Interviews | March 19, 2024

Crowdsourced Security Brings Diversity of Approaches to Risk Mitigation


Bugcrowd | Pentera | Upwind

Nicholas McKenzie
Chief Information & Security Officer

Bugcrowd

Q1. With more crowd-sourced/freelance security talent available, how should organizations balance the use of independent researchers vs. training in-house staff? What are some of the considerations they need to keep in mind when doing this?

We all know there is a global shortage of skilled cybersecurity people, so there is always the chance your trained person will leave for a better offer, made more employable thanks to the skills you have invested in giving them.

That aside, unless you are a very large organization, any in-house person must to some extent be a jack (or a jill) of all trades. With crowd-sourced/freelance talent you can get people with the right specific skill on a permanent part-time basis, perhaps to look after a system that is particularly critical, or on a short-term contract to work on a particular project.

For example, on the Bugcrowd Platform we classify our ethical hackers into five distinct roles (individuals can and do change roles over time). The Bugcrowd Platform’s CrowdMatch technology selects the hackers that best meet the customer’s needs for the project using hundreds of different parameters.

Crowdsourcing security expertise brings diversity of outlook, approach and experience. Crowdsourced security draws in hackers of different ages and backgrounds living all over the world. Together they are a formidable group that can provide far more creativity and more comprehensive testing to an organisation’s security needs.

There is no way an in-house team could be so finely tuned to the needs of a particular project.

Q2. In your role, how do you see Bugcrowd's community engagement evolving in the future, and what benefits will it likely bring to both Bugcrowd and the broader cybersecurity community?

When our founder, Casey Ellis, launched Bugcrowd in 2012 his vision was to leverage the creativity of individuals to meet the challenges organisations face in protecting themselves from cyber-attacks, and to fill the gaps in cybersecurity.

And we have been very successful in translating that vision into how we provide security services and expertise.

How that vision is realized in practice has evolved enormously in the past decade, but it is still what drives Bugcrowd today. I’m not going to reveal any specific initiatives in the pipeline, but clearly the security landscape is evolving rapidly: new threats emerge almost daily, creating new market opportunities for services and for the expertise to address them.

Our aim is to have a finely tuned market radar: to spot trends, their impacts and the demands they place on security expertise as early as possible, make sure we have access to the best expertise to tackle these, and have the right systems to find, engage with and deploy this expertise to meet our customers’ security challenges.

We can already see gaps in the market. We have the team, the platform, and the organisation, and, thanks to our recent US$102M equity injection, the financial resources to address these gaps and meet market needs.

Q3. What are some of Bugcrowd's objectives for participating at Black Hat Asia 2024? How does Bugcrowd plan on engaging with industry professionals, potential clients, and the broader cybersecurity community at the event?

Asia is an extremely important market for Bugcrowd, where we see huge potential for growth. Our prime objective for attending Black Hat Asia 2024 is to raise our profile across the Asia Pacific region, meet with existing clients in the region, engage with new prospects, plus continue to build and nurture relationships with our crowd-sourced security community.

We’ll be sponsoring the networking lounge at Black Hat Asia. It’s in the business hall and is a great place for attendees to network, enjoy food and beverages and conduct meetings in a relaxed setting.


Michael Tan
VP, Asia Pacific & Japan

Pentera

Q1. Pentera has been expanding its presence in the Asia-Pacific and Japan region. What is your company's approach to localization and adaptation of your technology to meet the specific needs of customers in different countries in this market?

Every country has its own unique requirements and for that reason Pentera has invested a lot into building our local teams. We’ve more than doubled our team in APAC since last year, and our local presence is not merely a sales hub.

Pentera has built each global region to function as an independent entity, able to provide everything from personalized planning sessions to technical support. The bonus is that while our customers maintain that small company intimacy with our local team, they also benefit from the huge amount of expertise our global team has built across our 1000 enterprise customers. At this point there’s no use case or deployment that Pentera has not encountered, and our team is able to ensure a high level of performance regardless of your industry and what your IT environment looks like.

Q2. Automation and artificial intelligence are becoming integral in cybersecurity. How is Pentera leveraging these technologies to enhance the efficiency and accuracy of penetration testing?

Pentera harnesses automation to revolutionize security validation for organizations, enabling them to keep pace with the rapid transformations in today's IT ecosystems.

Today’s security leaders must manage a constantly evolving attack surface and a dynamic threat environment. Deployments change so frequently that something secured only a few days ago may already be vulnerable today. On top of that, adversaries are constantly introducing new attack techniques, and not all companies have internal Red Teams or unlimited security resources to stay on top of the latest threats.

According to Pentera’s State of Pentesting survey, most organizations still rely on annual or biannual pentests as their primary security validation practice, but these are not sufficient for the scale and speed of our modern IT environments. You can’t validate that your security will work in the moment of truth if you only test once or twice a year. If you want to maintain a strong security posture, you need to test yourself continuously.

Pentera has introduced a new paradigm for security validation, providing security teams with a real understanding of their resilience to cyberattacks. Emulating real threat actors, Pentera provides security teams with the tools to continuously challenge their existing cybersecurity controls. Our platform pinpoints exploitable gaps within your IT environment and generates an actionable roadmap to reduce real security exposure. With our on-demand testing, security teams don’t need to wait for a third-party pentester to validate. They can test any use case at any time to ensure that their security will stand up to hackers.

Q3. How does Pentera plan on using its presence at Black Hat Asia 2024 to engage with customers and other organizations at the event? Are there any Pentera talks, events or networking activities that you are particularly excited about?

