Crowdsourced Ethical Hacking – A short-lived trend or the future of penetration testing?

What is Crowdsourced Ethical Hacking?

Typically, companies commission specialized IT service providers to carry out penetration tests of web applications and networks. These service providers work like doctor’s offices: you make an appointment, and a few weeks later the assigned experts take care of the project. For several years now, however, companies have also been able to take a new path and rely on swarm intelligence when carrying out penetration tests. So-called crowdsourced penetration testing platforms make this possible. They maintain a global network of on-call pentesters who can search for vulnerabilities 24/7. The pentesters receive success-based bonuses for verified vulnerabilities, similar to so-called bug bounty programs. Crowdsourced ethical hacking is a form of the gig economy in which the platform acts as an intermediary between client and contractor and manages the delivery of the service.

What are the benefits of crowdsourced ethical hacking?

Crowdsourced penetration testing platforms advertise a lot of advantages over classic pentesting, including:

Access to a variety of skills

In times of a shortage of skilled workers, it is very difficult to find suitable pen testers. Through crowdsourced ethical hacking platforms, companies have access to a global pool of ethical hackers with diverse skills who, together, are able to keep up with the rapid developments in the field of cybercrime.

Superior technology

Crowdsourced ethical hacking platforms are often more than just an intermediary and throw technology into the mix that a single pentester or small service provider cannot offer. These technologies aim to make the work of ethical hackers on the platform as easy as possible and can automate certain parts of penetration testing.

Continuous testing and rapid operational readiness

Crowdsourced pentesting allows clients to have applications and systems tested continuously. This continuous approach fits very well with the way modern software is developed today. In addition, the lead time is very short: normally you can start a project within just a few days.

Better incentives

The ethical hackers on the platforms are paid based on their success for vulnerabilities they find and verify. As a client, apart from the basic fees for the platform, you pay for the results of the test activities and not for the time spent.

What are the disadvantages of crowdsourced ethical hacking?

Trust in the platform selection process is necessary

Pentesting necessarily means disclosing sensitive information to an outsider. You have no personal relationship with anonymous pentesters from the “crowd,” which is why you have to trust the provider’s screening process. Of course, all major platforms ensure that they carry out a rigorous selection and monitoring process and actively maintain their hacker community. Nevertheless, the uneasy feeling remains that actors with evil intentions could be on the platforms.

Limited area of application

A lot has happened in the crowdsourced ethical hacking market in recent years, but the platforms are primarily suited to pentesting web applications and perimeter assets. Internal penetration testing is harder for providers to deliver in practice. However, with increasing interconnection and an ever-growing number of entry points, internal pentests are becoming more and more important.

Fluctuating costs

Costs for most providers are very variable and therefore difficult to predict. Some providers offer a monthly flat rate, but this represents a high barrier to entry. No matter how the remuneration model is designed, it can be very expensive for the client. Therefore, crowdsourced pentesting is best suited for large companies that already have a lot of experience with pentesting.

Questionable compensation models

Only a small proportion of hackers on the platforms earn significant income through rewards. There is a high risk that effort and earnings are out of proportion, e.g. because you are not the first to discover a vulnerability and therefore come away empty-handed. Fortunately, platforms are increasingly starting to pay for the activities carried out as well.

A look behind the scenes

The above points of criticism are by no means the only ones. An investigative article by J.M. Porup takes a deep dive into the problems facing the industry. You can find the article here.

Well-known providers on the market

Below I would like to briefly introduce three well-known players on the crowdsourced ethical hacking market:

HackerOne

HackerOne brings together the largest hacker community, has the most customers and has paid out the most rewards to date. The platform offers some crowdsourced security services, including penetration testing. The platform lists the following product capabilities:

  • Web and mobile applications
  • External network
  • Internet-facing infrastructure

An overview can be found here.

Bugcrowd

Bugcrowd is number two in the market and very similar to HackerOne. In Penetration Testing Services, Bugcrowd offers the following:

  • Web App Pentests
  • Network Pentests
  • API Pentests
  • IoT Pentests

Many hackers are registered with both Bugcrowd and HackerOne.

Synack

Synack differs significantly from the other platforms. For one, the hacker selection process is much more demanding; for another, the platform uses a different pricing and remuneration model. Overall, this means that the barrier to entry is higher for both customers and ethical hackers. What is also interesting is that Synack is very keen to support pentesters with technology, such as AI-supported scanning provided by the platform itself.

Conclusion

Crowdsourced ethical hacking is a really exciting phenomenon, and global players in particular don’t seem to be averse to the concept. In the area of web application pentesting, the platforms offer an interesting alternative to classic penetration testing. However, as shown, there are some negative aspects in the industry that we hear surprisingly little about from the platform providers themselves. In the area of network penetration testing, I see no need to rely on crowdsourced ethical hacking in the long term. There, the level of automation is constantly being increased by software solutions, ultimately reducing the need for manual activities carried out by people. In this area, I would therefore rely on Breach and Attack Simulation and Automated Penetration Testing tools instead.

Dennis Kionga

Author

Dennis is managing director at Cloud Cape, an IT services company that implements and operates future-proof IT security and cloud solutions. Previously, he worked as Business Development Manager in the Lufthansa Group, where he took responsibility for the global sales of outsourcing solutions for airlines. He completed his studies at the University of Mannheim and earned a Master of Laws (LL.M.) and a postgraduate certificate in project management from the University of Cape Town. During his career he had longer stays abroad in Portugal, the Czech Republic and South Africa.

Category

Uncategorized

About Cloud Cape

We help companies create transparency in their own IT landscape and accompany them on the path to secure digital transformation. As a ‘cloud-first’ company, we specialize in cloud solutions and cloud security.