Vulnerability hunting in the era of DevSecOps and surging CVEs

Digital transformation is spawning new attack surfaces and fuelling a surge in new vulnerabilities – leaving traditional security testing methods ill-equipped to meet today’s security and compliance demands.

So how can overstretched security teams secure proliferating attack vectors against fast-evolving attack techniques? How can they find, fix and prevent vulnerabilities without slowing an accelerating release schedule? And how do they prioritise remediation when there are too many vulnerabilities to patch all at once?

Addressing these challenges – especially with stagnating budgets – requires a security testing regime that is continuous, adaptable and scalable. Recognising the limits of traditional vulnerability assessments, growing numbers of CISOs are therefore choosing to crowdsource their hunt for vulnerabilities.

‘Like a continuous, never-ending pen test’

In contrast to time-boxed pen tests undertaken by small teams, bug bounty programs continuously draw on the diverse skillsets of tens of thousands of ethical hackers. This agile, platform-driven approach shortens detection and remediation times, and accommodates both CI/CD and waterfall development models.

Resource pressures, meanwhile, are eased by results-based pricing and a triage service that delivers only valid, actionable reports. And the number of vulnerabilities created in the first place can be reduced since real-time dashboards and interactions with security researchers can instil secure development practices.

Having experienced these benefits as a YesWeHack customer, Michael Gillig, senior project manager for security at TeamViewer, described bug bounty as “like a continuous, never-ending pen test with a large number of resources”, and one that “generates less management overhead”.

Bug bounty and compliance

Bug bounty is only becoming more appealing as new cyber-security laws reach the statute book. Take NIS 2, the wide-ranging EU directive, which the UK’s impending NIS update will likely closely align with. The NIS Cooperation Group has issued guidelines that explicitly endorse bug bounty, while the Digital Operational Resilience Act (DORA), which applies to financial services firms operating in the EU, demands proactive, continuous and targeted risk identification.

Organisations often run bug bounty programs with the ultimate goal of expanding this continuous vulnerability audit to encompass their entire attack surface. In the meantime, a co-ordinated vulnerability disclosure policy (CVD or VDP) provides an invaluable channel for receiving reports in any out-of-scope assets.

VDPs are increasingly more than just an optional extra. They are recommended by NIST, ENISA and CISA, required by ISO standards 29147 and 30111 and mandated by the EU’s Cyber Resilience Act (CRA) and the UK’s Product Security and Telecommunications Infrastructure (PTSI) Act.

YesWeHack can help you create a branded VDP in accordance with industry best practices and your requirements. Communication with vulnerability reporters is end-to-end encrypted and our triage service ensures you receive only valid, actionable reports.

‘All hazards’ attack surface management

NIS 2 demands an “all hazards” approach to risk mitigation. Such a no-stone-left-unturned ethos is intrinsic to continuous threat exposure management (CTEM), a five-step model for continuously mapping your attack surface, identifying vulnerabilities and prioritising the most pressing remediations. Gartner predicts CTEM adoption could result in a two-thirds reduction in breaches.

YesWeHack’s Attack Surface Management (ASM) product implements CTEM with the added benefit of integrating, into a unified interface, vulnerabilities from multiple channels: automated scanning by the ASM, bug bounty, pen testing and VDP reports. This risk-based approach offers continuous, real-time visibility of your “real” digital footprint and exposure to known vulnerabilities, automated prioritisation of vulnerabilities based on evaluation of “true risk” (not just severity), and strategised security testing and remediation to tackle the most critical vulnerabilities at scale.

‘Cheaper than pentesting’

But isn’t bug bounty best suited to larger businesses with significant resources?

Not so. As one of our clients, the CTO of a trust service provider, reflected: “The opportunity to pay based on results is very important for a small organisation like ours with limited budgets.” Indeed, another client estimated that bug bounty is typically 90 per cent cheaper than pen testing.

Whatever your goals, budget and security maturity, a bug bounty program can be continuously finetuned in line with your remediation capabilities and priorities. Levers you can pull include adding scopes, increasing bounties, rotating researchers or even launching a public program open to all registered bug hunters.

YesWeHack minimises your workload with extensive support (including optimisation of the above parameters), an in-house triage service, automation and collaboration features, plus integrations with your internal workflows and tools.

Beat the bad guys

Your internet-facing assets are surely already being targeted by malicious hackers. Motivated by financial rewards and a points/leaderboard system that unlocks more earning opportunities, our “ethical” hackers can help you find and fix vulnerabilities before the bad guys do.

For added reassurance, our hunters are thoroughly vetted and must sign terms of service committing them to abiding by your program rules – and shouldering personal liability for any violations. Their activities can also be monitored using a VPN or user-agent.

We’ll conclude with a message from Yann Desevedavy, bug bounty program manager at Orange: “Bug  bounty is becoming a security standard and is the way to take your vulnerability research to scale.”

The YesWeHack platform, which combines Bug Bounty, VDP, Pentest Management and ASM solutions, can cost-effectively scale your security testing and enable risk-based vulnerability management. Get in touch with our sales team to find out more.