BrightNight recap - Things that go bump on the web

October 12, 2023

Bart Taelemans

On occasion we all run into bugs on websites and web applications. Usually, those bugs are functional. But from time to time, you might inadvertently encounter a security vulnerability. Let’s take an example from the olden days of the internet, when most web shops weren’t as mature as today. You could get away with little tricks like entering a negative number in the quantity field of a product in your shopping basket to get the product for free. After all, who doesn’t like free stuff?
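The negative-quantity trick works only when the server trusts the quantity (and often the price) sent by the browser. As an added example (not code from the talk or from Intigriti), here is a constructed cart total that has that flaw next to one that recomputes the total from a server-side catalogue and rejects anything but a positive integer quantity; the SKUs, prices and `MAX_QTY` limit are made up for the illustration.

```python
from decimal import Decimal

# Constructed catalogue: prices are looked up server-side, never taken from the client.
CATALOG = {"sku-100": Decimal("19.99"), "sku-200": Decimal("5.00")}

MAX_QTY = 99  # hypothetical per-line limit; a real shop would tune this per product


class InvalidCart(ValueError):
    """Raised when a submitted cart fails validation."""


def total_unvalidated(items):
    """The flawed version: trusts client-supplied price and quantity as-is."""
    return sum(Decimal(str(i["price"])) * Decimal(str(i["qty"])) for i in items)


def total_validated(items):
    """Hardened version: price comes from the catalogue, quantity must be 1..MAX_QTY."""
    total = Decimal("0")
    for item in items:
        sku = item.get("sku")
        qty = item.get("qty")
        if sku not in CATALOG:
            raise InvalidCart(f"unknown sku {sku!r}")
        # bool is a subclass of int in Python, so exclude it explicitly;
        # strings and floats are rejected too, rather than coerced.
        if isinstance(qty, bool) or not isinstance(qty, int):
            raise InvalidCart(f"quantity must be an integer, got {qty!r}")
        if not 1 <= qty <= MAX_QTY:
            raise InvalidCart(f"quantity {qty} out of range 1..{MAX_QTY}")
        total += CATALOG[sku] * qty
    return total


def is_valid_cart(items):
    """Convenience wrapper: True if the cart passes validation, False otherwise."""
    try:
        total_validated(items)
        return True
    except InvalidCart:
        return False


if __name__ == "__main__":
    # Constructed request: one honest line and one with a negative quantity.
    cart = [{"sku": "sku-100", "price": 19.99, "qty": 2},
            {"sku": "sku-200", "price": 5.00, "qty": -8}]
    print("unvalidated total:", total_unvalidated(cart))  # negative: shop pays the customer
    print("validated cart ok?", is_valid_cart(cart))      # False
```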


We are all hackers

This was the first example in an interesting session by Stijn Jans, CEO and founder of Intigriti. He went on to demonstrate that we are all hackers in one way or another. If you define hacking as using something in a different and creative way to achieve a goal that was not its intended purpose, you could say we all use life hacks. This could go from manipulating a web application like the example above, to real-life scenarios like stretching an elastic band across an open paint can so you can wipe off excess paint on the band, keeping the can clean for easy resealing. Not the intended purpose of elastic bands, that’s for sure.


Penetration testing vs. crowd hacking

Stijn went on to explain the difference between penetration testing and crowd hacking. Intigriti provides a platform for companies to start a bug bounty program, where they allow ethical hackers from all over the world to test their web applications, in return for a bounty if a security issue is found. This differs from a one-off penetration test because bug bounties are continuous. Among other things, this ensures that the application under test is always the latest production version, whereas a conventional penetration test is a snapshot at a single point in time. If new features are added immediately after the test, you should, in theory, redo the test. However, both types of testing should go hand in hand; before entering a bug bounty program as a company, it is advisable to have a penetration test first, with both automated scanning and manual testing, to catch easily detectable vulnerabilities that you wouldn’t like in production. If you skip this step and go straight to a bug bounty platform, it is highly likely you will burn through your bug bounty budget in no time, on money you might as well have spent on a penetration test by a professional.


Automated scanning vs. manual testing

This leads us to a final, interesting distinction: automated scanning versus manual testing. You might say, we’ll just run an automated scan and we’re fine. But scans usually barely scratch the surface. They’re good for catching low-hanging fruit but finding more exotic vulnerabilities or chains of vulnerabilities requires some creativity from a human being. Artificial intelligence might start playing a role in this, but this requires substantial amounts of data, which a single cybersecurity professional or bug bounty hunter usually doesn’t have access to. Companies like Intigriti do have large sets of data of course, so it is likely only a matter of time before AI starts becoming more prominent in the cybersecurity world. But for now, manual testing remains indispensable in securing your applications, whether in a penetration test or a bug bounty program.

So happy hacking to you!
