Security teams should note two fresh milestones in the EU’s regulatory framework, begins our latest CrowdSecWisdom roundup of OffSec insights (originally published as a LinkedIn newsletter). 🇪🇺
The last month has seen the NIS 2 Directive enter into force and the EU Cyber Resilience Act (CRA) be adopted by the European Commission. With market access to the world’s largest trading bloc contingent on compliance, and multimillion-euro fines among the potential penalties for violations, CISOs from around the world will certainly be paying attention. 🚨
In light of this, we have published a new guide to the security testing and vulnerability management dimensions of NIS 2, which introduces wide-ranging requirements for member states and providers of ‘essential’ or ‘important’ services. We’re publishing a guide to the CRA, which applies to vendors of products with digital elements (PDEs), soon. 📱 These laws form key planks of the EU’s recent drive to upgrade its cybersecurity framework. That framework, in common with cyber laws emerging elsewhere in the world, contains many prescriptions and recommendations for activities we happen to be experts in: understanding and minimising your attack surface, proactively and continuously finding vulnerabilities, and adopting a risk-based approach to their remediation. 😉
Outsourcing on the rise for cyber skills
A story published in CSO suggests the ongoing global shortage of cybersecurity skills helps to explain why spending growth on security software and services is outstripping growth in recruitment and staffing. 📈 The article points out that Gartner expects security service spending to increase 15.8% next year, while IDC forecasts a global CAGR of 12.2% between 2023 and 2028 for managed security services. As CSO senior writer John Leyden writes, “CISOs are turning to managed security services to take advantage of seasoned practitioners that they would struggle to hire and retain internally.” 👨🏼‍💻
With security teams growing more slowly than attack surfaces, we believe growing demand for crowdsourced security testing is partly fuelled by the same dynamics. And even if the skills shortage were magically addressed tomorrow, no organisation will ever have the kind of internal OffSec resources it can access by launching a Bug Bounty Program – namely the diverse skills of tens of thousands of ethical hackers. Relatedly, Foundry’s 2024 Security Priorities Study found that 22% of new vulnerability assessment roles are outsourced. 🕵️
CISA extols virtues of VDPs
The US Cybersecurity and Infrastructure Security Agency (CISA) has released new figures about the performance of its Vulnerability Disclosure Policy (VDP) platform. “Since launching in 2021, the VDP Platform has triaged over 12,000 submissions (over 7,000 in 2023) on behalf of 51 onboarded agency programs, saving agencies a significant amount of time and resources,” the annual report disclosed. “Over 2,400 unique, valid vulnerability disclosures have been identified, of which nearly 2,000 have been remediated by agencies. Since launch, over 3,200 security researchers have participated.” VDPs, as we’re rather fond of reminding our readers, offer numerous benefits and are increasingly a compliance must-have, not just a nice-to-have. 🛡️
Now that Donald J Trump is confirmed as the president-elect for a second time, there’s a lot of uncertainty about his agenda for funding CISA and for policies related to cybersecurity. Writing in Nextgov/FCW, cyber reporter David DiMolfetta gives a decent summary of the fears (notably about budget cuts) and the more positive takes (for instance, cyber has recently been one of vanishingly few bipartisan issues) expressed by current and former government officials. 🤔
There’s a warning to CISOs from Microsoft, also published in CSO, about the need to defend their organisations against the growing threat posed by generative AI in creating and distributing malware, phishing lures and deepfake videos. 🤖
TeamViewer's Bug Bounty story
Back to our own output: Bug Bounty beats pentesting in terms of both the breadth of skills available and the depth of their deployment, in the view of TeamViewer’s senior project manager for security, Michael Gillig, as expressed in our latest customer success story. In this interview Michael marvels at the Bug Bounty discoveries missed by pentesting, lauds YesWeHack’s triage team and recounts how TeamViewer, whose remote access/control software is installed on more than 2.5 billion devices worldwide, has grown and fine-tuned its program since launch. 🛡️
We recently collaborated with another instantly recognisable brand, the makers of Ferrero Rocher and Kinder Surprise no less, in the successful delivery of Italy’s first-ever live hacking event. Read what Ferrero, one of the world's largest sweet-packaged food companies, made of the event, and watch highlights from this live Bug Bounty below. 🍫
Unlock your brain; harden your system
Our next live Bug Bounty is imminent, taking place at Ekoparty in Buenos Aires, Argentina this week. The two-day competition, running on 14-15 November, will help an as-yet-unnamed brand (unmasked when the event kicks off) significantly harden its digital assets thanks to the dozens of vulnerabilities routinely reported during these events. Our team will discuss our platform at booth 10 throughout the three-day Ekoparty event. Learn about the benefits of live hacking events for the organisations providing the targets. 🚀
Read this monthly roundup even sooner by subscribing to CrowdSecWisdom – our LinkedIn newsletter curating news, insights and inspiration around offensive security topics like Bug Bounty, vulnerability disclosure and management, pentest management and attack surface protection.
Are you a bug hunter or do you have an interest in ethical hacking? Check out our ethical hacking-focused sister newsletter, Bug Bounty Bulletin – offering hunting advice, interviews with hunters and CTF-style challenges, among other things.