In this blog post Claus Cramon Houmann uses the popular video game, Tetris, to illustrate the advantages of crowdsourced pen testing. Claus has many years of experience consulting in the technology security space. He is currently working for Peerlyst as a community manager.
Penetration testing is not easy
Anyone who tells you hacking is easy is misguided. There is a wide array of knowledge one must acquire to even get started — coding languages, attack vectors, testing methods, frameworks that you need to have hands-on experience with, and last but not least learning how to gain access to code given obfuscation and encryption. The above list of knowledge only brushes the surface of the challenges of mastering pen testing. Very little of hacking is point-and-click.
Each skill acquired is hard won. Many hackers or security researchers have a basic understanding of testing all vulnerabilities, but choose one area as their “specialty.” For example, testing XSS vulnerabilities can be an area of expertise that a hacker chooses to master.
Mastering the art of hacking is a difficult task. If you still don’t believe me, I know an individual who is trying to move from being a sysadmin to penetration testing — and I respect his passion and dedication. He is sharing his struggles of becoming a pen tester through blogging.
Using a Tetris analogy for XSS
Let’s break it down — say that XSS is the light blue Tetris block. {And make note, there ARE times when all you need is a light blue block in Tetris}
Tetris: It’s time to play
You could potentially play a whole game successfully if you only had light blue blocks. Just like you could play a game successfully with solely dark blue blocks — but that’s just not how a company’s attack surface works.
Your company’s attack surface is made up of a variety of colors and shapes — and is much wider than the 10 block row that makes up Tetris. Not only that, but your pieces are constantly changing color and shape with every little change made to your IT environment. For example, making a small change to your software code can result in new vulnerabilities you have little knowledge about.
Testing your company’s attack surface requires playing some real-life Tetris. You need to look at the blocks you have and be able to utilize the relevant shapes and colors. If you hire any average pen testing company to play your game of Tetris you might get some experts in red blocks, green blocks, and light blue blocks — but they may have very limited skills in orange blocks. Maybe your company’s Tetris game has a lot of orange blocks. Then the red, green, and light blue block experts are not really going to assist your company in the best possible way — and it’s “game over” for you.
The true value of crowdsourced pen testing
This is the true value of crowdsourced pen testing. When you crowdsource security researchers you are able to gain access to experts who fit your company’s specific needs. If your Tetris game is comprised of mostly orange, light blue, and green blocks then you should have experts in those areas. Of course they will be knowledgeable in all areas, but hold expertise in security aspects that are most relevant to your business. These researchers will be able to come in and turn incoming blocks to help remove those pesky rows that make your attack surface unmanageable if the vulnerabilities keep stacking up everywhere. In my opinion, crowdsourced pen testing gives a business the most optimal people to ensure that the bottom rows keep being consistently removed and rewarding your company with points. Removing a row in Tetris translates directly to a risk mitigated which translate to a measurable and reportable business benefit — and metrics make CISOs and executives happy.
Interested in seeing how a crowdsourced pen test can help your business? Schedule a demo with Cobalt today!
—
Check out other posts by Cobalt If you want to learn more about Pentest as a Service (PtaaS) or learn more about our customer's experience saving time and money using the Cobalt Pentest as a Service (PtaaS) platform.