Detectify, the SaaS security company powered by ethical hackers, closed 2021 with significant corporate momentum propelled by its Crowdsource community. In 2021, Detectify detected 44% more unique medium and high severity vulnerabilities in its customers’ systems compared to 2020, demonstrating the outsized impact crowdsourced security can have on an organization’s security posture.
“Crowdsourced security provides a way for security teams to expand their efficiency, especially when it comes to managing their external attack surface,” said Rickard Carlsson, Co-founder and CEO of Detectify. “Hackers have eyes and ears all over the web, and they’re constantly monitoring attack surfaces for exploitable entry points. Leveraging ethical hackers as part of an overall security program gives organizations the ability to identify and remediate security issues in a wide range of technologies before they risk being exploited by attackers.”
Handpicked by Detectify, the Crowdsource community comprises freelance ethical hackers passionate about making modern technologies and the Internet a safer place. Each ethical hacker focuses on finding web vulnerabilities across the tech stack, e.g. in a CMS, framework, or library. Once flagged and reviewed, accepted vulnerabilities are integrated into Detectify’s products as security tests to protect customers from the latest threats.
Detectify received 35% more submissions from its ethical hacker community in 2021 compared to 2020. Notable findings from the Detectify Crowdsource community include:
- Froxlor 0-day - In March 2021, Detectify Crowdsource hacker Valerio Brussani used a dangling markup technique to discover and report a 0-day in Froxlor, a server administration software package, now assigned CVE-2020-29653, which could allow attackers to steal login credentials and impersonate a victim user.
- Cloudkit - In September 2021, Detectify co-founder Frans Rosen identified three bugs of varying severity in iCrowd+, Apple News, and Apple Shortcuts while hacking Cloudkit. All bugs were reported to and fixed by the Apple Security Bounty program.
- Grafana 0-day - In December 2021, Grafana released an emergency security patch for the critical vulnerability CVE-2021-43798, after proof-of-concept code to exploit the issue was published online. Grafana was first made aware of the 0-day by Detectify Crowdsource security researcher Jordy Versmissen, who found and reported it to Grafana.
When critical vulnerabilities become known before a patch is available, the value of crowdsourced security really comes through, said Carlsson. He added:
“Companies that rely solely on internal research teams and test against known CVEs are in a much tougher position when incidents like, for example, Log4j happen. We received a proof-of-concept for Log4j from a researcher in our community and were running it as a security test in our customers’ systems within hours after it was made public. In the past couple of weeks, we have implemented over 50 test modules for this vulnerability, covering dozens of technologies.”
Strengthened EASM offering and 60% women in the product team
In 2021, Detectify also formalized its evolution from a dynamic application security testing tool to a comprehensive External Attack Surface Management (EASM) solution. Highlighted by Gartner as an emerging category in security, EASM helps organizations identify potential risks coming from internet-facing assets and threats such as shadow IT, exposure management and expanding attack surfaces. Detectify looks to 2022 and beyond to continue advancing its EASM solution, which excels in the discovery of web-facing assets and the assessment of web vulnerabilities and anomalies leveraged by attackers.
In addition to the growth seen in the Crowdsource community, Detectify added 30 new team members, 33.3% of which were female. In addition, 50% of executive hires and 33.3% of engineering hires were female. The product team also increased from 42% women in 2020, to 60% in 2021. In comparison, women are reported to represent only 24% of the cybersecurity workforce overall.