Pentesting, Bug Bounties or Automatic Scanning?
When it is time to release a new version of your online service (web application), you hopefully want to make sure your code is not vulnerable, so that you are not the next company in the headlines for a bad reason. There are several examples of companies that went bankrupt after a successful attack and a couple of weeks ago we witnessed one of the largest and most devastating breaches in history.
The world of application security includes many activities besides testing your application — training developers on secure coding and including security in all of the phases of the software development life cycle (SDLC) are some important steps that come to mind. However, the main focus of this post is to discuss security testing.
There are three popular solutions when it comes to testing the security of your service: Penetration Testing (pentesting), Bug Bounties and Automatic Scanning. Which ones should I use and when?
Penetration Testing is basically a security assessment of your web application and/or infrastructure, performed by security professionals. This form of testing is usually the most complete way of testing your web application and you should do it at least once a year, or after major code changes.
It is undeniable that some vulnerabilities can only be detected by humans; computers still cannot match human creativity. There are vulnerabilities that are really easy for humans to spot but really difficult for computers to detect.
For instance, imagine that after you log in to your online banking you see your account statement and your account details. You notice that the account number is part of the URL (something like bank.example?account=862173). Then you try to increment the account number and you observe that you get the account details of someone else (by the way, this is a real example). You immediately understand that this is not the correct behaviour of the application and that there is a problem. While this is obvious to you, it is very hard for a computer to detect, because it lacks context about the application. It would not be that difficult to write an algorithm to detect this particular problem, but this is just one of many examples that depend on a particular context. If the application were a news site and the parameter the ID of the story, then it would not be a vulnerability.
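As an added illustration (my own code, not from the post), here is the banking handler in Python with the missing ownership check beside the fixed version, plus a public news-story handler with the same URL shape to show why the context decides whether it is a bug; the account and story data are constructed.

```python
from dataclasses import dataclass
from typing import Dict, Optional


@dataclass
class Account:
    number: int
    owner: str      # username of the logged-in customer who owns it
    balance: int


@dataclass
class Story:
    story_id: int
    title: str


# Constructed sample data (hypothetical, not from any real bank or site)
ACCOUNTS: Dict[int, Account] = {
    862173: Account(862173, "alice", 1200),
    862174: Account(862174, "bob", 5400),
}
STORIES: Dict[int, Story] = {
    1: Story(1, "Local team wins"),
    2: Story(2, "Weather tomorrow"),
}


def get_account_vulnerable(session_user: str, account_number: int) -> Optional[Account]:
    """The bug from the post: the handler trusts the account number taken from
    the URL and never checks that it belongs to the logged-in user, so any
    authenticated customer can read any other customer's account."""
    return ACCOUNTS.get(account_number)


def get_account_fixed(session_user: str, account_number: int) -> Optional[Account]:
    """Object-level authorization: the record is only returned if the session
    user owns it. 'Not found' and 'not yours' get the same answer so the
    response does not reveal which account numbers exist."""
    account = ACCOUNTS.get(account_number)
    if account is None or account.owner != session_user:
        return None
    return account


def get_story(story_id: int) -> Optional[Story]:
    """Same URL pattern, different context: news stories are public, so
    serving story_id+1 is intended behaviour, not a vulnerability. A scanner
    cannot tell these two handlers apart without knowing which resources are
    private; a code review or a pentester can."""
    return STORIES.get(story_id)
```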
A good pentest will also involve automatic scanning. There are hundreds of different vulnerabilities and hundreds of different ways to trigger each of them. If the pentester does not use a tool to automate this process, he or she is not being efficient and will probably miss some vulnerabilities that automated tools would find.
When you want many different security researchers around the world to find vulnerabilities in your web application, you can create a bug bounty program. In this case, you pay for each vulnerability that is found and reported. The main advantage over pentesting is that you have many more brains trying to find a vulnerability in your application.
Keep in mind that this usually involves a lot of work on your end, because you will potentially attract a lot of researchers and you will most likely need one person working full-time to handle the burst of reports that you will get (verify if the vulnerability is real, message the researcher back and forth, handle payments, etc).
There are companies that manage bug bounty programs and will unload a lot of work off of your back.
An automatic scanner, as the name suggests, automates tests, in order to identify potential security issues in a web application. It can perform many different types of tests, but the most predominant type of tests rely on the injection of attack payloads and an analysis of the behaviour of the web application after each injection. The main advantage of automatic scanners is that they can scan your application frequently and methodically.
Automatic scanners are traditionally used by security professionals, to help them pentest applications by automating some of the tests. More recently, we have been witnessing a shift in the usage of automatic scanners from security teams to development teams. We believe that this shift is happening because of the emergence of cloud-based scanners that are easy to set up. This shift frees up the security team’s resources, allowing them to focus on more critical projects and provide more guidance on other phases of the software development life cycle (SDLC).
A development team that follows agile development approaches needs to be more independent. It releases new versions of its application frequently and uses continuous integration to create automated development and deployment workflows, all for the sake of efficiency. This is where our value proposition lies: Probely's main novelty is its approach. Unlike most competing solutions, which target security teams, Probely targets development teams instead, for the reasons mentioned above.
So, back to the first question: Which one of these three approaches should I use and when?
You have probably already deduced that all three complement each other. Pentesting is good because it uses human creativity to find security problems, bug bounties are good because they increase the number of human brains testing your application, and automatic scanners are good for testing your applications regularly.
It seems wise, and even obvious, not to start a bug bounty program before pentesting or scanning your application. Start with automatic scanning, do pentests annually, use the automatic scanner to provide continuity between them and, after reaching some security maturity, start a bug bounty program.
If you want to take your first step and start scanning your application, start your trial of Probely today.