Vendors of digital products should of course prioritise security testing and vulnerability management for the sake of their users and their own reputation.
Now they have 36 months to do so to the standards set by the EU Cyber Resilience Act (CRA) if they want to sell their software or hardware inside the world’s largest trading bloc. 🇪🇺
The CRA has just been published in the EU’s Official Journal, kickstarting a three-year countdown to full compliance. Covering everything from laptops to smart TVs, the law was introduced primarily to address “widespread vulnerabilities and the insufficient and inconsistent provision of security updates to address them”. 📱 Following our vulnerability testing/management explainer for NIS 2 after it came into force last month, we’ve now summarised the new vulnerability-focused CRA rules, which advocate Bug Bounty Programs. 🐞
Bug Bounty growth forecasts
Next on our latest CrowdSecWisdom roundup of OffSec insights (originally published as a LinkedIn newsletter), the global Bug Bounty market is forecast to grow at a compound annual growth rate (CAGR) of nearly 16% between now and 2032 – up from $1.52 billion to $4.95 billion. 📈 Business Research Insights attributes its prediction to “growth and demand returning to pre-pandemic levels”, as well as organisations needing to “regularly test their IT infrastructure” given “constantly evolving” tech stacks and the fact “a hacker could potentially destroy a company's reputation in a matter of minutes”. It also notes that, while Bug Bounty has traditionally been dominated by the software development industry, recent growth has also been fuelled by increasing adoption by governments and large corporations.
“Many advantages, including inexpensive pricing based on output, software testing in real-time, scalability, and device and geographic coverage, can be obtained through crowdsource testing,” writes Business Research Insights in a separate but related report that notes how crowdsourced security testing is growing particularly fast in the overall software testing market. 🧐
Coincidentally, Research and Markets has released its own forecast for the global security testing market, anticipating 24.7% CAGR until 2029, in part due to AI development that will “make anomaly detection and vulnerability prediction more reliable”. 🤖 Application security testing is the fastest-growing segment, says the report, while “the healthcare vertical holds the largest market share in the security testing market due to its critical need for stringent security measures”. 🏥
‘Clean up after yourselves’
Intriguing one for red teamers now: The Stack has distilled details of a CISA red team engagement where they compromised a critical national infrastructure entity through a web shell “left from a third party’s previous security assessment”. 😬 CISA (the US Cybersecurity and Infrastructure Security Agency) wrote that leadership of the entity “deprioritized the treatment of a vulnerability their own cybersecurity team identified, and in their risk-based decision-making, miscalculated the potential impact and likelihood of its exploitation.” About the previous engagement's oversight, the head of research and discovery at Google threat intelligence posted on X: “I've seen too many red team screw ups like this [...] Stay humble and clean up after yourselves.” An infosec consultant also posted: “CISA red teaming exercise reports have been stellar in the past, but this newly released one is a really great read.” 📚
VDPs mandated for US federal contractors
A bill that would require US federal contractors to implement NIST-compliant vulnerability disclosure policies (VDPs) has moved a step closer to becoming law after clearing a key Senate panel, Cyber Scoop reports. Civilian federal agencies are already required by law to have VDPs, and it seems the same will soon apply to federal contractors, given the bipartisan support for the Federal Contractor Cybersecurity Vulnerability Reduction Act. 🏛️
We conclude our roundup of useful OffSec content beyond our own output with these three interesting articles:
- Open source security myths debunked – interview with Canonical CISO Stephanie Domas on Help Net Security
- Best Linux distros for privacy and security of 2024 – by TechRadar Pro
- The CISO paradox: With great responsibility comes little or no power – by TEN18 CISO Tyler Farrar on CSO
Triage chief on keeping hunters and customers happy
“Giving Bug Bounty customers clear, relevant and actionable vulnerability reports gives them confidence in the process,” says Adrien Jeanneau, who heads up YesWeHack’s in-house triage team. Speaking in an interview published on our blog, Adrien reflects on how the triage team strives to facilitate a “virtuous circle” 🔄 by keeping both customers and bug hunters happy, as well as discussing the role of automation, prioritising vulnerability reports by severity and impact, and beating YesWeHack’s first-response SLA by a wide margin. 🔥
Mapping your attack surface
How does an organisation identify – let alone secure – its proliferating internet-facing assets amid tight budgets and increasing cyber-attacks? 🤔 In the first of a new series of articles about attack surface management, we explain the process of mapping your attack surface and make the case for implementing Continuous Threat Exposure Management (CTEM) to achieve a unified, comprehensive and real-time overview of your exposed vectors. 🚀
“We’ve had around 20 really serious reports that we would never get from a traditional pentest,” said the subject of our latest customer story writeup. 🔥 Transcribed from a video interview we’ve posted previously, this interview sees Erik Täfvander, head of cybersecurity at Swedish betting company ATG, reflect on the intrinsic benefits of Bug Bounty, recall how ATG fine-tuned its approach to crowdsourced security testing, and offer his peers in other organisations some OffSec advice. 💎
Meet us at Black Hat Europe
As the year draws to a close, our 2024 events calendar concludes this week with Black Hat Europe (11-12 December, London). 🇬🇧 Finally, we’re also proud sponsors of the Bug Bounty Village at the upcoming Hackers2Hackers Conference (H2HC) in Brazil (14-15 December, São Paulo). 🇧🇷
Read this monthly roundup even sooner by subscribing to CrowdSecWisdom – our LinkedIn newsletter curating news, insights and inspiration around offensive security topics like Bug Bounty, vulnerability disclosure and management, pentest management and attack surface protection.
Are you a bug hunter or do you have an interest in ethical hacking? Check out our ethical hacking-focused sister newsletter, Bug Bounty Bulletin – offering hunting advice, interviews with hunters and CTF-style challenges, among other things.