Crowdsourced Pentests: The collaboration at the heart of cybersecurity

The search for security vulnerabilities is an essential requirement of any cybersecurity policy. But it is far from being the only requirement: you also need to test systems and apps regularly and thoroughly, in order to ensure that malicious third parties cannot penetrate them for their own advantage.

Out-of-control risks

These principles, applicable for as long as IT has existed, are more relevant now than ever because of the strong usage trends we can observe: the cloud, mobility, working from home, e-commerce, the complexity of IT systems, the diversification of the terminals used to access apps or data, the shortage of cybersecurity skills, and even "time to market" pressures that lead to "Security by Design" being neglected. All this against a backdrop of geopolitical tensions that encourage system penetration attempts. Gartner analysts described these trends as "out of control for organisations" during their November 2020 Symposium (1).

Admittedly, companies are increasingly aware of the risks, devoting on average 6% of their IT budget to cybersecurity (2). On average, they use 47 different cybersecurity solutions, and one company in ten manages more than one hundred (3). Despite these investment efforts, there remains a large margin for improvement before systems and apps are really secure: according to a study by Wavestone, the average time between an intrusion and its detection remains 94 days (compared to 167 days in 2019), and only 24% of security incidents are identified by companies' internal teams. According to AttackIQ, half of CISOs admit that they are unsure of the effectiveness of their cybersecurity tools! (3)

The rise of collaborative security

The continued growth of cybersecurity investments and the persistence of vulnerabilities create a paradox: a company investing heavily does not see its cybersecurity improve by the same margin. In fact, the approach needs to change. The growth of Bug Bounty operations is one such change: their DNA relies on collaboration to identify security flaws, thanks to a community of hackers who are best placed to find them. The efficiency and profitability of a Bug Bounty no longer need to be proved.

This collaborative approach is now starting to be applied to Pentests, the cybersecurity technique most used by companies: it involves calling upon specialised firms to carry out an audit using standardised methodologies and to produce a report analysing the strategies tested and the vulnerabilities discovered.

For MarketandMarkets Research (4), the global Pentesting market represented 1.7 billion dollars in 2020. It should reach the 4.5 billion mark by 2025, an average annual growth of 21.8%, and close to 6 billion dollars in 2027, according to the analysts of Verified Market Research (5).

Within this market, we can see the rise of Crowdsourced Pentesting, which calls upon a community of elite hackers, carefully selected through a collaborative platform. The objective is to digitalise part of the Pentest to make it more responsive, simpler and more efficient. We are already witnessing a transformation of the market, with crowdsourced Pentesting growing in importance on all projects of low or medium complexity. This is already visible in the United States (6), where crowdsourced Pentests now represent a quarter of the market, compared to 39% for traditional penetration tests, the rest being undertaken by internal teams or by a mixture of the two.


Crowdsourced Pentests: decisive assets

Conducting Pentests in an agile manner, by leaning on a community of hackers, is in step with the times, in a context where speed of action and agility are crucial to limiting risk. This is logical, because compared with the traditional approach, Crowdsourced Pentests offer the following advantages:

- Agility and simplicity: Implementing a traditional Pentest requires around three weeks, because it means coordinating different internal resources with the provider. A Crowdsourced Pentest, which responds to more occasional security requirements, can be operational in one or two days. This agility is reinforced by the fact that during a Crowdsourced Pentest, vulnerabilities are reported progressively on the collaborative platform as they are discovered, unlike a classic Pentest where the company discovers the results only on receipt of the consultants' report. Agility is synonymous with simplicity: once the duration, budget and perimeter of the Pentest are determined, the selected hacker can get to work!

- Expertise: What could be better than calling upon a community of hackers to carry out Pentests? They are the most likely to know where to look and how to penetrate a system or an app, because a community will always be more creative and more diverse in its abilities than a classic Pentest team. In a collaborative Pentest, the hacker with the skillset best suited to the problem is the one selected. Furthermore, as app development increasingly follows agile methodology, the question of keeping expertise up to date arises: the hackers are always one step ahead. Moreover, for an equal budget, the number of important or critical vulnerabilities discovered is three times higher with the Crowdsourced Pentest approach than with a classic approach.

- Availability and adaptation of resources: The resources offered by a specialised provider of traditional Pentests are not elastic, which can cause an expertise deficit or availability problems at the moment the Pentest is required. While demand for Pentests keeps increasing, it is not always possible to wait several weeks in the hope of obtaining the right resource.

- Interactivity: With Crowdsourced Pentests, the company's internal teams can interact at any time with the hackers in charge of the tests, in a transparent and documented manner.

- Centralisation of knowledge: The findings from the community of hackers are stored and centralised on a platform (for example Yogosha's), so that they remain accessible whenever required, notably when new Pentests are necessary and it is important to draw on the records of previous Bug Bounty operations, or to optimise the transfer of skills.

- DevSecOps integration: By going through a collaborative platform such as Yogosha, you benefit from native integration with development management tools such as Jira or Gitlab. Vulnerability reports are directly accessible, for more agility and for the integration of security into your development work.

The objective of a Crowdsourced Pentest can be summarised as winning the race against detection and reaction time. The University of Maryland teams (7) calculated the average time before a new attack occurs... it is just 39 seconds!

If you wish to know more about Crowdsourced Pentests and what Yogosha can offer you, contact our experts.