Crowdsourced Penetration Testing

What is penetration testing?

In a penetration test, or pen test for short, authorized hackers simulate an attack on a specific application, site, or set of apps and sites to assess their security. A pen test is designed with a specific goal in mind, such as gaining privileged access to a sensitive system or stealing data from a system that is believed to be secure [1].

Common Threats

Today’s applications and sites rely on data from more sources, leverage more packages, deploy on a greater variety of cloud infrastructure and serve users on a greater diversity of devices.

For all these reasons, keeping an eye on the annual OWASP top ten application security risks, and comparing it to your current and planned tech stack, is vital [2].

Injection flaws, improper authentication, and exposing sensitive data top the most recent OWASP list. Security teams are also wise to watch for emerging threats such as dangling DNS names and leaked API credentials.

Why crowdsourced penetration testing?

Traditional “point-in-time” pen testing by a small team of researchers is expensive and simply can’t keep pace with today’s continuous delivery (CD) software model. Instead, companies are tapping into the global community of white hat hackers to stay secure while they continuously innovate. With HackerOne’s global hacker community, you benefit from the diversity of skills, “on-tap” availability, and cost-effectiveness you need. In fact, HackerOne penetration testing customers see up to 600 percent ROI compared to traditional pen tests.

1. Daniel Miessler. 2015. “Information Security Assessment Types.” Last modified April 4, 2018.
2. See https://www.hackerone.com/blog/OWASP-Top-10-Web-Security-Risks-2017-Flashcards

The HackerOne Approach

HackerOne believes in a custom approach because every security team is different. We work intensively with hackers on your behalf to provide the best reports and vulnerabilities your team is looking for. This ensures your team can focus on what matters most: fixing vulnerabilities and keeping customers safe.

HackerOne Challenge: Timeline

Sign Up with HackerOne

Phase 1 - Preparation

• Process Recap/Overview
• Test Plan
• Policy Guidance
• Bounty Payment Guidance
• Establish Testing Window
• Pre-Seed Hacker Invites

Phase 2 - Launch

• Launch Program
• Update Security Page
• (H1) Triage Incoming Reports
• (H1) Manage Bounty Payments
• (H1) Provide Updates on Progress

Phase 3 - Debrief

• (H1) Deliver Challenge Report
• Meet with H1 to Discuss Results
• Provide Feedback + Q&A
• Discuss Future Engagement

Benefits of crowdsourced pen testing

Compared with traditional penetration testing, crowdsourced solutions like HackerOne Challenge provide tangible business value in the following three ways.

Speed

You get more security professionals testing your attack surface: dozens to hundreds, compared to the one to three testers of a traditional penetration test. This translates into faster vulnerability identification and a shorter risk window.

Skills

You get more diverse skills. A hacker-powered penetration test harnesses more hackers with more diverse approaches, increasing the likelihood of finding hidden, severe vulnerabilities.

Value

Paying for results rather than time spent means more bang for your buck. Hacker-powered pen tests are a cost-effective way to find as many vulnerabilities as possible, quickly and at the lowest possible cost. In one comparison of a traditional pen test with a hacker-powered pen test, the traditional firm found three vulnerabilities in the client organization. The hacker-powered penetration test found those three and 60 others.

Key elements that are tested

HackerOne pen tests can simulate the full spectrum of attack vectors, and we will work with you to scope the project for your needs. In addition to the OWASP top ten, common pen tests cover DoS and DDoS, IDOR, remote code execution, DNS brute force, DNS subdomain takeover, deprecated ciphers, cross-site scripting (XSS), and more.

Harnessing the power of your private crowd

HackerOne makes it easy to ensure the best-fit hackers participate in your penetration test. HackerOne provides several layers of control for selecting, inviting, and approving hackers based on their Reputation metrics, past program participation, specific skills, and more.

You identify and select hackers based on their activity on other bounty programs, as well as their Signal, Impact, and Reputation scores.

Each hacker’s profile page contains not only their Reputation metrics, but also their “hacktivity”, the number of bugs found and thanks received, and badges earned. Hackers can also add skills to their profile by submitting relevant reports, which are individually reviewed by our hacker success team.

Some pen testing clients require specific controls for their hacker-powered pen testing programs. These can include non-disclosure agreements, application processes, and background checks.

Non-disclosure Agreements

Every hacker on the HackerOne Platform agrees to the “Finder Terms and Conditions”, which include a provision covering confidential information disclosures. Customers may choose to add additional confidentiality language to their HackerOne pen testing page.

Application and Evaluation Process

Custom eligibility requirements can be enforced through an application process, where hackers are selected based on experience, skills, location, or other criteria.

Background Checks

HackerOne can facilitate background checks as a prerequisite to program participation.

Put hacker-powered penetration testing to work for you

With modern hacker-powered pen tests, you tap into more of the best talent, without the huge initial price tag. The hacker-powered model has been proven to deliver immense value, with customers reporting 6x returns.

Our report, Hacker-Powered Pen Tests and the Power of More, reviews the hacker-powered pen test model, outlines the good, bad, and ugly of traditional pen tests, and presents a side-by-side comparison of the two approaches.

Get The Guide

Download the resource today and see why HackerOne’s hacker-powered pen testing solution, HackerOne Challenge, is a must-have inclusion in your appsec strategy.