined with the motivation to uncover highly-paid vulnerabilities creates a perfect breeding ground for complex, critical bugs to be uncovered.
Continuous monitoring is another essential component of a good security program. There are really only two economically viable ways of achieving this:
- Utilizing automated discovery and scanning
- Crowdsourcing security testing
Ideally, both would be utilized. As it turns out, Detectify is an automated security scanner that utilizes crowdsourcing for payloads, so by utilizing Detectify you are reaping many benefits from both sides!
Most of the top bug bounty hunters will tell you that many of their best bugs were discovered through collaborations. Perhaps one of the most underrated features of bug bounty programs is that they allow (and encourage) hackers to collaborate. The lack of time constraints, competitive environment and motivation to find impactful bugs fosters an environment where it literally pays to form tight-knit hacking groups.
Each team member will have different experience, knowledge, and workflows that often complement one another in the pursuit of uncovering vulnerabilities. This is essential to the success of crowdsourcing cybersecurity. As the old saying goes, “two heads are better than one”.
If you want to witness the power of crowdsourcing, there is a publicly available track record of smashing success. Disclosed vulnerabilities on major bug bounty platforms are a hotbed of critical vulnerabilities in some of the world’s largest organizations, and despite the excellent security of Apple’s iOS, 0-day brokers are not having any trouble sourcing full-chain exploits because they are offering $2,000,000 for them.
Detectify is the best of both worlds. Detectify maintains a global network of ethical hackers who generate payloads for their automated scanning solution, and then they make that solution available to you. Using Detectify puts the power of an army of ethical hackers right into the hands of your engineers, 24/7.
My name is Luke Stephens but most know me as hakluke. I am currently living on the Sunshine Coast, in Australia. I recently resigned from my role as the Manager of Training and Quality Assurance for Bugcrowd to start my own consultancy, Haksec. I do a lot of penetration testing and bug bounties and create content for hackers. Check out my Youtube channel.
There is no silver bullet when it comes to protecting your external attack surface or your web applications. You need a modern security toolbox that leverages crowdsourced security to help you continuously monitor and scan your assets for anomalies. Automated vulnerability scanning tools like Detectify complement bug bounty programs and manual pentesting by maintaining a constant baseline of automated security testing. See what Detectify will find in your attack surface with a free 2-week trial. Go hack yourself!