
Bug programs: Giving business a security reality check


Globally, the rise of cyberattacks is expected to cost $6tn this year, based on research conducted by Cybersecurity Ventures.  

Here in the UK, fraud and cybercrime saw a threefold spike in the first six months of 2021, according to figures from the National Fraud Intelligence Bureau. In total, £1.3bn has been lost by businesses, compared to £414.7m in the previous year, and reported instances of cybercrime have seen a seven-fold increase, going from 39,160 to 289,437.

In a business age where every company, big or small, relies on the internet to operate, none are exempt from a potential attack.  

While it’s easy for organizations to be lulled into a false sense of security because they’ve yet to experience a successful attack, the reality is that it’s only a matter of time. To stay ahead of attackers and tackle the cybersecurity challenges of tomorrow, enterprises need to ensure the right protection is in place. 

Goodbye to penetration testing  

One method businesses are using to grow safely and mitigate the harsh impact of cyberattacks is vulnerability assessment. Within that, one of the best ways to be better prepared is application testing.

Traditionally, this would have been done through penetration testing and certifications. While these are essential in providing ‘stamps’ that can be shown as evidence to businesses, they are increasingly proving to be outdated. In comparison to other vulnerability assessment tactics, pentesting is expensive and can be complicated. What's more, it can inadvertently widen the security threat window because of the lack of ongoing validation: the long gaps between each test leave organizations exposed to security risks in the meantime.

So, without pentesting how can businesses successfully assess the vulnerabilities they may be facing? The answer lies in bug bounty programs.

Hello to bug bounty programs  

With a bug bounty program in place, whether it is private or public, organizations have access to several thousand ethical hackers who can detect application and infrastructure vulnerabilities and send real-time updates.  

With pentesting increasingly relegated to the past, and bug bounty programs making their way to center stage, let’s explore the three ways these programs can give businesses a much-needed security reality check.

Building trust with customers and stakeholders  

Gaining consumer trust has become a pivotal element for businesses in achieving digital success. Recent statistics show that over half of consumers are more concerned about their online privacy compared to a year ago. And this is only going to continue to rise. Increasingly, online users are becoming aware of the vulnerabilities of using the internet, the cybersecurity attacks they could fall victim to and the risks they face if their data is leaked. As such, businesses must make data privacy and security a priority in order to win customers’ trust and ultimately fuel growth.  

To truly tackle data privacy and security, companies need to take a proactive and transparent approach as opposed to relying on reactive, preventative or remedial measures alone. Doing so will significantly help businesses to gain and maintain the required trust with customers and stakeholders. This is where bug bounty programs come into play. They allow organizations to willingly submit exposed scopes to an entire community of hunters, each bringing different skill sets and methods to test the security of applications. The more hunters that can scan and attack the business’s given application, the more likely it is that vulnerabilities can be detected, resolved and eliminated.

Working with a verified researcher community  

With traditional pentesting, there is very little room to check the quality of the auditor or tester. This is because the people who end up working on the project may be different from those showcased in the proposal. In contrast, when using a bug bounty platform, businesses can be provided with the details of each hunter working on resolving the threats, allowing enterprises to validate any hacker working on their bounty. The business can also easily choose the best-suited hunter, according to its needs, from a pool made up of versatile skill sets that cover the full spectrum of testing.

For example, certain bug bounty platforms provide access to over 25,000 verified ethical hackers through public bug bounty programs. The unrestricted access to hackers that these platforms provide benefits businesses by identifying and anticipating potential pitfalls sooner, facilitating the sharing of best practices and helping to resolve threats faster.

Showcase the brand, bring in new business  

Last but not least, the third way bug bounties can give businesses the security reality check they need is by enabling enterprises to demonstrate that security is at the forefront of their minds. Businesses of all sizes are constantly undergoing a digitalization process, from banks turning to mobile apps through to institutions making use of public and private cloud. But in order to succeed, organizations need to deliver a superior digital experience rooted in trusted security.

To gain the trust of customers and stakeholders it is vital to showcase that the business’s products are safe, and that the complementing security framework undergoes a high level of testing by experts during the design and deployment phases. Taking on security threats head-on, from the start, can help to establish a business as a brand committed to protecting data, a win-win for attracting customers both old and new.

By highlighting an active commitment to security through methods such as a public bug bounty program, organizations can capitalize on the opportunity to designate the security of products, production process, and platforms as a competitive differentiator. Additionally, with a public bug bounty in place, businesses can be alerted to a vulnerability and automatically include it in their correction cycle. This leaves customers reassured, knowing that the organization isn’t waiting for updates from other vendors to have vulnerabilities fixed. 

Keeping the business moving with the right security 

As digital innovations make the world a faster, better, and more efficient place to work and live, the focus is shifting towards security threats and how best to handle them. Cybercrime has become industrialized and attackers are increasingly poised to create damage. With this in mind, it’s important for businesses to continually take stock of their security and assess how it can be improved. Armed with the right approach, such as a bug bounty program, businesses are well equipped to tackle today’s security challenges.  

What’s more, with effective security, organizations are better placed to improve relationships with customers and stakeholders, as well as to showcase themselves to prospective business partners as a trusted enterprise. In doing so, businesses can move forward knowing their security is keeping them safe while helping them to thrive.

Rodolphe Harand, Managing Director, YesWeHack
