Shock horror... Humans used for security validation instead of AI/ML!

As a judge on the Tech Trailblazers awards, I can assure you of two security-related actuality wotsits:

  1. The onslaught of security start-ups is anything but slowing down; this year has seen a record number of entries (and then some).
  2. The same old marketing bollox is being churned out ever more relentlessly, as vendors desperately try to differentiate themselves, regardless of what the product or service actually is or does (sometimes after re-reading for the umpteenth time it’s still not clear what is on offer).

So, it is fair to say I’ve had my fill of “unique approach”, “the only product in the world that…”, “AI is at the heart of…”, “based around machine-learning”, “integrates every aspect of”, “according to Gartner”, “automation is the only way” (even though it is for certain security scenarios – see previous blog entry 😊) and other tarnished golden oldies that continually cropped up in each and every entry. And I mean EACH AND EVERY ENTRY…

It was with some relief, then, that I caught up with a company that is completely BS free, and bases its approach to security on a resource called “people”. These aren’t cyber bots with “personalities” or even those very clever Japanese ‘humanesque’ robots that some mates of mine seem alarmingly attached to, but actual humans – brains, bodies, that kind of thing. The company is Bugcrowd, if you haven’t heard of them, and the focus is firstly on penetration (pen) testing and, on a general basis, 24×7 attack surface management and vulnerability analysis. As it notes on the website, attackers don’t take a day off, so why should you? “Ethical” hackers have been widely used in identifying security issues since Alan Solomon attempted to discover one of his first computer viruses (I was in his house at the time – it involved a 5.25″ floppy disk), so the idea of bringing a crowd of humans together with all the skillsets from both sides of the security divide is simple common sense: here I must refer back to my suggestion at a Netevents back in 2014, that CSaaS (Common Sense as a Service) was surely the best security platform to deploy, and nothing has changed my mind since.

Chatting and meeting up with Bugcrowd EMEA’s James Clegg (top guy, even if he is from the wrong side of the Pennines – as in Saddleworth – and, no, I didn’t ask if he was related to Myra Hindley) merely reinforced the idea that, for all the bot-based attacks, security threats stem from actual people, not AI working independently of the human race, so the best way to fight the proverbial fire with fire is to actually utilise the human resource that knows how to expose security vulnerabilities in the first place.

I’m hoping to have a chat with the Bugcrowd founder in the near future, to dig deeper into the approach of the company and how it “integrates” with other product/service aspects of a security strategy, so watch this space on that topic. Meantime, I’m bracing myself for the second round of judging…