{"id":1938,"date":"2019-05-16T07:28:22","date_gmt":"2019-05-16T05:28:22","guid":{"rendered":"https:\/\/www.swisscyberstorm.com\/?p=1938"},"modified":"2019-05-16T07:47:12","modified_gmt":"2019-05-16T05:47:12","slug":"embracing-the-hackers","status":"publish","type":"post","link":"https:\/\/www.swisscyberstorm.com\/2019\/05\/16\/embracing-the-hackers\/","title":{"rendered":"Embracing the Hackers"},"content":{"rendered":"

Engaging penetration testers to gauge the security of existing online services has become standard practice in our industry in Switzerland. Established services and new offerings alike are tested in order to uncover hidden bugs or to raise awareness of security problems that often go unnoticed by management or developers.<\/p>\n

But of course, there is more to security than a pen-testing contract from time to time. It has to be part of a comprehensive application security program together with other elements. Yet some of the standard elements of successful security programs are missing across the board in the Swiss context: bug bounties and related initiatives, which very few companies use as tools in their security programs.<\/p>\n

I think it is typically Swiss to take penetration testers under contract and have them attack dedicated systems after a detailed scoping workshop. Yet people lack the trust and self-confidence it takes to open up and allow anonymous security researchers to attack production services to complement the picture.<\/p>\n

That self-confidence is rare around here. That’s why bug bounties are rare in Switzerland, and this leads to several problems:<\/p>\n