Synack is a security company revolutionizing how enterprises view cybersecurity: through a hacker’s eyes. Synack’s private, managed hacker-powered security solution arms clients with hundreds of the world's most skilled, highly vetted ethical hackers who provide a truly adversarial perspective to clients’ IT environments.
I started my career as an engineer at the defense contractors General Dynamics Information Technology (GDIT) and FireEye. I joined Synack because I believed in the mission of Crowdsourced Security Testing and saw its potential for keeping Americans safe. After two years of deep experience at Synack working closely with 15 government agencies and numerous government contractors, it became obvious that FISMA audit demands were increasingly weighing on federal agencies. We didn’t want agencies to have to duplicate their testing efforts just to fulfill audit requirements, so we started work to integrate FISMA into our crowdsourced security testing process. Today, I’m happy to say that Synack is the only Crowdsourced Security Testing company to fulfill FISMA audit goals and give a true, results-driven security assessment.
Defining FISMA and the National Institute of Standards and Technology (NIST) SP 800-53 Rev 4
Under the Federal Information Security Management Act (FISMA), federal agencies are responsible for their information security practices and are required to conduct annual reviews in order to reduce security risks. The National Institute of Standards and Technology (NIST) published NIST SP 800-53 Rev 4 to help agencies achieve FISMA compliance. Special Publication 800-53, Revision 4 provides a catalog of security controls for federal information systems and organizations; the matching assessment procedures are published in the companion SP 800-53A. These controls overlap with the SOC, HIPAA, and FedRAMP compliance frameworks, and FedRAMP in particular is built directly on the 800-53 control catalog.
Here is what an example compliance checklist could look like for a customer looking to reach FISMA compliance. Synack can contribute NIST 800-53 guidelines on Web, Host, Cloud, Mobile and API assets.
Synack is the first Crowdsourced Security Testing Company to offer FISMA Compliance
Synack has helped customers reach compliance for years as the leading provider of penetration testing in the Crowdsourced Security Testing category. Synack was the first company to bring a Crowdsourced Penetration Testing product to market, thanks to the focus given to it by co-founders Mark Kuhr and Jay Kaplan, former NSA and DoD security experts turned entrepreneurs in the cybersecurity industry. Synack is also the first crowdsourced security company to be trusted with sensitive, internal assets from the Department of Defense as part of Hack the Pentagon. With the launch of LaunchPoint+ (LP+), Synack becomes the first and only crowdsourced security platform with endpoint control. Finally, Synack is the first hacker-powered platform to scale using Artificial Intelligence to support government customers. Building upon these “firsts”, Synack is now also the first to offer FISMA compliance.
40% of organizations do not believe that their security posture has improved following a compliance audit (State of Security and Compliance, 2019), which shows the need for organizations to go beyond the minimum, static compliance audit conducted once a year. Security needs to be effective, continuous and rigorous in order for it to be trusted.
Synack’s Client Report with NIST 800-53 security controls is available via the customer portal.
Synack now offers the market’s first comprehensive Crowdsourced Penetration Test designed specifically for government, combining a bug bounty-based vulnerability discovery model with NIST 800-53 guidelines. Instead of a small internal team or a couple of contractors, you can harness some of the best talent available to improve your security posture. As part of our new NIST 800-53 offering, Synack will leverage the world’s most talented ethical hackers to run missions that provide centralized results, quantifiable metrics, pentests at scale, compliance checklists, audit-quality reports and deployment within 72 hours. All of these features are combined in a single intelligence platform. The Security Control identifiers are broken down into their respective controls and families. Synack can now help address 6 of the 18 security control families.
Government Policy including NDAA language promotes use of Crowdsourced Security Testing
The momentum around crowdsourced security testing is strong as the federal government heads into the last quarter of the 2019 fiscal year. Crowdsourced Security Testing has been heralded as an effective, efficient, and safe way to achieve compliance and identify vulnerabilities in the civilian and military sectors alike. NIST 800-53 is closely related to NIST SP 800-171, which derives its requirements from the 800-53 catalog and is the standard the Department of Defense requires of contractors that handle Controlled Unclassified Information (CUI).
In June and July of this year respectively, the House and Senate versions of the NDAA encouraged Crowdsourced Security Testing (CST) to be widely adopted across the Department of Defense. The exact language reads, “Resources given to the program are insufficient to address the sheer size and scope of potential vulnerabilities. Therefore, in order to better secure the Department (of Defense) from cyberattacks and vulnerabilities, the committee encourages the Department to broaden its use of third party crowdsourced security platforms.” This follows recommendations from the DoD and the White House in the past year.
Get in touch with us!
We know civilian and military customers are looking for creative and innovative security tests that are comprehensive for quality and compliance, can be deployed quickly, and produce real results as the 2019 Government Fiscal Year comes to a close. While many Crowdsourced Security Testing players may lay claim to Crowdsourced Penetration Testing, Synack is the only one that can be used for true FISMA compliance. Synack also provides increased security and controls through its recent launch of LaunchPoint+, which has made Synack the only Crowdsourced Security Testing platform with endpoint control.
Montgomery County processes $5B in online transactions every year, General Dynamics Information Technology (GDIT) is a multi-billion dollar business, and CSC Global serves almost all of the Fortune 500. What do their security teams have in common? A commitment to protecting their customers and their business as they become more digitized. They’re also becoming more regulated. As they are expected to secure their businesses in a changing climate, often without unlimited resources or budgets to match the growth in other areas, it’s clear that they need to innovate and come up with creative security solutions that work smarter and more effectively than they have before.
Three industry pioneers — Mike Baker, CISO of General Dynamics Information Technology (GDIT), Scott Plichta, CISO of CSC Global, and Keith Young, CISO of Montgomery County Maryland — are paving the way towards real change in security by adopting crowdsourcing and artificial intelligence in their security testing practices. These three highly regarded CISOs joined Synack CEO and Co-Founder, Jay Kaplan, at the recent Gartner Security & Risk Summit to talk about how they are using new methods to scale their security testing to protect their businesses.
Keith Young, CISO of Montgomery County Maryland Gov., talked about how his organization “receives critical data from police officers – if that were to get out, someone could get killed. We cover and secure everything from a jail system to traffic lights, so it’s a complex, highly regulated environment, and we are doing it without a lot of money.” Riviera Beach and Lake City, both cities in Florida, recently paid large ransoms to a cyber gang rather than leave some 45,000 residents without city services and with their PII exposed. These are the types of scenarios that Young thinks about often and actively works to defend his county against.
Scaling Security Testing with a Crowd
Traditional pen tests have failed to keep up with the ever changing threat landscape, as new vulnerabilities are getting introduced as quickly as the new software being built. At the same time, traditional pen tests of 2-3 people don’t solve for growing attack surfaces. Crowdsourcing ethical hackers from all over the world provides the ability to test multiple assets at the same time, and utilize talent in today’s resource-constrained reality.
“Right off the bat, we knew it was a good idea to leverage crowdsourcing and automation to help us solve the scale problem,” Mike Baker of GDIT, the leading edge technology group within defense giant General Dynamics, remarked. GDIT pushed for nontraditional methods of pen testing such as crowdsourcing to solve for these unique problems.
Many companies have adopted crowdsourcing methods to replicate the diversity, creativity, and skill sets of malicious actors, in the form of ethical hackers. However, most companies now release code every two weeks under Agile methodology, and it can be challenging for humans to ensure continuous coverage of assets that are changing dynamically. To scale a crowdsourced security test, you need technology and automation. As Scott from CSC Global put it, security testing “still needs humans, but you can use automation as a force multiplier and then put humans exactly where you need them.” Serving almost all of the Fortune 500, CSC Global knows what it takes to protect its customers and stay committed to scale.
Scaling a Crowd with Artificial Intelligence
However, automation must be approached efficiently. Often, scale brings noise as teams begin to secure hundreds of apps that are continuously updated through the SDLC.
“Vulnerability management is like shoveling sand against the tide. It’s hard to show metrics, but the biggest thing is how to manage the human element of crowdsourcing pen testers. Whether it’s using Synack or other prioritization mechanisms, how do we get to categorizing which assets are critical, high, or low using the human element?” Mike Baker posed to the audience. He’s been on the forefront of leading GDIT to think differently about how they build new technology in a smart, secure way.
It was clear during the discussion that more and more security leaders are looking for nontraditional, more effective methods of pen testing that allow them to filter through the noise that comes with scale. The US National Security Agency (NSA) is now using machine learning in automation to combat this and increase the efficiency of security teams that need to protect a large number of assets. “We’re going to need, at the very least, ML techniques to pull signal out of the noise so that the defenders, the operators can be informed [and] spend their time on the most critical events or anomalies rather than trying to make sense of this huge data space manually,” Neal Ziring, NSA’s Technical Director for Capabilities, told Cyberscoop. Customers are now looking to automation to help prioritize remediation and filter out the noise.
In addition to helping filter through noise, machine learning-based methods of automation can also scale continuously. “I’m looking for automated, continuous feedback on where my environment is. Security today is still very much point-in-time testing and highly dependent on talent,” Mike explained. Adding a layer of automation across all assets augments crowdsourced humans and can serve as a change indicator in the attack surface, allowing coverage while still being able to leverage the creativity of human discovery in finding exploits.
Synack recognizes the dependency on talent given the continuously expanding scope of attack surfaces, but also recognizes the need to augment our Synack Red Team (SRT). More than 80% of the vulnerabilities that our Synack Red Team finds in customer assets aren’t detected by a scanner, and scanner output still needs human intervention to reduce the noise. Synack has built a proprietary, AI-enabled scanner that continuously scans assets and alerts the SRT to potential exploits, while the SRT also conducts open vulnerability discovery on top of these alerts. Synack’s approach leverages crowdsourcing and automation together to provide low-noise scanning in tandem with comprehensive pen testing, making for a much smarter, continuous pen test.
Let’s take a look at some of the results the panelists found using Synack’s smart security test, harnessing both the crowd and automation. The results highlight where the security teams were able to save time, and focus on the most high risk vulnerabilities.
“We have 78 scrum teams developing on a continuous basis. For us, we started with a typical 2 week pen test. Two things we learned from going crowdsourced: 1) The power of a surge of people 2) Difference in pay for performance vs pay for time spent. The deeper you get, the pen tester gets paid more and you see deeper uses!” said Scott Plichta, CISO of CSC Global.
CSC Global Synack Platform Stats:
12,424 Findings via Automation
Automation piece filtered >99% of the noise and passed 4 potential exploits to the Synack Red Team
6 hours of Synack Red Team triage and validation offloaded from internal team
2 Exploitable and Human Validated Vulnerabilities passed to CSC security team (Additional 50% noise reduction)
General Dynamics Information Technology
GDIT, who acquired CSRA this past year, is a multi billion dollar business. “Scale was a problem and we’re working on solving it with crowdsourcing and automation,” explained Mike Baker, CISO of GDIT.
GDIT Synack Platform Stats:
15,584 Findings via Automation
Automation piece filtered >99% of the noise and passed 34 potential exploits to the Synack Red Team
32 hours of Synack Red Team triage and validation offloaded from internal team
1 Exploitable and Human Validated Vulnerability passed to GDIT security team (a further 97% noise reduction: 1 of 34 suspected exploits confirmed)
A Smart Pen Test’s ROI
As thought leaders in the industry, Mike, Scott, and Keith encouraged the audience to focus on what’s important: security ROI. Scott talked about how much data “information solutions like Synack’s are putting in the hands of a SOC analyst. Before with traditional methods, we could only pick 10% of the environment. Now, for the same amount of money, we can hit 90% and understand where to put our resources.” The data that automation and crowdsourcing provide to security teams and across organizations allows businesses to make better-informed decisions on how to use limited resources efficiently.
Because of new techniques like automation and crowdsourcing, ROI on a pen test now has a different definition. People are looking to cut through the noise, and find human validated exploits to remediate rather than expect copious amounts of low impact vulnerabilities. These days, it’s quality over quantity. As Mike stated, “I don’t see crowdsourcing as a choice – I see it as an evolution and will be mandatory as more people cannot maintain teams.”
Along with delivering ROI to executive boards, CISOs often have to lead the organization in thinking outside of the box and adopting innovative methods such as crowdsourcing. Gartner predicts that by 2021, over 50% of organizations will be using crowdsourcing and automation to secure their assets. Each CISO shared the most important elements to them when it comes to investing in crowdsourcing and automation as they look to convince their boards.
“In terms of controls – do you know who’s pen testing your sites by traditional methods? Can you play it back? Synack provides control – you can play it right back and figure out what happened at 3 am. We don’t get the same control with a traditional pen test,” said Scott. Keith talked about clearance checks, credentialing, and how having a rigorous process of validating ethical hackers puts management and legal departments at ease: “When I first brought up continuous pen testing, I envisioned a cartoon bubble photo of a hacker with a hoodie on and figured that was going through others’ minds. One of the biggest challenges is going back to management and legal and saying, ‘Here are the benefits of doing it this way.’” With Synack, a customer is able to control a crowd of ethical hackers, starting and pausing penetration testing with the push of a button. It’s clear that adopting innovative methods has a long-term ROI for smart pen testing.
The combination of automation and crowdsourcing in penetration testing is clearly paving the way for smarter pen tests; this new model offers a way to stay ahead of malicious actors who continue to be creative, incentivized, and persistent. Neither machines nor humans are as effective on their own as they are together, but it’s important to couple the two in a way that provides efficiency and control to security teams. As organizations like Montgomery County Maryland, GDIT and CSC Global continue to grow their digital presence, their security is becoming as smart and effective as ever.
Military Spouses Mean More Firepower for the Cyber Mission
Every time I slide into a Lyft in San Francisco and start a conversation with my driver, it’s clear how increasingly rare it is to have been born and raised in this city. As people move into and out of big cities in droves, companies like Lyft provide transplants the opportunity to pick up flexible, part-time work to help pay rent or make new friends.
There’s beauty in the crowdsourcing industry’s flexibility for workers. You can sign up to be a Lyft driver in San Francisco, while renting out your New York apartment through Airbnb and supplementing your income by building a business on Upwork. For the economy, this means easier access to a larger labor market and fewer mismatches between supply and demand. (Waiting half an hour for a taxi during peak rush hour feels like a long lost memory).
As a veteran spouse with many friends, family members, and colleagues in the military, I frequently hear from members of the military community who are moving yet again and are worried about finding a new job. My first question is always, “Have you considered crowdsourcing?”
Of the 641,639 military spouses in the United States, 20-25% are unemployed (compared to a 3.6% unemployment rate nation-wide). The majority surveyed by the U.S Chamber of Commerce cited their frequent moves and deployments as the biggest challenge to landing a job.
While traditional employers may find military spouse mobility to be a disadvantage, for crowdsourcing platforms, mobility is not a drawback. In fact, this community, full of highly educated, passionate, and ready-for-work talent, is an untapped opportunity!
We know that military spouses bring the same passion for service and dedication to the mission as military personnel and veterans, which makes them high-potential recruits for our own crowdsourced Synack Red Team. That’s why a couple of weeks ago, at the U.S. Chamber of Commerce and Hiring Our Heroes’ Military Spouse Employment Summit, I announced that Synack is extending the Synack Veterans Program to include Military Spouses.
The cybersecurity industry faces a colossal talent gap, with an estimated 3.5M unfilled cyber positions by 2021 (Cybersecurity Ventures). Corporations, government agencies, and military services alike are seeking talent to help combat the increasing number of cyber attacks facing our nation and economy every year.
For this reason, the White House, United States Senate, Department of Defense, and Gartner recommend crowdsourced security as a best practice and are advocating for its expanded use. By recruiting, retaining, and developing security talent around the world, enabling them with technology, and making their skills available through a scalable platform, Synack’s Crowdsourced Security Platform helps organizations fill the cyber talent gap and get ahead of the adversary.
The Synack Veterans & Military Spouse Program is the first and only crowdsourced program to recruit, empower, and deploy members of the military community to serve the cyber mission. The program offers unique benefits to those who have served or continue to serve our country, including:
Expedited application review for access to the Synack Red Team (Synack’s elite crowd of ethical hackers)
Flexible and lucrative security testing opportunities from wherever you’re based, via the Synack Platform
Annual networking events
Access to interesting enterprise and government targets
As part of Synack’s commitment to grow the number of veterans on the Synack Red Team by 200% by the end of 2019, Synack Veterans and Military Spouses receive referral bonuses for any military community members who successfully make it through the Synack onboarding process to become Red Team members.
Military spouses are a perfect fit for crowdsourced security – they passionately serve the mission, are hard-working leaders and contributors in their communities, and bring talent and motivation that the security industry needs.
Many news articles introduce artificial intelligence as a threat to displacing humans’ jobs. However, in the cybersecurity industry, we’re seeing a different story play out. While the technology we use is becoming more advanced, malicious hackers are still outpacing it; it’s evident as we watch these attackers continue to expose the data of millions of consumers almost daily and even impact the integrity of our election infrastructure. To keep up with the pace of cyber threats, many companies have adopted crowdsourced penetration testing to replicate the diversity, creativity, and skill sets of malicious actors, in the form of ethical hackers. It’s clear AI won’t ever be able to replace the creativity of the mind of a hacker, but what if AI could help augment ethical hackers?
Crowdsourced testing is a creative way to utilize the talent of a global network of ethical hackers in today’s resource-strained reality – there are 3.5 million unfilled cybersecurity jobs expected by 2021 according to Cybersecurity Ventures. However, bug bounty and crowdsourced security models often lack the framework to keep pace with a key component of modern software development: Agile methodology in the software development lifecycle (SDLC). As most companies now release code every 2 weeks, unknown vulnerabilities constantly appear in different parts of the attack surface. Without a strong incentive model, without asset change indicators to alert them, and without supporting technology, it is challenging for humans alone to ensure broad, continuous coverage of assets that are changing dynamically.
Outside of security, crowdsourced companies like Uber, Pinterest, and Airbnb have been utilizing automation and smart technology to augment humans for years. More importantly, the crowd on these platforms is trusting the technology to help them – cars now come equipped with sensors to help people park efficiently, and humans look to machine learning algorithms to recommend safe lodging in foreign countries. How can we build the same trust in security?
Traditionally in security, machines and humans have worked separately to try to solve the same issues. Machines like scanners have been used to scale across attack surfaces, but they have proven noisy and inefficient, overburdening security teams and wasting precious security resource cycles; the result is that security teams can miss remediation of higher-priority vulnerabilities, leaving companies and consumers exposed. Until now, there hasn’t been a crowdsourced pen test model that marries machine intelligence and automation with the creativity of human discovery in a way where humans can trust machines. Security hasn’t kept up with the advancement of the digital transformation… Until today!
We’re very excited to announce the latest version of our crowdsourced security platform that delivers a smarter, more efficient security test by leveraging smart technology in the Synack platform and our new product, SmartScan. We are revolutionizing the way people have inherently thought about crowdsourced penetration testing. Our new crowdsourced testing solutions recognize that the intersection of a crowd and technology is a critical part of smart security testing. Neither machines nor humans are as effective on their own as they are together – it is important to couple the two together in a trusted way. Synack’s enhanced tests are building trust between humans and machines and providing smarter security to customers.
How we build trust between humans and machines
Human creativity is unsurpassed. We count on humans to find categories of vulnerability that a scanner would not normally detect, such as Business Logic flaws, where a human has to walk through the application’s legitimate workflow to find a way to abuse it. At the same time, humans cannot cover many targets quickly: confirming that a finding is actually exploitable takes time on each target, which is difficult at the pace of today’s software development lifecycle (SDLC). Scanners, on the other hand, can sweep many apps very quickly to check for security flaws, but the output is less than ideal. Pages and pages of vulnerabilities are reported, with little guidance to security teams on which vulnerabilities carry the highest risk of breach or what should be prioritized.
How do we provide continuous security testing in an efficient manner, to our customers on apps that are continuously updating in the SDLC? SmartScan uses an optimized technique of both Hydra, our proprietary scanner, and the Synack Red Team, our highly vetted, exclusive crowd, to look for the needle-in-the-haystack type of vulnerabilities. Hydra alerts the SRT to suspected vulnerabilities, vulnerabilities the machine has flagged as highly probable for exploitation. The SRT will then triage these findings to find the vulnerabilities most at risk of a breach. This technique in conjunction with our continuous engagement from the SRT provides an additional layer of rigor to our crowdsourced security tests. As a result, our penetration tests have become much more effective and efficient, leveraging our best of both worlds – vulnerability assessment, bug bounty and penetration testing all together in one crowdsourced model.
Customers have talked about how the vulnerability intelligence they’re seeing with us is helping them integrate security into the development process by spreading this information across the organization. Not only have we already seen our customer betas find exploitable vulnerabilities they normally wouldn’t have found without Platform 2.0, but we’ve also seen success for our researchers. Ethical hackers find higher-severity vulnerability types than scanners do, such as complex authentication flaws, which often lead to exploitable vulnerabilities. As an example, the severe BlueKeep Remote Desktop Services vulnerability of May 2019 (CVE-2019-0708) is categorized as Input Validation according to NVD. Scanners check for many known kinds of input validation failure, but humans can creatively seek out any kind of input validation error. With SmartScan’s optimized technique, Hydra filters out 99.63% of raw findings before they reach the SRT, allowing researchers to focus on exploiting only the suspected vulnerabilities and increasing their efficiency by 86%. The more examples we see of humans trusting machines to augment their capabilities, the wider the scope of problems we can solve. Synack was founded on solving the right problems – we wanted to help our customers secure their apps as often as they update and create new code, on a continuous cadence, while optimizing our Red Team through our technology. Our next version of the Platform does just that.
Having worked in the financial services industry in both end-user and consulting capacities for over 15 years, I know the scrutiny frontline cybersecurity teams are subject to. When operating a penetration testing program, first and foremost, the team needs to ensure that complete, thorough and accurate technical results are being produced. This is achieved by incentivising the discovery of high impact, exploitable vulnerabilities that present a risk to business operations and data and by ensuring that the entire attack surface is subject to review using a repeatable approach using highly capable security experts.
However, it doesn’t end there. The penetration testing program needs to ensure operational risks are being appropriately managed, risks such as: How can you ensure approved testing activity is not mistaken for a malicious attack (or vice versa) and how do you manage the risk of testing activity causing an unexpected impact to production? It is vital to be able to demonstrate that robust operational controls have been implemented to a level that will be acceptable to second and third lines of defense, typically operational risk and audit.
Synack has provided a proven solution to these challenges for years with Synack LaunchPoint. LaunchPoint offers a controlled means of managing access from our private crowd – the Synack Red Team (SRT) – to customer targets through our secure VPN testing gateway. Because all test traffic egresses from the gateway, customer operations teams can whitelist it and tell approved testing apart from anything else hitting the same assets. LaunchPoint also enables monitoring of all network communications with full packet capture, provides analytics of attack surface coverage and the vulnerability classes exercised, and gives customer operations teams the ability to pause and resume testing at any time.
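The operational question raised above, how to keep approved test traffic from being mistaken for an attack and vice versa, is usually answered on the customer side with a simple rule: traffic from the gateway's egress range during the agreed window is testing, anything else that looks hostile gets investigated. The Python below is an added example, not Synack's code or LaunchPoint's implementation. The gateway egress range (203.0.113.0/28), the test window, the attack markers and the four log lines are all constructed for illustration; a real deployment would take the range and window from the rules of engagement and correlate against the gateway's packet capture.

```python
"""Triage web-server log lines against an approved pentest source and window.

Added example (not Synack's code). Everything below the imports is assumed:
the gateway egress range, the test window, the attack markers and the log.
"""
import ipaddress
import re
from datetime import datetime, timezone
from urllib.parse import unquote

# Hypothetical egress range of the testing gateway, as supplied by the vendor.
GATEWAY_EGRESS = [ipaddress.ip_network("203.0.113.0/28")]

# Hypothetical approved test window from the rules of engagement (UTC).
TEST_WINDOW = (
    datetime(2019, 8, 12, 0, 0, 0, tzinfo=timezone.utc),
    datetime(2019, 8, 16, 23, 59, 59, tzinfo=timezone.utc),
)

# Crude indicators of scanner/tester activity; illustrative only.
ATTACK_MARKERS = ("' OR ", "<SCRIPT", "../", "UNION SELECT", "SQLMAP")

# Constructed sample log: ip [iso-timestamp] "METHOD path proto" status "user-agent"
SAMPLE_LOG = """\
203.0.113.5 [2019-08-13T14:02:11Z] "GET /login?user=admin'%20OR%20'1'='1 HTTP/1.1" 200 "sqlmap/1.3"
198.51.100.77 [2019-08-13T14:05:40Z] "GET /search?q=%3Cscript%3Ealert(1)%3C/script%3E HTTP/1.1" 200 "Mozilla/5.0"
203.0.113.9 [2019-09-01T09:00:00Z] "GET /../../etc/passwd HTTP/1.1" 404 "curl/7.64"
192.0.2.10 [2019-08-13T14:07:02Z] "GET /index.html HTTP/1.1" 200 "Mozilla/5.0"
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) "(?P<ua>[^"]*)"$'
)


def parse_line(line):
    """Parse one log line into a dict, or return None if it does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return {
        "ip": ipaddress.ip_address(m["ip"]),
        "ts": ts,
        "path": unquote(m["path"]),  # decode so encoded payloads are visible
        "ua": m["ua"],
        "status": int(m["status"]),
    }


def is_gateway_ip(ip_str):
    """True if the source address belongs to the approved testing gateway."""
    ip = ipaddress.ip_address(ip_str)
    return any(ip in net for net in GATEWAY_EGRESS)


def looks_like_attack(event):
    """Very rough payload heuristic on decoded path plus user agent."""
    haystack = (event["path"] + " " + event["ua"]).upper()
    return any(marker in haystack for marker in ATTACK_MARKERS)


def classify(event):
    """Label an event for the SOC: authorized test, benign, or investigate."""
    in_window = TEST_WINDOW[0] <= event["ts"] <= TEST_WINDOW[1]
    if is_gateway_ip(str(event["ip"])):
        if in_window:
            return "authorized-test"
        # Gateway traffic outside the agreed window is itself a control failure.
        return "investigate: gateway traffic outside approved window"
    if looks_like_attack(event):
        return "investigate: possible attack from unapproved source"
    return "benign"


def triage(log_text):
    """Return (source_ip, label) for every parseable line in the log."""
    results = []
    for line in log_text.splitlines():
        event = parse_line(line)
        if event is not None:
            results.append((str(event["ip"]), classify(event)))
    return results


if __name__ == "__main__":
    for ip, label in triage(SAMPLE_LOG):
        print(f"{ip:16} {label}")
```

Note that the allowlist only tells you where the traffic came from, not who sent it: the gateway-based rule is only as strong as the controls on the gateway itself, which is why the packet capture and pause/resume controls described above matter alongside it.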
Last week, the Synack team announced LaunchPoint+, and I am really excited about our company’s latest capability and what it means for the future of crowdsourced testing.
For customers operating in a highly regulated business sector such as financial services, applying enhanced security controls directly to the attack workstation helps ensure that data privacy and compliance requirements are met and consistently enforced. All data created, transferred or downloaded during a penetration test is protected and monitored within our secure, isolated desktop environment, which provides the highest level of security control available. This approach keeps test activity and client data isolated in the managed workspace, removing the risk of client data leaking onto a researcher’s own machine, and once testing is complete the LaunchPoint+ workspace can be shut down and deleted with all data securely destroyed.
LaunchPoint+ not only delivers on data protection requirements, but also implements centralized control of the security posture of the virtual workstation to ensure it is patched to the latest level, the build configuration is security hardened and is subject to modern malware detection, prevention and monitoring.
Synack is unique in that it has always focused on delivering a better, smarter penetration test. LaunchPoint+ now enables our crowdsourced security testing to be delivered with greater data protection and security controls than ever before, meeting and exceeding the security standards typically deployed on the penetration testing platforms used by large enterprises and traditional penetration testing providers. The combination of our thoroughly vetted researchers and tightly managed and controlled testing process delivered through LaunchPoint+ makes the adoption of Synack’s trusted, crowdsourced security testing in a highly regulated environment a reality.
Privacy has become the topic du jour in technology circles. Apple now positions itself as a privacy-as-a-service company and recently highlighted a move toward putting users in control in iOS 13. Similarly, the notions of trust and privacy in the crowdsourced security marketplace are quickly evolving, and for the better. Synack has offered our LaunchPoint VPN secure testing gateway on every engagement since its inception to protect researchers and customers. That’s why the DoD trusted the Synack crowd and technology to test mission-critical, sensitive assets during the Hack the Pentagon program in 2016. We know that trust and privacy are always critical when it comes to security testing, and that continues to be true when you invite a much needed diverse crowd in to do the testing. That’s why we’re very excited to announce an enhanced secure testing gateway and introduce LaunchPoint+ to provide a managed workspace environment for trusted crowdsourced testing of enterprise and government assets. In short, Synack’s LaunchPoint+ now offers our customers the option of greater data privacy through full endpoint control.
What is Synack LaunchPoint?
Synack Red Team (SRT) researchers have always been required to conduct all client asset testing through LaunchPoint, which gives customers control over their penetration testing traffic.
For Synack clients: LaunchPoint offers testing data analytics such as testing hours logged, attack type analysis, testing coverage maps, and pause/restart capabilities for all testing traffic.
For Researchers: Companies that require the most stringent testing security are willing to work with crowdsourced researchers with LaunchPoint controls in place. This brings income and opportunity to the Synack Red Team.
LaunchPoint continues to be the best-in-class VPN for crowdsourced security testing. For enterprises subject to increasing data privacy regulation, we have developed LaunchPoint+ to address these challenges.
Synack’s LP+ Feature – How does it actually work?
Instead of using individual workstations for testing, researchers log into Synack-managed cloud workspaces to perform testing (i.e., an Amazon workspace managed and owned by Synack).
All research traffic flows through the LaunchPoint+ gateway, which provides full packet capture, real-time tracking and analytics.
Once testing is complete, customers have the option to delete all their data logs in the workspace.
These workspaces and this workflow are specifically designed to optimize for more hours on target through greater testing speed, more secure workspaces, and an overall better tester and customer experience. More benefits are outlined below.
What are the new benefits customers can expect through LaunchPoint+?
Consistent with the Synack focus on delivering uncompromising trust and privacy for SRT and customers alike, LP+ offers a number of new benefits that could work for enterprises or governments with especially stringent data privacy
Data Privacy & Compliance Objectives – Compliance with regulatory frameworks such as the General Data Protection Regulation (GDPR) and the Health Insurance Portability and Accountability Act (HIPAA) calls for companies to provide enhanced transparency about how data is used.
Secure Workspace – Trusted, secure testing environment managed by Synack ensures researchers perform all of their security assessments from a Synack-managed trusted endpoint.
Data Cleansing – Customers have the option to delete their data when testing concludes, without any researcher intervention.
Faster, Increased Bandwidth – Virtual workspaces provide increased bandwidth compared to what Synack’s SRT would normally use.
Enhanced Malware Protection – Virtual workspaces come with malware detection installed, providing extra peace of mind to researchers and customers alike.
LaunchPoint Services – Complete visibility into the amount of researcher testing activity. All actions are time-stamped for audit purposes. All of the same features from Synack’s original LaunchPoint are available on LP+.
Getting Started with Synack’s LaunchPoint+
For Synack customers, please contact your Program Manager for further information. If your subscription supports LP+ (ask your Synack Program Manager for details), only an opt-in is required. Synack will do the work on the back end. You can use LP+ on web, mobile, host, and API tests.
If you would like to learn more about the most effective and trusted crowdsourced security testing available or would like further information, feel free to visit our help center or contact a Synack representative.
Efficient, effective penetration testing is hard to find. Customers are often forced to choose between price, quality, and scalability. I know this from personal experience as the former Head of Penetration Testing at JPMorgan Chase.
When crowdsourced penetration testing hit the market, I immediately saw that it should form an important part of an organisation’s security assurance program. The rigor of the test from a crowd of security testers, motivated by an incentive-driven model, paired with the scalability and efficiency of a technology platform, can deliver significant ROI to an organization. I knew this approach would set a new standard, and when the opportunity presented itself, I decided to join the Synack team full time.
For those who are not across the pond, CREST is a not-for-profit accreditation and certification body that represents and supports the technical information security industry. CREST was set up in 2006 in response to the need for more regulated penetration testing services and is now recognised globally as an important cyber assurance body for the technical security industry. CREST provides internationally recognised accreditations for organisations and professional accreditations for providing penetration testing, cyber incident response, threat intelligence and SOC services. Synack’s accreditation for its penetration testing services has incredible benefits for customers and significant implications for Synack in the Crowdsourced Security Testing market at large.
What are the implications for Synack’s customers and prospects?
This is an independent, verifiable third-party assessment of Synack’s security testing capability by one of the most respected not-for-profit accreditors in the security industry. This means that services will be delivered by a trusted company with best-practice policies and procedures.
The work is conducted by highly-qualified individuals with up-to-date knowledge, skill and competence to deal with all the latest vulnerabilities and techniques used by real attackers. Our customers know them as the Synack Red Team – an elite crowd of security researchers vetted for both skill and trust.
Finally, the accreditation will provide an additional way to keep Synack accountable to high quality standards across the board. Customers have recourse as both company and individual accreditation are underpinned by a code of conduct and complaints procedure.
As mentioned in a recent article in CyberScoop, Synack has always sold tests, not bugs. It started offering and refining its Crowdsourced Penetration Test years ago. Through this accreditation, Synack’s company policies and procedures, testing methods, approach and testing personnel have been given an unbiased gold seal of approval. This accreditation further reinforces that innovation matters, and that Crowdsourced Penetration Testing startups can provide a similar or superior level of service when compared to other well-respected consultancies, using a more efficient and effective approach.
The only security platform to seamlessly coordinate human intelligence and artificial intelligence for 24/7/365 security augmentation.
REDWOOD CITY, Calif. — May 15, 2019 — Synack, the most trusted crowdsourced penetration testing platform, announced today it was named to the 2019 CNBC Disruptor 50 list. This is the fourth time the company has been recognized for disrupting the status quo in traditional security testing by scaling resource-strained security teams with Synack’s elite crowdsourced ethical hacker team augmented by Synack’s AI platform.
Synack is the first penetration testing solution to offer seamless integration of human intelligence and artificial intelligence at a continuous 24/7/365 cadence to solve the issue of scale for security teams.
“Synack is making us smarter and faster. Continuous testing using the Synack platform and the Synack crowdsourced red team allows us to get more detailed information about our vulnerabilities and weaknesses. We now flow that information to members of the security team using the Synack portal, and to our developers through Jira, closing the loop and resulting in faster remediation and more secure code development,” said a Synack Fortune 500 customer.
Highlighting Synack’s position as a market leader, when Gartner’s Crowdsourced Security Testing Platform (CSSTP) category was released last year, Synack was the only security company profiled in the category.
Unlike a simple bug bounty program, Synack doesn’t just recruit a crowd – it retains, develops, harnesses, and directs the crowd through technology. Synack Missions provide structured testing methodologies to its customers for strict adherence to compliance standards such as PCI and NIST. “Synack’s highly structured approach to crowdsourced testing puts the customer’s security team in control, and delivers fast, actionable intelligence and analytics,” said Jay Kaplan, CEO and Co-founder of Synack.
The company has also launched the industry’s first Attacker Resistance Score, which helps organizations measure and understand their security from a hacker’s perspective. Industries’ top brands are using this new scoring standard to build brand trust with customers. On average, Synack customers that have utilized crowdsourced penetration testing for two or more years are up to 2x stronger against cyber attacks than they were in their first year.
“No company or individual is safe from the onslaught of cyber threats today regardless of size or brand value,” said Dr. Mark Kuhr, CTO and Co-founder of Synack. “The adoption of Synack’s groundbreaking model has become increasingly prevalent across government agencies, global enterprise leaders, and high-growth organizations who realize they must act now – and act differently – when it comes to cybersecurity.”
Today, Synack secures close to $1 trillion in Fortune 500 revenue, 75% of the top credit card companies, top 10 consulting firms and security companies, and over 50% of federal cabinet-level agencies. Today’s CNBC Disruptor 50 accolade follows Synack’s recognition as a 2019 Cyber Defender by CB Insights, CREST-accredited penetration testing provider, CIO Review’s 20 Most Promising Enterprise Security Solution Providers, The Software Report’s Top 25 CyberSecurity Companies, and Wealthfront’s 2019 Career-Launching Companies.
Synack, the most trusted crowdsourced security platform, delivers comprehensive and continuous penetration testing with actionable results. The company combines the world’s most skilled and trusted ethical hackers with AI-enabled technology to create a scalable, effective security solution. Headquartered in Silicon Valley with regional offices around the world, Synack protects leading global banks, federal agencies, DoD classified assets, and close to $1 trillion in Fortune 500 revenue. Synack was founded in 2013 by former US Department of Defense security experts Jay Kaplan, CEO, and Dr. Mark Kuhr, CTO. For more information, please visit www.synack.com.
We are excited to announce that Synack, the most trusted crowdsourced security platform, has been named as a 2019 CNBC Disruptor 50 for the fourth time. Synack is proud to consistently be recognized as a market leader and this prestigious CNBC award is an acknowledgment of the impact Synack has on strengthening the security posture of an impressive list of enterprise customers. Our customers call our human-AI platform the best of both worlds. It’s the first security platform to offer seamless integration of human intelligence and artificial intelligence at a continuous 24/7/365 cadence. With our AI-enabled continuous testing model, we have secured close to $1 trillion in Fortune 500 revenue, 75% of the top credit card companies, top 10 consulting firms and security companies, and over 50% of federal cabinet-level agencies.
To celebrate our fourth time on the Disruptor 50 list, we felt it would be fitting to highlight four Synack disruptions from this past year:
Created a new Gartner category: Synack helped define and pave the way for Gartner’s Crowdsourced Security Testing Platform (CSSTP) category that was released last year. Furthermore, Synack was the only security company profiled in the Application Crowdtesting Services category, highlighting our long-term vision of where we believe the security industry should be going.
Developed the industry’s first Attacker Resistance Score: Historically, it’s been difficult to measure an organization’s security strength and improvement over time. The Attacker Resistance Score helps organizations measure and understand their security from a hacker’s perspective. Synack’s new metric disrupted the way organizations presented the security of their organization to their security executives and boards.
Synack gathered and analyzed our unique crowdsourced penetration testing data, based on thousands of tests on assets owned by hundreds of companies across nine industries, to generate an industry-disrupting, first-of-its-kind report that quantifies organizations’ trust at the asset level from a hacker’s perspective and measures security performance over time.
Secured the Election: Synack launched the “Secure the Election” initiative, a bipartisan effort to bring together the best American security talent and tools to help American states build their attacker resistance. During the months leading up to the midterm elections, Synack offered pro bono crowdsourced security testing services to any state that wanted to harden its election system against attack. Throughout the campaign, Synack partnered with 10 states to get a hacker-powered perspective on their security. Synack is committed to securing the American Way and helping states to address their vulnerabilities, which is why we will continue to disrupt elections by bringing crowdsourced security testing to help secure our elections through the 2020 Presidential election, a $550k pro-bono commitment that has grown to >$1 million total.
Launched Synack Missions to streamline security testing in continuous software deployment models: This past year, Synack launched Missions, the first tasking technology to direct a crowd towards specific activities. Applied to penetration testing, Missions provides structured testing methodologies to its customers for strict adherence to compliance standards such as PCI and NIST. “Synack took the unstructured way that crowdsourcing normally worked and added a controlled and defined method of using the crowd,” said Jay Kaplan, CEO and Co-founder of Synack. However, compliance is just the first use case for a product feature that can vector a crowd towards targeted activities. Missions will continue to disrupt and open up new security applications for the AI-enabled platform.
Follow @thesynackcrowd on Instagram to see what being a Disruptor means to us.
Every year, 250,000 servicemen and women leave the armed forces. Of those who leave, 65% struggle to find jobs, despite their highly specialized skill sets in fields like cybersecurity. In my view, active duty military, veterans, and spouses comprise a largely untapped market for technology companies and startups. Their hands-on training in cybersecurity, particularly in protecting highly valuable assets such as weapons systems or voter registration databases, should make them highly sought-after recruits.
As a Veteran myself, I have witnessed these struggles firsthand. The tech industry is growing at a rapid pace, but the skills acquired in the military aren’t easily and directly mapped to industry jobs. Private and other non-military company recruiters are left struggling to translate résumés and to determine whether service members have the qualifications to succeed at their organization. Cybersecurity and ethical hacking are skills many service members are equipped with, and they translate more directly to non-military organizations. When I first started my career in Silicon Valley, I was grateful for help from others, including thoughtful introductions and mentoring. I now have the distinct pleasure not only to program manage the Synack Red Team community, but also to lead the Synack Veterans Cyber Program. My vision for the Veterans Referral Incentive program is to help military personnel and their referrals find reliable, challenging and educational employment, whether they are serving now or in any other service status.
I’m sure many of my fellow veterans got a start in industry through personal introductions, mentoring, and referrals. We want to recreate and formalize that experience at Synack by launching our Referral Incentive Program under the Veterans Program umbrella. This program will be the first of its kind in the bug bounty and crowdsourcing space. Beginning this week, all Synack Veteran Professionals will be given the opportunity to refer other military spouses, active, reserve and veteran members of the armed forces who possess penetration testing skills. All referring SRT members will receive cash bonuses for every referred candidate who makes it through the Synack Red Team on-boarding process, and all new referred candidates are eligible for a cash bonus once they submit their first valid vulnerabilities on the Synack platform.
We’ve noticed a pattern here at Synack that comes up repeatedly: our veterans community helps each other out and shares information with each other more than any other subset of our hacker network. The nature of our veterans community is close-knit, and we want to encourage and build upon that strength. The aim of this referral program is to encourage Synack’s Veteran and Active Duty professionals to raise awareness of the opportunity in the Crowdsourced Security space through trusted and true connections.
Synack has a mission to provide opportunity and training to service members, and with a goal to grow the Synack Red Team veterans by 200% by the end of 2019, Synack will help to further technical skill sets beneficial to the SRT and the clients they help to protect. With more service members answering the call, global industries and United States DoD/Government entities will have the best of the best at their disposal. The Synack Red Team is comprised of some of the most skilled researchers around the globe, and the SVP contributes to those numbers by aiding private-sector organizations and government institutions that may have requirements calling for protected asset testing involving only United States or security-cleared citizens.
Beginning this week, Synack Veterans now have the opportunity to receive referral bonuses for any military (active duty, reserve, veteran) members who successfully make it through the Synack onboarding process to become Red Team members/Synack Veteran Professionals and receive their first accepted vulnerability during their first 30 days on the platform.
All referrals who meet these criteria, and who also successfully discover their second vuln during the first 60 days on the platform, will receive a bonus as well (all accepted vulns receive the standard payout for work, using CVSS scoring).
Bonuses in the amount of $500 will be paid to the referring Synack Veteran once their referral joins the SRT and receives confirmation of their first valid vuln within 30 days of their start date, and $250 will be paid to the referred Synack Veteran upon successfully discovering their second valid vuln within 60 days of their start date.
In order to submit a service member or their spouse for the referral program, Synack Veterans can go to Refer A Vet and fill out the form to begin the process.
Any questions and inquiries about the Referral Incentive Program or the Synack Veterans Cyber Program can be sent to email@example.com.