Traditional penetration testing firms have been pushed out of what was once a profitable niche market as crowdsourced security has moved to the forefront. The question now is how crowdsourced penetration testing stacks up against traditional penetration testing, and how the two processes differ.
This article will show you a side-by-side comparison of the two, relative to five key factors.
1. Costs: Paying per Test vs. Paying per Vulnerability Found
Traditional pen testing has beaten crowdsourced security on cost, at least for the time being. Because you pay by the day, and a typical website takes four to five days to scan, you know precisely how much you will spend upfront, regardless of how many flaws and inconsistencies are discovered. By contrast, the cost of a crowdsourced pen test can fluctuate: you pay both a platform fee and a price per vulnerability found, so the total can add up quickly. To avoid painful surprises, you can turn to WhiteJar: no platform fees, and costs calculated upfront.
2. Vulnerabilities: Are All Vulnerabilities Found Actually Exploitable?
The "pen-tester syndrome", the tendency to make findings appear worse than they are, is prevalent in traditional pen testing. In a crowdsourced pen test, by contrast, only exploitable flaws with an actionable proof of concept are reported. This keeps firms from chasing phantom risk and directs their remediation efforts where they are most needed.
3. Assets: Can Internal Assets Be Tested Effectively?
In a traditional pen-testing engagement, if you want someone to test from "within" your network, the pen tester physically comes to your office and plugs in their laptop. In a crowdsourced engagement it can get complicated: some engagements require VPN or proxy configurations, and you normally work in a test environment rather than the live one with real users. That raises the cost for businesses, especially when it has to be set up for dozens of testers rather than just one.
4. Frequency: Constant Testing vs. Scheduled Testing
One of the drawbacks of penetration testing today is that it does not keep up with the pace at which new applications are developed.
Crowdsourced pen testing is often open-ended, which matches how today's apps are developed and, more importantly, how attackers operate. A traditional pen tester does not have the flexibility to spend three to four months studying one of your assets at leisure. Crowdsourced pen testers do, and it shows: they uncover potentially serious issues on live sites they have been testing for years.
5. Compensation: Does Tester Compensation Coincide with Effectiveness?
Although rarely explored, there is a significant distinction between crowdsourced and traditional pen tests regarding how people get compensated.
In a traditional pen test, the work is done by a salaried professional who is paid and reimbursed whether or not they find vulnerabilities. For crowdsourced pen testers, it depends on many factors, for example the policy of the platform they work for. WhiteJar is powered by AppQuality's community (the Crowd), which means testers are paid when they complete a test campaign (in this case, when they find a vulnerability). Beyond that, they can earn more than the agreed amount if they find critical issues or the highest number of vulnerabilities among all the testers involved in the campaign.
Both crowdsourced and traditional pen testing have advantages and disadvantages, so which is better ultimately depends on the constraints of your budget and environment.
If you want to know more, visit WhiteJar.io.