Skip to main content

Bug Bounty vs. Security Scanner

 

A lot of folks don't know the difference between a bug bounty program and automated security scans. Here is a cheat sheet to quickly learn the major differences.



Security Scanner

Bug Bounty Program


Synonyms


Web application scanner

Security scanner

DAST



Penetration Testing

Pen Testing

Ethical Hacking

Security Testing

Bug Bounty Programs



Definition


DAST stands for Dynamic Application Security Testing. 


Is the process of testing web, mobile,

and API applications to find vulnerabilities

and security bugs through automated tools




Is the process of finding security bugs through human intelligence.


A security tester might use and modify automated tools to find hard-to-find vulnerabilities.


Code Access


No code access is required.

Most of the tools are language and technology agnostic



No code access is required. Internal technology stack knowledge helps create tailored tests


Live Traffic Access


No access to live traffic is required



No access to live traffic is required


Supported Technologies


Different tools are required for Web, Mobile, REST API, GraphQL testing



Uses all kinds of techniques including, manual web/mobile UI fuzzing, Burp tests for web/APIs, shell scripts, etc.



Common Vulnerabilities Found


SQLi, XSS, Server Configuration, etc.



Zero-day, logic flaws, unauthorized data access, account takeovers, access to PII/financial data, etc.



Pros


Automation means it can run continuously against the dev environment



Finds hard-to-find vulnerabilities


Cons


Limited coverage and finds less-frequently found issues



Done less frequently, most companies perform penetration testing once every 3/6/12 months.



Cost


Low-cost



High-cost


Developer Friendly


Finding are spread across production configuration and code.

Not all findings require developers to fix them.

E.g. server configurations, SSL, etc, require

the DevOps or the production support team to fix it.


The developers hate or don’t get a lot of the suggestions.

Working with developers is a major pain point.



Most findings require developers to fix the issues. 


Most findings are code-related and are regular bugs


Developers get most of the issues and happily add them to their bug list.


Popular Tools


Free API Scanner

https://apisec-inc.github.io/pentest/



Qualys Web app Scanner

https://www.qualys.com/apps/web-app-scanning/



Mobile App Scanner

https://www.ostorlab.co/




Bug Bounty Program

https://www.hackerone.com/


Web app testing

https://portswigger.net/burp/communitydownload



 


Comments

Post a Comment

Popular posts from this blog

JPA 2 new feature @ElementCollection explained

@ElementCollection is new annotation introduced in JPA 2.0, This will help us get rid of One-Many and Many-One shitty syntax. Example 1: Stores list of Strings in an Entity @Entity public class Users implements Serializable {     private static final long serialVersionUID = 1L;     @Id     @GeneratedValue(strategy = GenerationType.AUTO)     private Long id;     @ElementCollection     private List<String> certifications = new ArrayList <String> ();     public Long getId() {         return id;     }     public void setId(Long id) {         this.id = id;     }     public List <String> getCertifications() {         return certifications;     }     pub...
21 comments
Read more

Validating CSV Files

What is CsvValidator ?   A Java framework which validates any CSV files something similar to XML validation using XSD. Why should I use this ?   You don't have to use this and in fact its easy to write something your own and also checkout its source code for reference. Why did I write this ?   Some of our projects integrate with third party application which exchanges information in CSV files so I thought of writing a generic validator which can be hooked in multiple projects or can be used by QA for integration testing. What is the license clause ?   GNU GPL v2 Are there any JUnit test cases for me checkout ?  Yes,  source How to integrate in my existing project ? Just add the Jar which can be downloaded from here  CsvValidator.jar  and you are good. Instantiate  CsvValidator c onstructor which takes these 3 arguements          // filename is the the file to be validated and here ...
7 comments
Read more

Reuse JPA Entities as DTO

Note : Major design advantages of JPA Entities are they can detached and used across tiers and networks and later can by merged. Checkout this new way of querying entities in JPA 2.0 String ql = " SELECT new prepclass2.Employee (e.firstname, e.lastname) FROM Employee e "; List<Employee> dtos = em.createQuery(ql).getResultList(); The above query loads all Employee entities but with subset of data i.e. firstname, lastname. Employee entity looks like this. @Entity @Table(name="emp") public class Employee implements Serializable {     private static final long serialVersionUID = 1L;     @Id     @GeneratedValue(strategy = GenerationType.AUTO)     private Long id;     @Column     private String firstname;     @Column     private String lastname;     @Column     private String username;     @Column ...
11 comments
Read more