We take security of our data and customers seriously and any security issue found is patched ASAP. We hired outside security testing companies to do our testing in case the developers missed something. Initially we hired a company lets call it YYYhat and they were great in first few months and found many standard issues like XSS, XSRF, session hijacking but after sometime no new issues were found. Then one day a customer reported an issue to us that was not detected by YYYhat so we hired another company, lets call it YYYsec and this company was good in finding some sql injection and some XSS in another parts of the system that were constantly missed by YYYhat company. But again the pipelined dried from YYYsec and we thought we were secure.
We even asked our engineers to start downloading penetration test tools and automate them to detect standard issues. But again they didnt found much.
Lately I am observing that these specialized security testing companies are a one skill or some skill shop but not jack of all trades. They are good at finding some set of security issues but completely miss other kind of issues. This was observed with XXXhat and XXXsec and our own engineers.
This week we hired another company lets call it crowdYYY. I have high hopes for crowdYYY because you just spawn a testbed for them and raise a reward, bounty hunters or aka penetration engineers will come and penetrate your system and submit vulnerabilities, If you think this is really a good vulnerability then you can reward them anywhere from $50 to $100 or even $1000. I liked the idea behind crowdYYY because its crowdsourced security testing and different security engineers would be good at different penetration testing skills and in turn we would get more variety of testing. This will make our site more secure.
We even asked our engineers to start downloading penetration test tools and automate them to detect standard issues. But again they didnt found much.
Lately I am observing that these specialized security testing companies are a one skill or some skill shop but not jack of all trades. They are good at finding some set of security issues but completely miss other kind of issues. This was observed with XXXhat and XXXsec and our own engineers.
This week we hired another company lets call it crowdYYY. I have high hopes for crowdYYY because you just spawn a testbed for them and raise a reward, bounty hunters or aka penetration engineers will come and penetrate your system and submit vulnerabilities, If you think this is really a good vulnerability then you can reward them anywhere from $50 to $100 or even $1000. I liked the idea behind crowdYYY because its crowdsourced security testing and different security engineers would be good at different penetration testing skills and in turn we would get more variety of testing. This will make our site more secure.
Comments
Post a Comment