Back in the autumn of last year, I talked about a vendor – Bugcrowd – that doesn’t simply rely on AI and ML within a microchip, but actually uses real flesh and bone people (AKA ethical hackers) to carry out penetration testing and related security exercises.
Part of the issue for companies in understanding where they sit in the “I’m possibly not as secure as I thought I was” league, is how they can compare their own security infrastructure with peer businesses. Given that I’ve spent an IT lifetime carrying out product and service testing, I was therefore intrigued to see Bugcrowd actually looking to provide this “I’ll show you mine if you show me yours” type of comparison report.
What Bugcrowd is defining as “The Industry Versus Organization Comparison Report” provides a comparison of your company’s performance by benchmarking against a relevant industry – thereby providing a better indicator of how you are performing on the security front. It is also designed to help identify methods of improving operational efficiency, and the current and ongoing costs. After all, how many SecOps teams really understand exactly what their security cost actually is? With the report you can view a snapshot of your company’s health, including your programs, submissions, and funds for a given time period, thereby enabling you to carry out ongoing comparisons and generate data for trend analysis and related activities. Report contents include number of submissions, priority of submissions, unique researchers, number of rewards, number of accepted submissions and number of fixed submissions.
The importance – whether a security vendor or an end-user company – in understanding just how secure you are has been magnified with another recent Bugcrowd announcement. Its customer ExpressVPN has increased its bug bounty reward tenfold to $100,000 to researchers using Bugcrowd’s Bug Bounty solution who can find and demonstrate a critical security bug on ExpressVPN’s in-house technology, TrustedServer. My mate Jan in Belgium might be interested 😊
The point is, if you offer one of the largest VPN services in the world, on the basis of its security credentials, you might as well spend the $$$ to make sure it actually is secure in the first place! Watch this space on that one (and ExpressVPN’s bank balance).