Nexmo provides innovative cloud communication APIs so that applications and enterprises can easily connect to their customers via SMS or voice. Their customers include companies such as Airbnb and Alibaba that use Nexmo’s APIs to send millions of messages per month.
With so many users, creating a secure and reliable customer experience is a top priority. Nexmo strengthened its web security by adopting an ongoing crowdsourced bug bounty program and using Cobalt's pen test services.
As a growing company with many customers, Nexmo is always looking to strengthen its security as it continues to build innovative cloud communication APIs. The team has already adopted strong security practices, but with rapid development cycles it found a growing need to conduct frequent security assessments and find potential vulnerabilities.
With millions of messages being sent using Nexmo’s platform, the team also wanted an approach that signaled to its customers that they embrace strong security practices. Eric Nadalin, CTO of Nexmo, states,
"Nexmo prioritizes customer experience and safety. We are always looking for ways to integrate best security practices and showcase this to our customers."
One of Eric’s biggest challenges was to find a security testing approach that would most effectively find vulnerabilities while taking into account resources and costs without compromising on quality. These requirements led the team to look into crowdsourced security.
Overall, Eric’s team was looking for:
- Continuous assessment of their security that delivered actionable insights on potential vulnerabilities
- Access to highly skilled security specialists with diverse backgrounds
- Ability to showcase their strong security focus to customers
A step-by-step approach
Nexmo adopted Cobalt's bug bounty program to bring the power of a top-tier security crowd to its security practices. Nexmo first signed up for the private bug bounty program, limited to a smaller group of Cobalt's core security researchers. This allowed Eric's team to familiarize themselves with the program and integrate it easily into their agile development cycles.
The private program was later opened to a progressively larger pool of skilled security researchers.
"As a startup with limited resources, I knew that integrating new security testing into our development process could be a challenge. Cobalt enabled us to launch a bug bounty program in a step-by-step and controlled manner. This program enabled us to connect with trusted and highly-skilled security researchers."
Cobalt Pen Tests
After successfully running the bug bounty program for 4-5 months, Nexmo decided to sign up for fixed-price Cobalt Pen Tests. This service added a CISSP-certified researcher, supported by domain experts, to conduct periodic penetration tests according to a checklist based on industry best practices and the application's specific logic. The pen tests were performed twice as fast as traditional pen tests, at half the price.
Through these pen tests, Nexmo could quickly capture a snapshot of its security. The pen test report included key test results across the OWASP Top 10, an overall security rating, and recommendations to remedy any vulnerabilities. With this report, Nexmo could easily present its current security level to customers.
"Cobalt's pen test solution provided us with clear results that we can share with customers. It is exactly what we needed to show our dedication to strong security."
Today, Nexmo has successfully harnessed the power of the crowd for its security practices. As a result of the bug bounty program and the Cobalt Pen Test services, Eric and his team have been able to:
- Identify vulnerabilities in the Nexmo communication platform using a small staff and limited budget.
- Institute an ongoing model to receive reports from a well-regarded security crowd on potential vulnerabilities.
- Showcase their strong focus on security to customers.
"Cobalt has allowed my team to easily strengthen our security testing and seamlessly integrate it into our development. The best part is knowing that we are giving our customers an even safer experience."
Challenges
- Rapidly evolving platform built using agile development cycles
- Sourcing diverse security skills with limited resources and budgets
- Showcasing their focus on security to customers
Solution
- An ongoing crowdsourced bug bounty program to find and fix vulnerabilities
- Periodic pen tests to check the security level of the platform and share the results with customers
Results
- Lower cost per vulnerability found
- Continuous security monitoring
- Pen test reports to share with customers