The number-one independent consulting firm in France launches a new offering designed to assess website security
Despite website security being at the heart of businesses' concerns, cyber-attacks and data breaches continue to make headlines. To address this challenge, companies are constantly looking for new ways to identify and eliminate vulnerabilities in their systems. The "Bug Bounty," which consists of inviting "bug hunters" to spot cyber-security weaknesses, and then rewarding them based on the vulnerabilities they can identify, has generated strong interest in this area. It's a clear trend, and something that hasn't gone unnoticed by Wavestone's Cyber Security and Digital Trust Team, which is announcing, today, a new offer: "Bug Bounty by Wavestone."
Bug Bounty: the hunt for vulnerabilities…
The Bug Bounty concept appeared in the US over 20 years ago, at Netscape, and has gradually been adopted by the major internet players including Google, Facebook, and, more recently, Apple. The principle of such public Bug Bounty programs is simple: to financially reward internet enthusiasts who can identify vulnerabilities, as a way of thanking them for their help.
In France, companies who conduct their own public Bug Bounty programs are still very rare. The tendency here is more one of working with dedicated organizations who maintain the relationships with the bug hunters and manage such programs. These types of players emerged in the US, and have been increasingly appearing in Europe and France over the last two years. As a complement to the public Bug Bounty, these organizations also offer Private Bug Bounties, where the program is only publicized to preselected bug hunters.
"Aside from the normal penetration tests, a Bug Bounty offers an additional way to assess the safety of a corporate website, especially for more mature companies", observes Yann Filliat, Head of Security Audit Offer at Wavestone. The Bug Bounty is certainly an attractive approach for companies who can expect to be remunerated for their work on security, but only incur expenditure when vulnerabilities are identified. But attention should be paid to the risk of being overconfident, something that may result in a company's "Bug Bounty budget" evaporating, if numerous vulnerabilities are identified.
Bug Bounty by Wavestone: a combination of expertise, advice and confidentiality
A preferred contact for security managers in major companies, the Cyber Security and Digital Confidence Team at Wavestone, which employs some 400 experts, understands the huge attractiveness of Bug Bounties, and also the issues that are still holding some companies back from capitalizing on it.
Drawing on this expertise, and to provide valuable support to its clients in this area, Wavestone is, today, adding to its security audits and penetration tests offer with "Bug Bounty by Wavestone".
"Our clients are interested in the principle of remuneration based on identified vulnerabilities, which can reward well-designed projects and penalize those where security has been neglected. But they also want guarantees about who will be analyzing their sites and how the results will be collated and communicated.", advises Gérôme Billois, Senior Manager at Wavestone.
As the first consulting firm in France to develop an offer based on remuneration for identified vulnerabilities, Wavestone is bringing its trademark approach to the Bug Bounty landscape – combining end-to-end technical expertise, advice, and confidentiality to ensure that:
- All the auditors involved, numbering more than 40, with a diversity of expertise across a range of technical fields, will be employed on the basis of managed and formal working relationships with Wavestone and are subject to a strict code of ethics.
- The tests are performed to ISO 27001 security-certification standards, a means of ensuring audit-data confidentiality.
- Each Bug Bounty is subjected to prior approval by a Wavestone expert, a safeguard that addresses any questions posed by the end client, ensures the right choice of auditors, and guarantees that all areas within the desired scope are thoroughly assessed.
- In addition to detailing the technical issues, fault reports specify the recommendations for action; these are developed by drawing on Wavestone's expertise and the feedback gained from its extensive experience in the area.
- As well as feeding back vulnerabilities as they are identified, a closing telephone discussion takes place systematically following a Bug Bounty. This provides a comprehensive summary of vulnerabilities and, if required, helps prioritize the actions to be taken.
The Bug Bounty program will be accepting its first commissions on 1 December. You can find all the relevant information on Wavestone's website: wwa.wavestone.com in the "Areas of excellence/Cybersecurity & digital trust" section, under the "Capabilities" heading.
About Wavestone
In a world where permanent evolution is the key to success, Wavestone's mission is to enlighten and partner business leaders in their most critical decisions.
Wavestone draws on some 2,500 employees across four continents. It is a leading player in European independent consulting, and the number one in France.
Wavestone is a new consulting firm, created from the merger, at the beginning of 2016, of Solucom and Kurt Salmon's European operations (excluding consulting in the retail and consumer goods sectors).
More information at wwa.wavestone.com
Wellcom PR Agency
Sonia El Ouardi
sonia.elouardi@wellcom.fr