
Crowdsourcing application security closes the automated assessment gap

George V. Hulme | June 8, 2017
Crowdsourced pen tests aren't for everyone, but for one SaaS provider they help identify software flaws that automated tools may miss.

Most security teams understand the benefits of software security code reviews and bug bounty programs. A crowdsourced penetration test combines elements of both: the breadth of a crowdsourced code review with the structure of a traditional pen test. The difference is that a crowdsourced application pen test is limited to security researchers who have been vetted by a third party. Think of it as a private software assessment whose testers are curated by that third party.

Lahiri and his team decided to scope a crowdsourced penetration test. “We asked them to conduct a deep dive into the platform, and scoped it out so we could learn if researchers could perform functions that they shouldn’t have permissions for,” Lahiri explains. “We found very quickly that we were going to get value from these assessments,” he says. The Cobalt assessment did not locate any urgent vulnerabilities, which is a testament to the internal testing the Egnyte team conducts, but it did locate several low- and medium-severity vulnerabilities that required remediation. “I knew at that point no matter what automated tools are available on the market, this is the type of service that we would always need to leverage as we grow,” he says.

With those results in hand, Lahiri sought to apply crowdsourced penetration tests to their mobile development. And as Egnyte started developing more mobile apps, they realized there was a limited number of effective mobile application security testing tools on the market. “We moved mobile testing to Cobalt and crowd-sourced assessments,” he says.

When it comes to software security, Lahiri is reasonably confident in Egnyte’s internal release criteria, which include quality assurance and regression tests, automated security checks, and regular software security assessment scans of their public-facing and production applications. But those checks are never going to find everything. With crowdsourced pen testing, Lahiri says, they have found and fixed things that needed attention. Most would agree that makes the extra effort worth it.
