Beyond Bug Bounties: Crowdsourced Security Testing EvolvesBugcrowd's David Baker on Targeted 'Researcher Grants,' Waning 'Crowd Fear'
Crowdsourced bug bounty programs help organizations identify severe flaws in their IT infrastructure, apps or other code. Now, that model is being used to help organizations perform more widespread security testing, including penetration testing as well as deep dives by single researchers, says Bugcrowd CSO David Baker.
"Traditionally ... you've had a large group of people sort of gamified - the first one to find a bug gets paid, and so that tends to work very well," Baker says.
But as technology evolves and more web and mobile applications rely on APIs, more specialized types of technology review and testing need to be brought to bear, he says. That's given rise to Bugcrowd's more "gig economy" approach, called researcher grants. "We will give a certain researcher a certain aspect of that technology to look at and research," Baker says, and then that researcher will produce a report with detailed findings that can also be used to also satisfy audit requirements.
In a video interview at the recent Infosecurity Europe conference, Baker discusses:
- The state of the crowdsourced security testing market;
- The evolution in trust as well as reward mechanisms;
- The role of penetration testing.
Baker is CSO of Bugcrowd. He has more than 20 years of experience in enterprise data security, IT and government computer research.