Crowdsourced security and bug bounty adoption is spreading

There continues to be a fundamental imbalance in cybersecurity. Attackers are finding new ways to penetrate cyber defenses as targets proliferate to the cloud, mobile, and connected devices. Defenders need to take a proactive security approach.

The evolving threat landscape and the ever-widening security skills gap are giving rise to new approaches such as crowdsourced security. Crowdsourcing is fast becoming a foundational element of any organization’s cybersecurity program and security development lifecycle.

Bugcrowd and analyst firm Enterprise Strategy Group conducted a survey of 200 CISOs (Chief information security officer) and cybersecurity decision makers. The report highlights challenges with current application security testing methods, crowdsourced security adoption and benefits, and DevSecOps adoption within the enterprise.

We sat down with David Baker, CSO at Bugcrowd, to learn more about the latest report, in addition to current application security trends and the evolution of crowdsourced security programs.

ADM: What are CISOs top priorities for 2019? Concerns?

Baker: Challenges continue with consistently expanding attack surfaces, budget constraints, and scarce skilled resources. To address this, in 2019, it’ll be about doing more with less - leveraging automation, managed services, and integrated SaaS solutions to force multiple security posture. CISOs must take proactive measures to secure the enterprise despite growing attack surfaces and limited staffing.

ADM: Why is application security so important right now?

Baker: The increasingly mobile workforce, cloud adoption, and the internet of everything are creating more apps with security vulnerabilities. Meanwhile, adversaries are also getting more advanced, leading to a fundamental imbalance in cybersecurity between attackers and defenders.

ADM: The cyber skills gap has been an ongoing issue for the industry - what will it take to help close the gap?

Baker: Research indicates there’ll be 3.5 million unfilled cybersecurity positions by 2021. Organizations can look to embed the security job into all business units. A good example of this is how DevOps teams have adopted DevSecOps personnel that often dotted-line report to security leadership. Education and “Security Champion” initiatives are another way to help tackle this long-standing issue. Organizations can establish internal education programs for their employees or sponsor external programs for the security community at large. For instance, at Bugcrowd, we host Bugcrowd University, offering free, open-source, educational content and training. We also regularly partner with local universities to host meetups and hack sessions.

ADM: We hear the term DevSecOps thrown around a lot - what's in store for its future?

Baker: Containerization and Orchestration are expanding the capabilities of the DevOps teams. Scale, speed, and automation along with managing complex streams of operational telemetry - typically found in a platform like Facebook - are becoming more and more ubiquitous to everyday DevOps teams. These tools are very complex pieces of software, and like all software has bugs and security flaws. The crowd of security researchers is becoming more and more adept in identifying flaws (see recent Kubernetes security flaw). I think the future will see a new breed of researchers that focus on software-defined infrastructure flaws.

ADM: Will applications ever be completely secure?

Baker: As long as humans are developing software, no. The proliferation of IoT is showing that many of the vulnerabilities identified during the advent of web applications are recurring again. It also comes from the pressures of pushing a product out quicker and quicker, leading to more possible errors in code.

ADM: How has crowdsourced security evolved over the years, and what have been some of the key drivers?

Baker: While bug bounty programs have been used for over 20 years, widespread adoption by enterprise organizations has just begun to take off within the last few years. The misperception of “hackers” has caused many enterprises to feel crowd fear. That said, we are moving away from that now security has seen wider consumer awareness and understanding, and the term “hackers” has become less obscure. Now, enterprises like Slack are moving to replace their external-commissioned penetration tests with their bug bounty programs.

ADM: Are there particular industries more ahead of the curve when it comes to adoption of crowdsourced security? Tell us about some of your current customers.

Baker: New technology companies are definitely ahead of the curve as they have been adopting crowdsource security for almost a decade now. Some are leveraging the crowd to scale their small-startup-esque security teams while some are leveraging the crowd to multiply their already large security teams. That said, crowdsourced cybersecurity is certainly not exclusive to technology companies. According to our survey, nearly half (42 percent) of respondents from industry verticals other than technology currently running a crowdsourced cybersecurity program and another 24 percent are expecting to run one within the next year.

Bugcrowd currently works with customers in more than 50 industry sectors in over 30 countries including Fiat Chrysler Automobiles, Fitbit, Atlassian, Etsy, Netflix, Tesla, and more.

ADM: What motivates CISOs to adopt bug bounty programs?

Baker: The ability to do more with less. Bug bounty programs allow CISOs to incorporate penetration testing 24x7x365 to their in-scope attack surface, on top of point-in-time tests. With the help of the Crowd, CISOs pay for results rather than for consulting hours. Nearly half of survey respondents cite paying for valid results rather than effort or time as the top value of the crowdsourced model. While collaborative, it’s also competitive between whitehat hackers - the first to find vulnerability is the first to get paid. This ensures more vulnerabilities of higher criticality are identified faster for organizations deploying bug bounty programs.

David Baker brings over 20 years of experience in enterprise data security, information technology, and government computer research to his role as Bugcrowd CSO. Prior to Bugcrowd, David served as the CSO at Okta. He was responsible for the security of Okta’s service, helping the company ensure customer success and solving the security challenges enterprises face as they evolve operations into the cloud. Prior to Okta, David served as the Vice President of Services at IOActive and Security Architect at Webex Communications. David started his professional career as a research scientist in Computational Fluid Dynamics at NASA Ames Research Center.