TRENDING:

Governance & Risk Management , IT Risk Management , Next-Generation Technologies & Secure Development

Beyond Bug Bounties: Crowdsourced Security Testing Evolves

Bugcrowd's David Baker on Targeted 'Researcher Grants,' Waning 'Crowd Fear' Mathew J. Schwartz (euroinfosec) • June 13, 2019    
David Baker, CSO, Bugcrowd

Crowdsourced bug bounty programs help organizations identify severe flaws in their IT infrastructure, apps or other code. Now, that model is being used to help organizations perform more widespread security testing, including penetration testing as well as deep dives by single researchers, says Bugcrowd CSO David Baker.

See Also: JavaScript and Blockchain: Technologies You Can't Ignore

"Traditionally ... you've had a large group of people sort of gamified - the first one to find a bug gets paid, and so that tends to work very well," Baker says.

But as technology evolves and more web and mobile applications rely on APIs, more specialized types of technology review and testing need to be brought to bear, he says. That's given rise to Bugcrowd's more "gig economy" approach, called researcher grants. "We will give a certain researcher a certain aspect of that technology to look at and research," Baker says, and then that researcher will produce a report with detailed findings that can also be used to also satisfy audit requirements.

In a video interview at the recent Infosecurity Europe conference, Baker discusses:

  • The state of the crowdsourced security testing market;
  • The evolution in trust as well as reward mechanisms;
  • The role of penetration testing.

Baker is CSO of Bugcrowd. He has more than 20 years of experience in enterprise data security, IT and government computer research.

Previous
Top Drivers for Privileged Account Management
Next
Proactive Mitigation: A Cybersecurity Imperative

About the Author

Mathew J. Schwartz

Mathew J. Schwartz

Executive Editor, DataBreachToday & Europe, ISMG

Schwartz is an award-winning journalist with two decades of experience in magazines, newspapers and electronic media. He has covered the information security and privacy sector throughout his career. Before joining Information Security Media Group in 2014, where he now serves as the executive editor, DataBreachToday and for European news coverage, Schwartz was the information security beat reporter for InformationWeek and a frequent contributor to DarkReading, among other publications. He lives in Scotland.



Around the Network

Protecting the Hidden Layer in Neural Networks
Protecting the Hidden Layer in Neural Networks
The Persisting Risks Posed by Legacy Medical Devices
The Persisting Risks Posed by Legacy Medical Devices
Whistleblowing Brings Visibility to the Role of CISOs
Whistleblowing Brings Visibility to the Role of CISOs
Securing the SaaS Layer
Securing the SaaS Layer
Organization-Wide Passwordless Orchestration
Organization-Wide Passwordless Orchestration
Craig Box of ARMO on Kubernetes and Complexity
Craig Box of ARMO on Kubernetes and Complexity
David Derigiotis on the Complex World of Cyber Insurance
David Derigiotis on the Complex World of Cyber Insurance
Showing Evidence of 'Recognized Security Practices'
Showing Evidence of 'Recognized Security Practices'
How 2U Inc. Is Fortifying Its Systems and Solutions Designs
How 2U Inc. Is Fortifying Its Systems and Solutions Designs
Are We Doomed? Not If We Focus on Cyber Resilience
Are We Doomed? Not If We Focus on Cyber Resilience

Continue »

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing databreachtoday.com, you agree to our use of cookies.