A survey of 200 cybersecurity decision-makers suggests the chronic shortage of cybersecurity talent is driving organizations to embrace alternative crowdsourcing approaches to application penetration testing.
The survey, which was conducted by Enterprise Strategy Group (ESG) on behalf of Bugcrowd, a provider of a crowdsourcing platform for cybersecurity professionals, finds almost 90% of companies surveyed are already running, plan to run in the next 12 months, or are interested in running a crowdsourced security program at some point.
The survey also suggests the vulnerabilities discovered by those testers increasingly will be remediated by developers within the context of DevSecOps processes. More than 80% of respondents said their organizations are planning to address cybersecurity processes and controls via a continuous integration and continuous delivery (CI/CD) platform.
David Baker, chief security officer at Bugcrowd, said cybersecurity decision-makers are becoming less concerned about relying on external testers who have been validated. There’s much less of a “fear factor” in terms of being worried about sharing information about potential vulnerabilities with white hat hackers as long as organizations know the information won’t be used to extort money from them before they can address the vulnerability.
Organizations also are beginning to appreciate the economic merits of embracing the “gig economy” to increase the pool of cybersecurity talent they can potentially tap, at a time when it’s hard to recruit and retain full-time cybersecurity researchers, Baker noted.
That appreciation is occurring at about the same time as platforms such as Bugcrowd are achieving critical mass in terms of the number of cybersecurity researchers who are willing to take on penetration testing assignments, he said. That’s critical, Baker noted, because it creates a marketplace effect where competition between testers helps keep costs under control.
Survey respondents specifically identified paying for cybersecurity testing based on the number of vulnerabilities discovered rather than relying on a traditional time and labor basis (44%) to be the biggest benefit of cybersecurity testing, followed closely by the ability to continuously test applications (42%). A full 60% described next-generation continuous penetration testing as being complementary to their existing approaches to discovering vulnerabilities.
It’s too early to say what percentage of the cybersecurity community will make their services available via a crowdsourcing platform. Bugcrowd said it already makes penetration testing available to customers in more than 50 industry sectors in 30-plus countries. Atlassian, Fitbit, Jet.com, NETGEAR, Square, HP Inc. and Mastercard are among its customers. Longer term, Bugcrowd expects to be able to expand the range of cybersecurity services it provides using a crowdsourcing model.
More than a few of the cybersecurity professionals who do participate in these marketplaces may also have full-time jobs. In an ideal world, organizations are identifying groups of cybersecurity researchers who prefer to engage regularly to ensure the availability of individuals who don’t have to relearn their environment.