Can Crowdsourced Security Replace PenTest? – Part 1
Crowdsourced Security (a security testing model that draws on a distributed pool of outside researchers instead of an in-house or contracted team) has become popular, to the extent that some companies have replaced the traditional pentest with a crowdsourcing platform dedicated to testing the security of their applications and infrastructure. Why has Crowdsourced Security become a trend, and what are its advantages and disadvantages? Which businesses should use it? Let’s find out in the following article.
I. What is Crowdsourced Security?
Basically, it is an extension of traditional security testing (pentest) on the human-resources side. Instead of relying on a single pentester with one skill set and one methodology, an entire community of researchers takes part in the testing process, which limits some of the weaknesses inherent in traditional security testing.
Now, instead of one expert tester, you have dozens or hundreds of experts working in parallel to find vulnerabilities in your website. That is the strength of Crowdsourced Security.
II. Weaknesses of traditional Pentest
Pentest (penetration testing) has been known as a security solution for a long time. Companies use this method to have their products attacked by professional hackers before real attackers get to them. Unfortunately, the method has several inherent weaknesses.
Continuous development and delivery cycle
Security testing has traditionally been an annual activity for many companies, and it no longer keeps up with the pace of deployment. Weekly and daily releases keep the software constantly changing. A security test gives a rating at one specific point in time, but every update can bring new features, and new features bring new vulnerabilities. Those vulnerabilities can make the result of a traditional security test out of date in less than a week.
The most obvious workaround is to test regularly. However, few companies have the financial resources to sustain this, especially since you still pay for the engagement even when it discovers no vulnerabilities.
Pentesters have to work under time pressure
Time is a luxury for pentesters. In a typical 5-day security test, one day goes to writing the report. Another day is usually spent running automated tools to collect data about the target. That leaves three days for manually finding and exploiting vulnerabilities.
Even when a tester notices a suspicious error message, possibly the sign of a vulnerability, they may have to leave it uninvestigated because of the time constraint.
Skills and Testing Methods
We all know that technology platforms have become more complex, more diverse, and faster-changing. A pentester who can easily test a PHP application with a SQL backend and an Angular.js frontend may have a hard time with Ruby, or with learning the features of EmberJS.
In addition, the same tester may also have to cover a content distribution network and the cloud storage configuration, and you can see why one individual is unlikely to spot every flaw in a single attempt. Many companies are well aware of this problem and offer a solution: ‘rotate’ security testing, so that someone else performs the next test and different bugs get found.
This does solve the problem, but on a very small scale compared to Crowdsourced Security. The problem with testing rotation in companies is the shortage of pentesters. I’ve seen this rotation process lead to a situation where the same pentester ends up testing the same page as last year.
This makes the situation worse than it seems. It is also the reason why nobody in the information security industry has ever seen an empty security test report. Everyone in the industry is obsessed with having ‘something’ to put in the report, even when there is nothing worth reporting.
This is why you will come across security test reports filled with findings of little value that cannot be exploited in practice.
This is a mistake of our own, as an industry and as security professionals. Traditional security testing companies have become complacent and pad every report with ‘flaws’, simply out of fear that a competitor will write a ‘better’ report with more “flaws”. It is mutual self-harm that drags down the value of both companies’ work.
Similarly, customers rarely push back or ask for proof; they simply pay. This comes from a lack of security knowledge and from not accurately understanding the risk posed by each type of attack.
Cost and lead time
Recruiting and retaining pentesters is expensive. There are not many of them, because the job requires many combined skills, and so pentester salaries are very high. Besides, a security test has to be planned 4 to 6 weeks in advance, and this lead time grows when the requirements become more ‘specific’: for example, you have only one mobile application that you want tested, or you need reverse engineering of a certain “product A”.
In short, these are the problems and challenges that traditional security testing faces today. Follow the second part to see how Crowdsourced Security testing addresses them, and whether this approach can completely replace pentesting.