Pentesting and/or Bug Bounty Program?
Not a day goes by without hearing of a new incident or data breach. Companies know they need to protect themselves, but how? Pentesting and bug bounty programs are often pitted against each other as mutually exclusive solutions. But we believe these two complementary approaches are both needed in the fight against cyber criminality.
Pentesting: an inside-out, white box approach
For many companies, pentesting is an integral part of their security arsenal. They know what it is and how it works. Pentesting is an inside-out, white box approach, which is done at a specific point-in time.
Often, pentesters start by talking to the engineering team and other people involved in the development process to find out about the source code, architecture and development processes. By taking a detailed look at the setup, they are able to see areas that are potentially flawed.
Because the focus is on potential, including theoretical threats, the result of a pentest is often a long list of problems. The findings include items that are currently not problems, but which could become problems in the future. It is extensive, but less easily actionable. It is also a point-in-time check. If a new release goes into production after the pentesters leave, new problems may be introduced that were not covered by past tests.
Bug Bounty program: outside-in and black box
A bug bounty program harnesses the crowd intelligence of ethical hackers to find existing security vulnerabilities in a company’s applications. Reported vulnerabilities are cross-checked and verified. Validated findings are rewarded with a cash payment, or bounty.
Unlike in pentesting, security researchers in a bug bounty program don’t necessarily have access to the source code or to the developers. Without deep knowledge of the systems, they approach the system with curiosity and an experimental mindset.
The result of a bug bounty program is generally a much shorter list, the key difference being that is it a list of actual security vulnerabilities that can be misused right now. Another key difference is that there is continuous checking of applications, so updates and new releases are included in the process. Organisations are sometimes wary of inviting hackers to target their applications, but the reality is that this is happening in an uncontrolled way all the time - so better to get a leg up and discover vulnerabilities before they can be exploited.
Find out more about Pentesting and Bug Bounty programs on October 27 at the Cybero Experts talk in Bern.
Participation is free, but you must register to save your spot for the talk and apéro.
16:30 - 17:30, with Apéro
Die Mobiliar, Bundesgasse 35, 3001 Bern