“If you want to bring your vulnerability testing into the 21st century, get a bug bounty program.” – Vic Woods, Sr. Information Security Officer at Showpad
Showpad is an all-in-one sales enablement software headquartered in Belgium with offices in the United States. The platform integrates industry-leading training and coaching software with innovative content solutions to help sales and marketing teams maximize hybrid sales.
Organizations rely on Showpad’s platform in more than 50 countries. The platform has been named a Strong Performer by Forrester’s Wave for Sales Content Solutions, recognized as a top 10 software company by G2, and listed in Deloitte’s Fast 50.
The challenge: The ever-evolving platform requires constant security testing
With more than 1,200 customers worldwide, Showpad is a data-heavy platform. Protecting that data from security threats not only gives the organization a competitive edge but is also pivotal for its survival and growth. Bram D’hooghe is the Director of Security, Privacy & Compliance at Showpad. He explains this point further:
Customer trust for us is key. If we don’t have customer trust, we won’t sell our product. Therefore, we need to be on top of our game with regards to our privacy and security.
Vic Woods is the Senior Information Security Officer at Showpad and is responsible for Showpad’s security testing operations. While he was already utilizing penetration tests, the platform constantly changes, and a pentest only reflects the state of the platform at the moment the assessment took place.
Showpad required an agile security testing solution that would continuously challenge the platform against vulnerabilities. This would enable the security and development team to work together to build, test, and release application features faster and more reliably.
The solution: Continuous security testing powered by a crowd of researchers
Showpad was keen to utilize a bug bounty program because it could provide the continuous security coverage that the platform needed. Taking the suggestion internally, Bram was able to explain the key difference between pentesting and bug bounty programs:
Comparing bug bounty and pentesting is like comparing a photograph to a film. A penetration test is like looking at a picture of what the product looks like in a certain moment in time — but it doesn’t say anything about tomorrow or the next coming weeks.
Having two-way conversations with researchers is also a valuable benefit of bug bounty programs that Showpad desired. For example, Intigriti has a chat function that enables companies to ask security researchers about vulnerability reports.
Showpad chose Intigriti’s managed bug bounty program services based on the quality of the platform, triaging services, and expertise at hand. Significantly, Vic added:
These were people we felt we could trust. They were people that knew what we were talking about, and they helped us with setting the scene and the scope.
At Intigriti, a dedicated success manager guides and advises new organizations at every step of their onboarding journey – but it doesn’t stop there. The manager proactively reaches out to support clients once their programs are live to ensure maximum impact year-round.
The result: Showpad’s bug bounty program is fully integrated into its security culture
Since launching, Showpad has benefited from a number of high-quality vulnerability reports which they’ve been able to remediate. However, Bram and Vic highlighted that the program’s benefits exceed the number of unique vulnerabilities submitted through the platform.
Enhanced security testing
Showpad’s bug bounty program has successfully given the security team an agile method for testing their platform and assets for vulnerabilities. With bug bounty programs, products and platforms are seen through the eyes of thousands of security researchers, who take a different approach to security testing than an internal team might. As Bram put it:
Through our bug bounty program, our security team avoids getting tunnel vision.
Because researchers participating in bug bounty programs are paid for their findings, they are incentivized to apply their creativity and uncover as many of the ways an attacker could target the platform as possible.
Actionable and valid vulnerability reports
Bram highlighted the quality of the reports they receive as well as the additional services that come with their bug bounty program:
Intigriti is an elaborate platform, with an extensive researcher pool, a great triage team, and a great follow-up system. For us, this is a recipe for success.
Intigriti’s triaging service ensures Showpad only receives actionable and valid reports. The service consists of handling researcher communications, vulnerability report validation, reproduction, proof of concept, impact descriptions, and recommended solutions when necessary. They also follow up with Showpad should they require further assistance with the report.
Showpad’s vulnerability reports are used in training materials
The vulnerability reports delivered to Showpad have provided information that has helped improve the engineering team’s skills and programming quality. This enables Showpad to build application features designed to be secure from the outset. As explained by Vic:
The program has contributed to the overall awareness of security in our company.
Expanding on this benefit, Bram says:
The examples we get out of Intigriti are examples we now use in our training towards our engineering team so that they get this information upfront in their development life cycle.
What’s next for Showpad’s bug bounty program?
Due to the partnership’s success so far, Showpad has decided to extend the program’s scope. Their objective is to test proactively so that when they introduce new features, they immediately get tested before launch.