Bugcrowd launches Attack Surface Management platform

The new platform provides an extra layer of testing by sending its findings to Bugcrowd's crowdsourced security testing tools.

Crowdsourced security platform vendor Bugcrowd today rolled out Attack Surface Management, an asset discovery and prioritization tool aimed at reducing enterprises' security risks from legacy and shadow IT resources by identifying and securing unknown assets.

Bugcrowd Attack Surface Management emphasizes cutting down attacks on enterprises' shadow IT resources, meaning hardware or software used by employees that is not authorized or approved by the IT department, according to the company.

Gartner has estimated that by 2020, one-third of successful attacks on enterprises would be on data located within shadow IT. According to a blog post by Laurence Goasduff of Gartner, enterprises can reduce risks by carrying out regular security assessments to gain better visibility of their assets.

Bugcrowd's new asset discovery and prioritization tool can assess organizations' security postures and identify unknown or unprioritized assets to prioritize them based on the level of risk, according to Bugcrowd. To test these findings one more time, the tool migrates them to Bugcrowd's crowdsourced security testing programs. Finally, the platform provides organizations with reports of the risks, the method for attribution and recommendations for securing identified assets.

"Customers looking for IT asset discovery tools typically focus on whether the tool is able to find as much of the hardware and software deployed within their environment as possible," said Roger Williams, an analyst at Gartner. However, organizations should also make sure that the product can identify the specific types of features they need for each item, he added.

Williams said the main challenges related to IT asset discovery that customers face today include increased demand for data; new technologies that require different techniques than traditional PC and data center systems; a fast pace of change, which makes maintaining an IT asset inventory difficult; and increased needs to limit access and functionality, which affect IT asset discovery performance. "While many vendors have made strides in these directions, there is no product in the marketplace that can meet all of these challenges for all customers," he said.

Bugcrowd Attack Surface Management features include:

  • Hacker selection: Selects appropriate security researchers from a global network of vetted white hat hackers
  • Mapping and attribution: Identifies assets that belong to your organization
  • Risk-based prioritization: Determines level of risks with data from Bugcrowd managed programs
  • Reporting: Reports ranked risks, attribution method and proposals for next steps

Attack Surface Management is available at a set price, with rewards for researchers already included. This one-time pricing differs from the pricing model of other Bugcrowd products, which often entails a separate bounty pool, according to Bugcrowd CTO Casey Ellis.

Competitors of Bugcrowd include Applause and Synack. Applause's security testing offers risk evaluation by white hat hackers, bug reports, risk assessment and a remediation plan; findings by the platform are stored and transferred through encrypted channels, according to the company. Synack's platform uses crowdsourcing and an AI scanner to detect vulnerabilities and complete organizations' security checklists.
