I have a 12-year-old daughter, so I’m accused of being “old” most days. This, coupled with my current guilty-pleasure Netflix-watching of Younger, is making me think a lot about how people are adapting to the current trends in technology. This is especially true for bug bounty programs, which, like the Nintendo Game Boy and MTV, have been around since the ’80s, even though other penetration testing methodologies have debuted in the intervening decades.
Synack is as familiar with bug bounty as fellow elder millennials are with roller skates and hair spray. We have quite a few federal contracts with “bug bounty” in the title, frequently receive inbound requests for assistance with bug bounty programs and have all read Nicole Perlroth’s retelling of bug bounty’s history in “This is How They Tell Me the World Ends.” (Shout out to Synack CEO Jay Kaplan, who is mentioned on page 168!)
We love discussing bug bounty and how we’ve re-imagined it with our Penetration Testing as a Service (PTaaS) offering. Sometimes, this evolution resonates immediately, but other times, organizations looking to manage the bounty pool themselves and directly interact with researchers don’t understand what PTaaS can offer that a traditional bug bounty program can’t.
I’ve realized that not everyone responsible for building, testing or deploying mission or revenue-critical software knows what bug bounty is—nor should they. The things they do know are:
- Pentesting is killing their cycle time to production, adding weeks if not months to their timelines
- Their team or program is currently only pentesting in production
- The AppSec tools they’re using are only as smart as they are trained
- In the federal landscape, if they need an authority to operate (ATO), they are number 93 on the list for pentesting
How do we bridge this gap between the need for less noise from security providers and more alignment in staging and production testing?
The answer is software: specifically, a testing platform with unique capabilities around human and machine-led research that integrates with the software development lifecycle (SDLC). In this scenario, this same platform identifies critical vulnerabilities sooner, using a community of elite and highly vetted security researchers. Once a researcher submits a vulnerability, it’s verified for exploitability, allowing security teams to prioritize their time and patch what matters most. Perhaps even more important, this same testing platform alerts the security researcher who discovered the vulnerability to verify the effectiveness of an applied patch.
We know that patch times will need to come down to minutes in this new chapter of AI tooling used by our adversaries. In the not-too-distant future, the cyber war will be AI vs. AI. This will call for a significant increase in pre-production testing earlier in the SDLC – or better yet, leveraging data from your pentesting program to help development teams avoid introducing vulnerabilities in the first place.
Are you “old” for using a bug bounty program? No. If that’s your remit and you believe bug bounty can affect the state of your public-facing, internet-connected environments, then you should do that with a platform that cherry-picks the best aspects of bug bounty and penetration testing to deliver a more comprehensive approach. You don’t even need to remember how to roller skate.