The Benefits of Crowdsourced Pen Testing Illustrated through Tetris

Cobalt

In this blog post Claus Cramon Houmann uses the popular video game, Tetris, to illustrate the advantages of crowdsourced pen testing. Claus has many years of experience consulting in the technology security space. He is currently working for Peerlyst as a community manager.

Penetration testing is not easy

Anyone who tells you hacking is easy is misguided. There is a wide array of knowledge one must acquire to even get started — coding languages, attack vectors, testing methods, frameworks that you need to have hands-on experience with, and last but not least learning how to gain access to code given obfuscation and encryption. The above list of knowledge only brushes the surface of the challenges of mastering pen testing. Very little of hacking is point-and-click.

Each skill acquired is hard won. Many hackers and security researchers have a basic understanding of testing for every vulnerability class, but choose one area as their “specialty.” For example, testing for XSS vulnerabilities is one area of expertise a hacker might choose to master.

Mastering the art of hacking is a difficult task. If you still don’t believe me, I know an individual who is trying to move from being a sysadmin to penetration testing — and I respect his passion and dedication. He is sharing his struggles of becoming a pen tester through blogging. So if you are convinced that pen testing is a simple skill to pick up you can check out his posts here and here.

Using a Tetris analogy for XSS

Let’s break it down — say that XSS is the light blue Tetris block. (And make note, there ARE times when all you need is a light blue block in Tetris.)

[Figure: Tetris 2]

Tetris: It’s time to play

You could potentially play a whole game successfully if you only had light blue blocks. Just like you could play a game successfully with solely dark blue blocks — but that’s just not how a company’s attack surface works.

Your company’s attack surface is made up of a variety of colors and shapes — and is much wider than the 10-block-wide row that makes up a Tetris board. Not only that, but your pieces are constantly changing color and shape with every little change made to your IT environment. For example, a small change to your software code can introduce new vulnerabilities you know little about.

Testing your company’s attack surface requires playing some real-life Tetris. You need to look at the blocks you have and be able to utilize the relevant shapes and colors. If you hire any average pen testing company to play your game of Tetris you might get some experts in red blocks, green blocks, and light blue blocks — but they may have very limited skills in orange blocks. Maybe your company’s Tetris game has a lot of orange blocks. Then the red, green, and light blue block experts are not really going to assist your company in the best possible way — and it’s “game over” for you.

[Figure: Tetris 3]

The true value of crowdsourced pen testing

This is the true value of crowdsourced pen testing. When you crowdsource security researchers you gain access to experts who fit your company’s specific needs. If your Tetris game is composed mostly of orange, light blue, and green blocks, then you should have experts in those areas. Of course they will be knowledgeable in all areas, but they hold deep expertise in the security aspects most relevant to your business. These researchers come in and turn the incoming blocks to clear the rows that would otherwise make your attack surface unmanageable as vulnerabilities keep stacking up everywhere. In my opinion, crowdsourced pen testing gives a business the optimal people to ensure that the bottom rows keep being removed consistently, rewarding your company with points. Removing a row in Tetris translates directly to a risk mitigated, which translates to a measurable and reportable business benefit — and metrics make CISOs and executives happy.

Interested in seeing how a crowdsourced pen test can help your business? Schedule a demo with Cobalt today!

Check out other posts by Cobalt if you want to learn more about crowdsourced pen testing or about our customers’ experience saving time and money using the Cobalt Pentest as a Service (PtaaS) platform.
