Security testing has emerged as an important niche in the software development lifecycle. Evaluating and testing mobile applications for bugs and vulnerabilities is becoming critical, as the applications are expanding and addressing greater consumer needs. Crowdsourced security testing is considered a popular approach for testing an application's vulnerabilities. An evident reason is that it provides a wider base of individual testers who can search for vulnerabilities far more cost-effectively. Nevertheless, the industry still sees challenges in this approach in terms of performance, availability, and the security protocols agreed with customers.
While crowd testing companies continue to streamline and structure the effort, challenges in addressing the core needs of security testing cannot be evaded. The crowd testing approach to security testing is popularly referred to as a bug bounty program, which calls upon individuals to probe the website for any bugs or vulnerabilities. In return, it offers recognition and compensation for identifying and reporting flaws in an application. These programs are floated on open platforms as an open challenge to testers.
However, some organizations perceive that the bug bounty approach does not follow a pattern or structure, and could result in ambiguous inferences. Also, if companies need serious and meticulously reported feedback, an approach on these lines is not considered effective. The question remains: is this approach good enough for finding all the bugs within an application?
Crowd Testing
OWASP (Open Web Application Security Project) lists the top 10 application security risks for 2017. Taking the case of a crowd tester with no access to the application, we tried to understand the complications they will face in identifying these bugs or building test cases for them.
Security testing challenges
With no access to the application's code, a tester faces multiple challenges while testing for and exposing vulnerabilities. We have listed some of the issues that crowd testers, working externally as a third party, try to find.
- The tester needs to identify injection flaws in the web application and trace where untrusted data enters it.
- The authentication process needs to be checked, along with session management, for flaws that might compromise passwords or lead to authentication being bypassed.
- Cross-site scripting issues need to be checked for, where unauthorized data pops up on the website.
- Check for broken access control, where users' data could be at risk from attackers.
- A gap in the configuration of security controls can lead to a breach, so default settings cannot be the only way of accessing the site. For instance, a banking application has multiple layers of security codes.
- It is important to detect any inability to safeguard the application against attacks. This normally happens with APIs, where, if the attacker finds a weak link, sensitive data gets exposed.
- If an application or API uses known vulnerable components in its framework or libraries, an attacker can use them to cause a serious data breach or data loss.
What is the way out?
Considering that the concept of leveraging the crowd for security testing is gaining serious momentum, there are mechanisms that can reduce these challenges. We have tried to pool together some methodologies to aid the crowd testing process.
- Access to a private platform
By offering a private cloud or private access to the testers, both parties can keep the application secure. At the same time, all activities are undertaken through a full packet capture gateway and analytics platform. This enables regular monitoring of the process, with coverage maps, vulnerability reports, and updates available in real time.
- Skilled and verified testers
Unlike the bug bounty approach, skilled and verified testers can be recruited and given access to the testing platform. Crowd testing companies select testers from the entire pool after checking for relevant skill sets and verifying their identities with proper documentation. This can be done for highly confidential security testing projects.
- Results that can be tracked
There are processes and dashboards through which every action can be tracked and bugs can be reported. The process can proceed according to the testing objectives set for the application, keeping all parties in the same loop.
Security is a growing concern, and data loss or breach is a bigger scare for enterprises today. However, security testing is a rigorous process. Enterprises, even the bigger ones, tend to take a pragmatic approach to security testing for their enterprise-level applications. Crowd testing works well for firms that have smaller testing teams and need external expertise, so they tend to leverage it and let their internal staff focus on other aspects of the application. For instance, companies such as Pinterest and United Airlines leverage the expertise of external testers and let their internal testers deal with other issues. This saves time and brings in added expertise.