The rapid pace of application development today can be hard to keep up with, especially when it comes to security. Combining the benefits of continuous testing with the incentives of a crowdsourced bug bounty program seems like a potentially effective way to address that volatility.
Companies need to keep up with demand while staying one step ahead of the competition. It’s very easy in such a dynamic environment for security to fall through the cracks, or be ignored entirely. Combining DevOps-style automation with crowdsourced intelligence is a good approach.
Bug bounty programs have matured and gained mainstream acceptance in recent years, thanks in large part to the leading champion of bug bounty programs, Katie Moussouris. After launching Microsoft’s successful bug bounty program, she left to join HackerOne as Chief Policy Officer. She recently ventured out on her own as a bug bounty evangelist and consultant under the banner of Luta Security.
The concept is simple: Rather than pretending vulnerabilities don’t exist, or sitting around waiting for the bad guys to exploit the vulnerabilities first, a bug bounty program provides financial incentives for hackers and/or security researchers to identify and report flaws. The net result is a win-win-win: more secure applications, happier customers and satisfied security researchers who feel appreciated—and paid—for the work they do.
That is where Cobalt comes in. “I’m impressed by how Cobalt has built its model by taking the best elements from the bug bounty space, which offers rewards to those in the security community who can identify software vulnerabilities, and combining them with a scalable, continuous penetration testing platform,” said Robert Fly, an investor and advisor with more than 15 years of application security experience from Microsoft and most recently Salesforce, where he built the product security team and was VP of Security Engineering.
“Companies building web and mobile applications need the flexibility to quickly develop new applications that delight their customers, while ensuring that their applications are secure,” said Jacob Hansen, CEO of Cobalt. “Instead of needing to invest in security tools, such as scanners and penetration tools that are expensive and vary in quality, and having to hire security staff or consultants, our customers rely on Cobalt to provide transparent continuous application testing services, leveraging a powerful platform along with a global community of security researchers.”
There are a variety of well-known software-as-a-service (SaaS) companies already using Cobalt, including GoDaddy, Wix, Weebly, Nexmo and Optimizely.
At face value, this seems like an awesome strategy. Only time will tell how it really plays out, but the success of bug bounty programs when it comes to finding and fixing vulnerabilities is indisputable, and continuous testing is a staple of DevOps environments. Combining the two should raise the bar for application security in general.