When to pentest, when to scan and when to put a bounty out
- 30 October, 2015 11:34
Following on from one of my previous posts, the relevance of penetration testing is undergoing alot of scrutiny with the rise of bugbounty programs. I agree with these programs based on a single premise- I have a very specific method or mindset of performing activities and testing, the limitations of which will not meet the needs of larger organisations with very well matured applications or a large attack surface. Using a number of high quality resources will only increase the assurance process. As an occasional participant in bug bounties the learning opportunity is massive; I am exposed to applications and sites that I would otherwise be unable to interact with. Having stated this, bug bounties are not for everyone.
Where theres a high demand for secrecy (as is the case for relatively inaccessible environments), a lower level of security maturity or where a test has not taken place, Bugbounties may not be the answer. Indeed, in the latter two, preparing stakeholders for the exposure to security is a challenge in itself; I encounter organisations that also need to be prepared for the realities of the offensive security environment and, should e-commerce or technology feature heavily in their operations its my responsibility as a penetration tester is to get them to a point where they can be exposed to public scrutiny an. On top of this specific or bespoke types of testing such as physical security, internal penetration testing, social engineering or anywhere that has a significant exposure to your wider organisation needs to be managed in order to not undermine the organisations ability to operate.
By that same token, Both manual processes can be overkill. Sometimes a "lighter" test activity is all thats required. I say this because as a tester myself I have found that my services have been poorly applied. An extended engagement against a static environment that uses known best practice security configurations and is regularly patched does not require an abundance of time and effort out of hours to provide assurance over. Regular vulnerability assessments are all that is required in these instances.
I offer the following guidance regardless of what strategy you take:
- Be open to the reality that people are looking at your applications regardless. Include a vulnerability disclosure policy and prepare the technology and marketing sides of your organisation accordingly.
- Cost effective testing is dependent upon your level of organisational maturity. A bug bounty may prove more expensive than a tester if a bounty hunter knows that all they need to do is continually exploit a similar class of vulnerabilities across a number of environments.
- Certain activities do not demand expertise; just hit these with a Vulnerability Assessment and save your money for more important (and interesting) tasks.
Need help making the right choice for you business? Need to update your system but don't know where to start? CSO can help, check out our security hub today.