We’re always very excited to get the chance to interact with our security ecosystem and learn from others’ experiences. I think that one of the talks that I am most looking forward to is Paul Gerste’s “Stealing With Style: Using CSS to Exploit ProtonMail & Friends.” At Pentera we are focused on security validation through attack emulation, and the vulnerability research that Paul is set to present sounds like it’s something that people should know about. Understanding the hacker's perspective empowers security teams to significantly upgrade their defenses.

This is also the topic that Pentera will be presenting at the conference. As our IT environments continue to grow in complexity, our attack surface grows in tandem. With so many potential weak points to address, security teams are overloaded and overworked. Already one of the most attacked regions, APAC witnessed a substantial 15% YoY increase in attacks according to Check Point’s research. With the average organization in APAC experiencing almost 2000 attacks per week, security teams cannot afford to be inefficient with their remediations if they are going to keep the hackers out.

Automated Security Validation and the threat actor mindset are crucial for identifying and addressing the most pressing vulnerabilities that could be exploited by attackers. By emulating real-world attack scenarios, teams can uncover which weaknesses threat actors can exploit within their systems. This understanding allows us to better prioritize remediation efforts based on true exposure, ensuring that the most critical security gaps are addressed before our adversaries have a chance to use them.


Amiram Shachar
CEO

Upwind

Q1. What emerging trends around runtime cloud workload threats and protections are you seeing intensifying demand for CNAPP?

The digital cloud infrastructure footprint of a typical enterprise spans multiple clouds and architectures (traditional apps, modern microservices, managed cloud services, etc.) and multiple infrastructure layers (compute, network, storage, databases, etc.), which requires protection and security beyond external vulnerabilities, including internal threats and dynamic perimeters.

This new operating model of security in the cloud requires collaboration from three groups that often operate in silos: (1) Devs, (2) Sec (security engineers), and (3) Ops (DevOps, platform teams, SREs, etc.).

Usually, it is a small security team that is tasked with overseeing the expansive surface area created by a development team that's often up to 100 times larger.

One major trend that we see is the importance of the cloud runtime environment context. It provides invaluable data, revealing behaviors of applications, real risks, and how threats unfold. This new trend, called “Shift-Right context”, together with proactive “Shift-Left practices”, could make security measures fundamentally more informed, dynamic, and effective.

We see that “Shift-Right context” is more than a data source of workload protection (CWPP/CDR) for incident/response management; it's a lens to see through the noise, prioritizing and streamlining fixes where they're needed most.

By leveraging this runtime context proactively, customers can refine security strategies, ensuring they're not just reactive but truly anticipatory. This wouldn’t merely expand your security capabilities; it would transform them, helping you achieve the goal of comprehensive cloud infrastructure security.

Q2. How does your CNAPP platform strike a balance between automated remediation actions and the involvement of cybersecurity professionals? In what scenarios do you believe human intervention is essential, and how does your technology facilitate that collaboration?

Enterprises normally have a small security team that is tasked with overseeing the expansive surface area created by a development team that's often up to 100 times larger.

Security leaders are increasingly looking to leverage automation to address the challenges of limited headcount and vast attack surfaces. There are security findings that we clearly identify as suitable for automated remediation, while others require human intervention.

The distinction lies in two categories: threats and issues.

Security threats indicate potential security incidents, often involving internal or external attackers. Examples include attempts to encrypt files (ransomware), exfiltrate data, or run malicious software like crypto miners and viruses. Once identified, these threats demand immediate, automated responses, provided they are precise, targeted, and safe for the application. With proper preventive measures and controls, most security teams would agree on the necessity of such automated responses.

Security issues, however, represent different types of findings highlighting weaknesses in overall security hygiene. These include misconfigurations, software vulnerabilities, and overly permissive roles and identities. For these issues, it's crucial to identify, prioritize, and provide clear remediation plans for human execution since quite often, the root cause lies in cloud configuration templates (IaC) or "Shift-Left" Dev/DevOps practices.

Empowering security teams with the full context of the software lifecycle, from build time ("Left") to runtime ("Right"), provides them with unmatched capabilities to quickly identify, prioritize, and resolve issues at the source, preventing them from recurring.

We believe the future of cloud security lies in increased automation, a core focus of our platform. Upon detecting any threat or issue, our CNAPP automatically gathers both runtime and CI/CD context, providing root cause analysis, remediation steps, and runtime insights to help you understand the criticality and how to respond to each risk to your business.

Q3. What are Upwind's plans at Black Hat Asia 2024? What do you plan on highlighting at the event?

At Black Hat Asia 2024, we're excited to connect with security professionals and leaders from leading companies in Asia. We're eager to hear about their security challenges and explore how we can help them transform their cloud security practices.

We'll be highlighting the benefits of a Cloud Native Application Protection Platform (CNAPP) that spans the entire software lifecycle, from build time ("Left") to runtime ("Right"). We'll showcase how combining "Shift-Right context" with proactive "Shift-Left practices" can lead to more informed, dynamic, and effective security measures.

We believe "Shift-Right context" is more than just a data source for incident/response management. It's a powerful lens that helps prioritize and streamline fixes by cutting through the noise and focusing on the areas that need them most.

By proactively leveraging this runtime context, customers can refine their security strategies and move from reactive to truly anticipatory. This doesn't just expand your security capabilities; it transforms them, helping you achieve comprehensive cloud infrastructure security.