Crowdsourced bug bounties are common, but startup Cobalt Labs is now crowdsourcing penetration testing as well.
Cobalt Labs is aiming to grow its crowdsourced approach to security testing with a new round of seed funding, announced Aug. 17.
The $1.5 million seed round was led by eLab Ventures and included the participation of Tim Draper with Draper Associates.Cobalt Labs has raised a total of $2.5 million since its launch in 2013, initially as a crowdsourced bug bounty program platform.
Although crowdsourced bug bounty programs are still part of the Cobalt Labs platform, the overall idea has now evolved to become a crowdsourced security service, including penetration testing.”Cobalt Labs is in the space of crowdsourced application security,”Jacob Hansen, co-founder and CEO of Cobalt Labs, told eWEEK.The basic idea behind the crowdsourced model is that skilled professionals join the Cobalt Labs platform and participate in various security engagements.
As such, Cobalt Labs doesn’t directly employ the security talent but helps make it available to organizations. Hansen noted that while the company first started out exclusively in the bug bounty space, 75 percent of the company’s revenues currently come from crowdsourced penetration testing.
The idea of running a bug bounty program is not uncommon, and there are multiple companies in the space, including HackerOne and Bugcrowd. Running crowdsourced penetration testing is somewhat of a more novel approach that Cobalt Labs came to after multiple customer engagements for bug bounty programs. With a bug bounty, a company offers a reward (the bounty) to a researcher for finding a vulnerability.
In contrast, with a penetration test, researchers actively probe an organization and its applications, and look for security vulnerabilities, misconfigurations and weaknesses.
Many small and midsize businesses don’t have the security staff to run their own penetration testing exercises, Hansen said. Many of these same businesses find it to be somewhat price-prohibitive to engage with a more traditional security vendor, often with a full-time staff, that provides penetration testing services.”So we saw an opportunity in the market, and we started to scope out our product,” Hansen said.With the Cobalt Labs crowdsourced penetration test approach, for example, three researchers can be tasked for two weeks to engage with a client. One of the researchers will be the lead and will have multiple security certifications.
The other two will be specific domain experts, depending on the engagement.
So, for example, if Cobalt Labs is engaged in a penetration testing exercise for a mobile iOS application, iOS security experts will be brought in.”We have thousands of researchers signed up on our platform,” Hansen said.The researchers will spend time doing what is known as “black box” testing, which analyzes the functionality of a given target without having access to source code. Hansen said that Cobalt Labs does not mandate that its crowdsourced researchers use specific tools as part of any given penetration test.
The research lead will provide a report on the findings, which is made available on Cobalt Labs’ platform.
The Cobalt Labs platform then enables the client to collaborate with the researcher on identified issues and how to fix them.From a competitive positioning perspective, Cobalt Labs aims to be at least 20 to 50 percent cheaper than other options for penetration testing, Hansen said.”We have access to global talent, and we have a platform that manages the whole engagement and can be integrated into IT issue management systems,” Hansen said.Sean Michael Kerner is a senior editor at eWEEK and InternetNews.com.
Follow him on Twitter @TechJournalist.