Pentests vs BugBounty for startups and SMBs

I’ve been thinking quite a lot about writing a series of articles on how to secure small and medium organizations from the ground up. I was waiting for the right moment, and now is the time to start, especially since this exact question came up very recently on Peerlyst, where I put in my $0.02 on the subject. Since there is clearly a need for decent guidance, welcome to the first article in the series “Securing the business from the ground up”. Expect more articles on similar subjects.

I’ve seen many companies struggling with the choice between penetration tests and bug bounties, and in the era of overhyped BugBounty programs this is a big question, both for PR/marketing and for security teams.
There are as many answers to “pentest or bugbounty” as there are people you ask. Everyone has a slightly different POV on this, so I suggest you gather opinions from many people and decide for yourself what works best for your business.
I want to approach this from a slightly different angle than I’ve seen so far, so this should be an interesting read.

One of the most common things I’ve observed is that companies want to start too big.
Okay, let’s name it: individuals within a company who, for some bizarre reason, were given the authority to decide on security want to start big. This is a really big problem in startups.
Please, spend a couple of bucks on consultancy from a real security professional instead of entrusting the security of your organization to someone who’s just not capable of handling it.
You probably wouldn’t let your software engineer decide on corporate finance strategy, so why would you do this with security?
Back to the main problem. You really don’t need to hire a handful of penetration testers to get things rolling. More than that: good luck convincing your CFO that out of the blue you need $20k for security engagements. Start small, or you may end up with a thin wallet and only minor security improvements. Security is a process and a long-term game, and that is how you should perceive it.

In extreme situations, a wrongly managed BugBounty program (no clear scope, nobody able to triage the reports) may lead to your organization getting hacked or result in terrible PR, and you don’t want any of that.
You need someone to look at the big picture; otherwise, who cares about your web app being perfectly secure if your infrastructure is a mess and an easy entry point for an attacker?

So the assumption is that you have a business and want to run vulnerability scans or pentests (let’s just call it security testing), and since it’s your first time, you probably have no idea what you actually want and need. I’m a huge believer in people, relationships and social networks. Why don’t you use your connections and colleagues to get a decent security consultant to sit with you and work out the best way to do it? I’m often astonished by how little people work with each other.
If you are a business owner, you surely know people who know other people willing to help you.
Heck, even if you’re an individual, you’ve lived your life meeting people. Ask your connections on social media (be it Facebook and/or LinkedIn) whether they know someone who could help you, and go with it. There is huge power in referrals and recommendations, and you need it in an overhyped industry plagued by snake oil.
Bug Bounty (BB) is not the ultimate solution to everything, though that is the narrative you may see these days. It costs a shitload of money, time and security expertise to run an effective BB program.
Yeah, expertise, because what are you going to do with bounty reports if you have no idea what XSS means or how to fix it? Don’t get me wrong: BB can be awesome, and a few years ago I was big into it. Okay, I was into bug hunting back when it wasn’t paid and famous like it is nowadays, but the concept is the same. And because I’ve been there and done that on both sides, I know it’s not the best option for an SMB that has no idea how to approach security testing.
Here is how I’d approach this and how I like to do these things, but that’s just me; I’m a fan of casual relations and of helping out occasionally as much as I can. If you need those tests to be certified for some reason, then you’ll want to look for a big-brand pentesting company, but again you face an issue: which of those 9999 security companies should you pick? The security consultant I mentioned earlier can help you with this as well. Even if you don’t hire him going forward to do the actual pentesting, he’s always a valuable asset for suggesting where you should go next on your own. Relationships are important, and for a couple of bucks you can get a fellow to support your business security-wise for a long time.
This is crucial: every business should have a security advisor, because security isn’t a product or a one-time thing. It’s not something you do once, on an engagement with one company, and then you’re good forever. Security is a process, and you need a buddy who will support you along the way.
With BugBounty you’ll get tons of “you have misconfigured SPF, gimme bounty you bastards! this bugbounty is fake!” and not much valuable support after the BB is over.
Finding a pentester or a consultant at this point will make it easier for you to re-engage in the future if you need professional help along the way while growing your business.

Long story short: ask your colleagues if they know someone who can help you.
I don’t believe there is any better way to figure out what suits your business most than having a security professional analyse your situation on an individual basis.
There is no answer that suits everyone, and if someone is telling you over the Internet what’s going to work best for your business, he’s lying; he has no clue.

PS. In most of my articles I am, and will be, talking about startups and SMBs, because this is the largest group on the market, plus big corporations have their internal security teams and know how to do these things. At least they should know, or they can throw big money at the problem and get it solved at some point.
If you also wonder why I’m saying that SMBs have no idea what they want, it’s pure experience, plus they wouldn’t be reading this if they knew how to approach security testing.
To be perfectly clear: there is completely nothing wrong with not knowing something, and as long as they’re willing to learn and put in the work to make things better, I’m cool with it.
We all started knowing nothing, so I do appreciate you reading this and wanting to know more.
Good luck with your stuff, and I hope you liked this one.
