Leverage a Crowd for Security Testing
September 24, 2015
As a follow-up to my recent post on 5 Ways to Improve Your Security Program, I wanted to dig in more on the best practices for security testing.
- Static Application Security Testing (SAST): This is the testing of an application from the inside out. This method includes scanning source code, byte code, or application binaries for vulnerabilities.
- Dynamic Application Security Testing (DAST): This is the testing of an application from the outside in. The running application is probed with a scanning tool, in some cases with a human penetration tester adding expertise on top of what the tool finds.
When done correctly, both of these testing approaches are equally important. For the purpose of this blog, we are going to discuss our approach to DAST.
Jive’s Approach to DAST
For many years, our approach to security testing has included scanning our source code or application binaries with some of the leading scanning products and running dynamic scanners alongside a manual pen-tester. Applying both methods required significant time from our security experts to validate the reported vulnerabilities, and the majority of the findings were false positives. In addition to running our own tools, we would also engage a third party vendor to perform the same testing. Third party testing is a critical component of a testing program.
Third party application testing companies utilize a combination of skilled security teams, customized scanning tools, and proprietary methodologies to test applications. Results from these tests can be applied in a variety of ways, but we use them to assure our customers that we have done a reasonable amount of testing on our software.
There are downsides to using one pen-testing company every time. Here are some of the issues we have discovered:
- A Uniform Testing Approach: Using the same testing approach every time doesn't always give you a comprehensive test.
- Testing Fatigue: The testers get too comfortable with your application and begin to make assumptions from previous tests. They may not thoroughly test areas of the software that they deemed secure in a prior test.
- Windows of Exposure: The costs of these tests are significant, so most companies will perform the tests annually. This leaves a lot of time between tests where vulnerabilities could be introduced into your source code.
- Humans Alone Cannot Scale: Testing companies, just like internal security teams, are limited to the skill set of their employees. There are too many technologies to have an expert in all application areas.
For many years, we would rotate third party testing companies to get a different approach to testing our software. These companies would identify security vulnerabilities, but we felt that they did not find enough. As a result, we started to investigate a crowdsourcing approach to security testing.
Crowdsourcing Security Testing
Crowdsourced security testing has become a popular approach. It allows a broader group of individuals with different skills to test your software. Many companies offer a bounty for security vulnerabilities reported by their users, which gives many people an incentive to find issues. Unfortunately, we felt that the bounty approach was not suitable for our platform. We did not want unstructured testing on a product that hosts many of our customers, since that kind of testing could impact the availability, performance and security of those customers. We were not willing to take this risk.
We still wanted to leverage crowdsourced testing, but we didn't want our product exposed to the world. Finally, we were introduced to Synack. They offered a structured approach to crowdsourced testing. Their approach includes:
- A private and secure platform – All testing activities are safely and securely conducted via a full packet capture gateway and analytics platform. This technology provides the enterprise with a level of monitoring and control previously unavailable in exploitation discovery. Coverage maps, detailed vulnerability reports and even the ability to start and stop discovery activities are available in real time.
- Highly-skilled, vetted researchers (testers) – Their researchers are vetted for skill and trustworthiness before they’re admitted to the platform. Since Synack is able to carefully select researchers based on areas of expertise, they aim to piece together a crowd of diverse skill sets.
- Actionable results, not alerts – All the reported findings have been carefully reviewed by an internal operations team before they are shared with Jive. This eliminates the majority of reported false positives.
Synack has identified vulnerabilities across our attack surface that would otherwise have been missed because of the limitations of automated scanning tools. Since this is a subscription service, we are also able to easily issue a quarterly report to our customers, explaining the importance we place on their security. There are many other crowdsourced security companies, and we encourage you to talk to several to find the right service to meet your requirements.