Bugcrowd Inc. continued its expansion beyond bug bounty and vulnerability disclosure with a new, member-driven penetration testing service.
Citing a need for penetration testing services that fit into enterprises' operational and budgetary models, the company launched the Bugcrowd Classic Pen Test. The new service is based on the same crowdsourcing platform Bugcrowd uses for its outsourced bug bounty and vulnerability disclosure programs and enables organizations to launch pen tests in less than 72 hours, according to the company.
One component of that platform that enables those reduced lead times is Bugcrowd's CrowdMatch technology, which is essentially a matchmaking service that connects enterprises with verified members of the company's platform who have the skills and expertise the enterprise is seeking.
"It's really about finding the right crowd. We have this large database of people with their skills, and what they are interested in working on. We have trust levels, ID, background verification and more," said Mark Milani, global head of engineering at Bugcrowd.
Using the crowdsourced model will help Bugcrowd avoid some of the traditional problems enterprises face with pen testing, Milani said. "Typically, they have salaried pen testers and long lead times and delays, and maybe those pen testers have the skills, maybe they don't. Then you have, on top of it, the setup times that it takes to do a traditional pen test; those have all been reduced."
Bugcrowd focused on penetration testing services when it launched in 2011 and later shifted more into bug bounty programs. The company launched its Next Gen Pen Test service in 2018, which is on-demand and based on incentivized pricing. The new Classic Pen Test is more about prescriptive pricing; in other words, Milani said, the Classic Pen Test service features a flat rate, instead of paying the members according to the results of the test.
Pen tests can be expensive, not only in the initial price of finding and contracting a tester, but also in terms of operational delays and the effort needed to integrate the findings. According to Milani, the crowdsourcing component can help fill some of the gaps that smaller organizations have.
"Certainly, in midmarket, people are coming to us and saying the scheduling is too far out and it's too expensive. In a small company, you need to rotate pen testers," Milani said. "With the crowd, we can rotate them ourselves because we have a flexible workforce. Our view is we believe we can bring a lot of capabilities with what we can do with crowd. We can lower the cost and then bring high value, because we're bringing the crowd in who has been matched to your case."
In an interview at RSA Conference 2020 earlier this year, Bugcrowd Founder and CTO Casey Ellis said the company would explore new ways to utilize its hacker community to address organizations' needs amid the security workforce shortage. "We have years' worth of historical data about what makes a good hacker," he said. "There's this huge body of people that have answers to the questions this group wants to ask, so we want to make as many connection points as we can."