Let’s start with a simple definition: on the one hand, a pentest (abbreviation of penetration test) is a way for a company to challenge the security of its digital platform with security testing performed by a company specialized in cyber security. On the other hand, bug bounty platforms (which first appeared in the United States and are now spreading to Europe) allow independent hackers to perform security testing on web platforms. Now the big questions are: what are the main differences between pentests and bug bounties, and how do you decide which one is for you?
What are the differences?
When you decide to conduct a pentest, you definitely choose a structured approach: a security audit based on a strong methodology, whose goal is to find all the vulnerabilities that can be found on the platform being tested. This audit has a beginning and an end, and the schedule is set up according to the client’s needs. The audit can then be renewed on a regular basis.
Moreover, the client has one contact person, with whom they can discuss the flaws that are found, the actions that should be taken to fix them, and the specific risks threatening their industry.
Exposing a web application on a bug bounty platform means allowing bug hunters to be rewarded for their findings. This opens the process to potentially many people. These people will go on a hunt whenever they want or have time for it. When they find something, they notify the client through the bug bounty platform.
To run a pentest, you first sign a contract with a cybersecurity company. The service provider then has legal obligations and is responsible for the work of its teams. This includes confidentiality, as well as responsibility in case of an incident and for the quality of the security testing. Like any service provider in any industry, the cybersecurity company’s reputation and its very existence are at stake.
Furthermore, the client knows when the pentest is being conducted, which IPs are used by the security testing team, which phase of the audit is currently running… The client can also ask for specific restrictions or, on the contrary, for a special focus on certain parts of the application. It is reassuring to have direct communication with the team in charge of the pentest.
If a company is looking for a tailored service, adapted to its business context, a pentest is the right option.
Bug bounty pros
The main advantage is that bug bounties allow continuous security testing by a (potentially) vast number of people. Bug bounty programs are crowdsourcing adapted to the security industry.
For a company that is confident about its security level and its resistance against hackers, it can be an interesting challenge to expose its website on a bug bounty platform in order to get additional security feedback.
Choosing according to your needs and risk level
Performing a pentest is a must in several cases:
- For a first security audit: if a web platform has never been pentested, it is likely that there are important flaws in it. Working with a cybersecurity company ensures that security testing is precisely controlled, that risky tests are not run without letting the client know how and when, and that cybersecurity experts are always available for direct discussion and explanations about the tests that have been performed.
- For a greybox audit on platforms containing sensitive data: let’s say a company wants to perform security testing on business software that is only available to existing customers who have a user account (login/password). It is possible to run a “greybox” audit with test accounts provided by the client. In that case, it is more than advisable to go with a cybersecurity company, to avoid handing out the test accounts to a large number of people.
- For an audit that includes social engineering testing: for obvious security reasons, it is necessary to work with a cybersecurity company to perform social engineering attacks, which include phishing and vishing among others.
- To prove to customers that a security audit has been performed: the security audit report and/or a security audit certificate can then be shown to clients who ask for it (this is common practice, especially among B2B clients, when buying software).
Bug bounties are complementary in the following cases:
- To enlarge the scope of security testing on a platform that is already well secured: since it brings fresh views on security vulnerabilities, it may result in finding new flaws that your team had not detected.
- To run security testing on public websites that do not face major security threats: for instance, high-traffic websites that provide online content but do not process any confidential data.
In both cases, bug bounties decriminalise the search for security flaws on a web platform, without replacing the pentests that should still be conducted from time to time (from once a month to once a year, depending on the company’s risk level).
So would you go for a pentest or a bug bounty? Choose according to your needs!