Penetration Testing & Bug Bounty: Key components of your cyber security toolbox
In the October 27, 2022 panel discussion, security experts debated two tools that lead to increased cyber resilience: Pentesting and Bug Bounty.
Every day, new cases of data leaks and security vulnerabilities are reported. It is not a question of whether, but when a company will be attacked by cybercriminals. Everyone has critical vulnerabilities. Cyber security is about being aware of them and minimizing the risks that are most important to your business. During the Cyber Expert panel discussion on October 27, 2022, security experts Sophus Siegenthaler, Managing Partner and IT Security Engineer at cyllective; Michael Schläpfer, Security Expert and Chief Hacking Officer at bug bounty provider GObugfree; and Antoine Neuenschwander, Head of Bug Bounty at Swisscom, discussed two tools that lead to increased cyber resilience: Pentesting and Bug Bounty.
Cyber security demystified
The event was organized by cybero, an initiative of Mobiliar. Cybero aims to provide cyber security support to small businesses, which are increasingly being targeted by hackers. Nicolas Germiquet, Initiative Leader at cybero says, "The topic of cyber security is complex. We aim to simplify and democratize the topic so it's accessible to all." Through easy-to-understand analysis tools such as the cybero Check and cybero Score, SMEs can conduct a situation analysis and determine their risk profile. Afterwards, initial measures are proposed and service packages are offered that are tailored to needs and cost-effective.
In line with its goal to demystify cyber security, cybero supports knowledge sharing through events such as the Cybero Experts Series. On October 27, the focus was on pentesting and bug bounty.
Pentesting: a deep and profound investigation
A penetration test (also called a pentest) is an active test of security. With this testing method, testers target individual components or the application as a whole to determine whether vulnerabilities within or between components can be exploited to compromise the application, its data, or its environmental resources.
Sophus Siegenthaler, Managing Partner and IT Security Engineer at the company cyllective, explained the different forms of pentests and how they are applied. In a white-box approach, experts have a lot of information (such as configurations, source code and diagrams) about the target system, whereas in a black-box approach they have no information at all. The white-box approach is ideal for initial testing. It allows the pentester to get a holistic overview much more efficiently, resulting in a better cost-benefit ratio. A grey-box test (with some information about the system) is excellent for selective testing of individual aspects. A black-box approach is very close to reality, as the pentester encounters the same scenario as a real attacker.
The advantages of pentesting are customer proximity and a wide range of applications. Through extensive discussions with the customer, one gets to know their exact needs and can test effectively and in a structured manner. Siegenthaler comments, "We work closely with customers to create a common understanding of the risks." This type of testing is universally applicable; it can be used to test any scenario, whether it is internal to the company, or involving the company with all its surrounding systems and external partners.
Bug Bounty: proven effective
In security testing, there are some instances where traditional approaches come up against their limits. In such cases, a bug bounty program can help. As early as 20 years ago, Netscape (then known for its web browser Navigator) launched an internal bug bounty program. The company invited its employees to take a closer look at the system, report bugs, and receive a reward for doing so. It was an interesting and effective approach that gained momentum only years later.
Today, many companies consider bug bounty programs to be an effective addition to their existing security approaches. Friendly hackers test a defined scope using predefined rules of the game, and their confirmed finds are rewarded with a monetary payment, a bounty.
Michael Schläpfer, Chief Hacking Officer of GObugfree, describes two major advantages of bug bounty programs. On the one hand, the tests take place on an ongoing basis. Instead of a one-time snapshot, this method provides a continuous overview of the system and current threats. In this way, companies gain uninterrupted insight into any vulnerabilities in their systems and can derive the right measures accordingly.
The second aspect is collective intelligence. Hundreds of specialists, each with special tooling sets, probe deeply into problems. In itself, it's not a holistic approach; the holistic aspect comes from the entire community. The more angles, the more chances to find potential weaknesses. And, not to be forgotten, Michael adds, "A bug bounty program increases internal awareness of cyber security. Both among developers and vendors."
A hacker's perspective
Antoine Neuenschwander is a Friendly Hacker himself, as well as being Tech Lead Bug Bounty and Security Incident Responder at Swisscom. Swisscom has the oldest and largest bug bounty program in Switzerland, as well as pentesters. For Antoine, IT security is a bit like magic. Inspired by James Bach's description of testers, Antoine says, "Hackers don't break the code, they break your illusions about the code." Thus, developers and friendly hackers hold opposing views: Development is all about building; the Friendly Hacker, on the other hand, wants to take everything apart.
Antoine is quick to dismiss the image of the hacker as a criminal figure in a hoodie. The family man and avid Friendly Hacker asserts, "There are plenty of people with the skills to break into systems without becoming criminals." The bad kind of hacking is organized crime. On the black market, you would receive about 10 times as much as when reporting a vulnerability through a bug bounty program. Still, hackers should be ethical. "We shouldn't have to talk about ethical hackers. Non-ethical hackers are criminals," he says.
When Pentesting, when Bug Bounty?
In short, maturity is critical. If there is no security testing and there are no processes in place, the first step would not be to introduce a bug bounty program. There are better tools for this stage, such as a situation analysis. Once processes are in place and the first findings from a vulnerability scan or pentest have been handled, a bug bounty program can be used as an additional security measure.
Whereas pentesting can also be used for internal company applications, bug bounty programs are usually used only for testing publicly available systems. Caution is advised when testing internal systems.
Bug bounty programs and pentesting are not "stand-alone" solutions, but rather complement a robust security environment. According to Michael Schläpfer, "A bug bounty program is complementary; you use it to find vulnerabilities that you haven't found yet."
What’s next?
As mentioned at the beginning: everyone has critical vulnerabilities. As a company, the question to ask is not "How important am I to hackers?" but "How important is the data to my organization?" and "How prepared am I if an attack occurs?"
Bug Bounty and pentests are two tools that help provide clarity about your risk situation. But that doesn't necessarily mean eliminating all risk. Rather, it is a matter of consciously dealing with these risks and making clear risk management decisions.
In times of continuous deployment and given the pressure to constantly release new features, it makes sense to conduct regular pentests and, in parallel, to run a bug bounty program.
Watch the discussion (in German)