Cobalt has been at the forefront as a Pentest as a Service (PtaaS) platform provider. Having transitioned from a bug bounty approach, we have been running public, curated, and private versions of these programs for businesses over the years. What we have noticed is that businesses are constantly juggling the trade-off between noise on one side and exposure and coverage on the other.
Application Security with Human Hybrid Vigor
Through our experience in these programs we have learned two valuable concepts. The most obvious lesson is that nothing beats human logic — both in introducing vulnerabilities and in identifying them — the automatic scanners out there only scratch the surface. In addition, we’ve learned that one size does not fit all. Each application is different, and its security should accommodate those differences.
It’s been an extremely interesting process — turning the different knobs to find a balance that makes sense depending on an application’s security maturity level, team size, security drivers (e.g. compliance or internal security standards), and more. And we’ve learned a lot!
There is no doubt in my mind that a bug bounty program is a powerful tool — a lot of issues will surface from one. But, and there is a but, it’s a big job to manage it effectively, too big for most companies out there. I won’t dive deep into these hidden costs today, but feel free to check out one of our previous blog posts for a closer look.
One way to counter the issues of bug bounty programs is through traditional application vulnerability assessments — a tried and true concept. You get structured and guaranteed coverage, often at a predictable cost, so it is easy to budget for and you can document the work to your stakeholders. However, too often the actual human testing is done by junior researchers who are poorly incentivized and working for hourly pay. Or the vendor may even substitute a generic scanner for human logic and ingenuity.
Now I come back to the headline of this post, hybrid vigor: the improved functioning of any biological quality in a hybrid offspring. What if we took the elements that make bug bounties awesome — incentives, a qualified and diverse talent pool — and mixed them with virtues from the traditional assessment world — structure, coverage, quality assurance, and fixed costs? Then imagine powering this hybrid with technology that enables integration, communication, and collaboration, making it a breeze to start and run an application security assessment, and making it easy for the DevOps teams to access issues, ask questions if needed, and finally fix them — which is the ultimate goal.
What would we call that cross between bug bounties and vulnerability assessments, you may ask? We call that hybrid offspring the Cobalt Pen Test. We assemble the best team for your company and applications based on the application size and tech stack. This handpicked security team then delivers guaranteed coverage and actionable issue reports — including a top-level executive summary that can easily be shared with relevant stakeholders.
With a security solution like this there are a number of advantages that come to mind: #Humanlogic, #tools_assisted, #great_talent, #feedback_cycles, #ratings, #collaboration, #agile, #integrated.
Feel free to tweet at us with some of the hashtags at @Cobalt.io