CrowdSecWisdom #7

OffSec insights for CISOs

Welcome to the seventh edition of CrowdSecWisdom from YesWeHack – curating offensive security insights from our own blog and elsewhere for CISOs, security teams and security-conscious devs. 🛡️💻

We start with big news with global implications on the regulatory front: the NIS 2 Directive has entered into force and the EU Cyber Resilience Act (CRA) has been adopted by the European Commission. 🇪🇺 With market access to the world’s largest trading bloc contingent on compliance, and multimillion-euro fines among the potential penalties for violations, CISOs from around the world will be paying attention. 🚨

Read our new guide to the security testing and vulnerability management dimensions of NIS 2, which introduces wide-ranging requirements for member states and ‘essential’ or ‘important’ services. We’re publishing a guide to the CRA, which applies to vendors of products with digital elements (PDEs), soon. 📱 These laws form key planks of the EU’s recent drive to upgrade its cybersecurity framework. The emerging framework, in common with cyber laws emerging elsewhere in the world, has many prescriptions and recommendations for undertaking activities we happen to be experts in: understanding and minimising your attack surface, proactively and continuously finding vulnerabilities, and adopting a risk-based approach to their remediation. 😉

Outsourcing on the rise for cyber skills

The ongoing global shortage of cybersecurity skills helps to explain why spending growth on security software and services is outstripping that of recruitment and staffing. 📈 That’s according to a story in CSO, which points out that Gartner expects security service spending to increase 15.8% next year, while IDC forecasts a global CAGR of 12.2% between 2023 and 2028 for managed security services. As CSO senior writer John Leyden writes, “CISOs are turning to managed security services to take advantage of seasoned practitioners that they would struggle to hire and retain internally.” 👨💻

With security teams growing more slowly than attack surfaces, we believe growing demand for Bug Bounty is partly fuelled by the same dynamics. Even if the skills shortage were magically addressed tomorrow, no organisation can realistically recruit the tens of thousands of ethical hackers that are available to them when they launch a Bug Bounty Program. Relatedly, Foundry’s 2024 Security Priorities Study found that 22% of new vulnerability assessment roles are outsourced. 🕵️

TeamViewer's Bug Bounty story

Bug Bounty is beating pentesting in terms of both the breadth of skills available and the depth of their deployment, TeamViewer’s senior project manager for security, Michael Gillig, says in our latest customer success story. In this interview Michael marvels at the Bug Bounty discoveries missed by pentesting, lauds YesWeHack’s triage team and recounts how TeamViewer, whose remote access/control software is installed on more than 2.5 billion devices worldwide, has grown and fine-tuned its program since launch. 🛡️

We recently collaborated with another instantly recognisable brand, the makers of Ferrero Rocher and Kinder Surprise no less, in the successful delivery of Italy’s first-ever live hacking event. 🍫 Read what Ferrero, one of the world's largest sweet-packaged food companies, made of the event, and watch highlights from this live Bug Bounty below.

CISA extols virtues of VDPs

The US Cybersecurity and Infrastructure Security Agency (CISA) has released new figures about the performance of its Vulnerability Disclosure Policy (VDP) platform. “Since launching in 2021, the VDP Platform has triaged over 12,000 submissions (over 7,000 in 2023) on behalf of 51 onboarded agency programs, saving agencies a significant amount of time and resources,” the annual report disclosed. “Over 2,400 unique, valid vulnerability disclosures have been identified, of which nearly 2,000 have been remediated by agencies. Since launch, over 3,200 security researchers have participated.” VDPs, as we’re rather fond of reminding our readers, offer numerous benefits and are increasingly a compliance must-have rather than a nice-to-have. 🛡️

Shoutout to CSO this month since we’re going to recommend a further two reads from the publication. First, there’s a warning to CISOs from Microsoft about the need to defend their organisations against the growing threat posed by generative AI in creating and distributing malware, phishing lures and deepfake videos. 🤖 And second, a look at the 5 cybersecurity issues at stake ahead of the US election 🗳️ including the impact on cyber-warfare with Russia, China, North Korea, and Iran; how regulatory requirements might be enforced; and, rather contentiously, the potential breakup of CISA. 😲

Unlock your brain; harden your system

We’ll wrap up with our usual summary of upcoming conferences and other events in which YesWeHack is participating. First up is ECSO’s Annual CISO Meetup (Vienna, Austria; 4-5 November) followed by the fantastically named ‘Unlock Your Brain, Harden Your System’ (Brest, France; 8-9 November) and Ekoparty (Buenos Aires, Argentina; 13-15 November). 📅

Our presence at Ekoparty is particularly notable. As well as showcasing our solutions on booth 10, we will deliver a Live Bug Bounty, and with it significant security benefits in a short space of time, to an as-yet unnamed brand. 🚀 Learn about the benefits of live hacking events to the organisations providing the targets.

PS. Are you a bug hunter or do you have an interest in ethical hacking? Check out our ethical hacking-focused sister newsletter, Bug Bounty Bulletin – offering hunting advice, interviews with hunters and CTF-style challenges, among other things.

PPS. This isn’t the only way to keep track of YesWeHack content about industry trends, relevant legislative developments and live hacking events. You can also follow us on X/Twitter and LinkedIn.
