Making Security Testing Part of Your Agile Software Development Life Cycle

14 December 2022 at 11:48

Developing and updating software using an agile methodology has become increasingly popular, and it has real benefits compared with a traditional waterfall approach, including productivity gains, flexibility and continuous improvement. But when it comes to validating software security, agile methodology also presents challenges.

With an agile Software Development Life Cycle (SDLC) also comes concurrent workflows, adjusting goals and frequent deliverable changes. Predictable static security testing methods that may have been suitable for a waterfall approach quickly fail to keep pace in a more dynamic agile SDLC.

To meet this challenge, we have partnered with Jira, the leading software development tool used by agile teams, to make continuous security validation an integrated part of the SDLC. Synack continuously tests application security throughout the development and update phases, so vulnerabilities can be discovered earlier in the life cycle even as the projects are frequently changing. Unlike traditional static security testing approaches, which run infrequently and with rigid scope, our security testing runs continuously with dynamic and open scope.

We offer insights and intelligence by delivering reports of exploitable vulnerabilities discovered through our premier security testing platform that seamlessly integrates the adversarial perspective of the world’s elite community of security researchers, the Synack Red Team (SRT), with our continuous scanning technology.

Our approach combines machine intelligence to surface well known and suspected vulnerabilities, with human expertise for open vulnerability discovery and detailed reporting about actual exploitable gaps in application security. The SRT provides specific recommendations to fix vulnerabilities and will retest as the software team applies patches. In this manner, software security posture can be continuously validated and improved throughout the SDLC rather than waiting until vulnerabilities manifest themselves late in the development process or worse yet, after being released to production.

Sample security vulnerability ticket in Jira

The Synack App for Jira integrates Synack vulnerability findings with SDLC workflows so that security issues can be remediated more effectively and efficiently. By integrating Synack and Jira instances, we’ve removed the inefficiencies that come with vulnerability management and software development being independent, unintegrated workflows.

Any time new vulnerability findings are reported by the Synack Platform, they are also populated automatically within the associated Jira project based on predefined configurations and field mappings. Any time you make a status update on the Synack Platform or in Jira, the change is synced to both platforms, allowing your security and development teams to see the same information concurrently and to track progress until the issue has been fixed.

Finally, security comments are synced to the Jira project so that all participants in the SDLC have access to the finding details, even if they don't have direct access to security tools. Armed with real-time security findings, your agile team can make course corrections immediately, before the problems compound and escalate.

Mapping between status changes in Synack and Jira

Synack's App for Jira is free and simple to set up. It's a plug-and-play app that installs on your existing Jira subscription and can be configured to work with your Synack Platform subscription within a matter of minutes. The Synack App for Jira is supported for on-premise (Server and Data Center) and Cloud instances of Jira.

For more information, see the Atlassian Marketplace listing or read our solution brief. Contact our tech alliance team for further information at technologypartners@synack.com.

The post Making Security Testing Part of Your Agile Software Development Life Cycle appeared first on Synack.

Optimize Your SOC with ServiceNow and Synack

26 October 2022 at 12:47

ServiceNow, a leading provider of management tools for security and IT operations, has joined forces with Synack to help Security Operations Center (SOC) operators spot and correct gaps in vulnerability detection and protection.

Enterprises rely on ServiceNow to monitor, manage and respond to security incidents from across their hybrid infrastructure. By cohesively gathering, correlating and remediating incidents originating from their wide spectrum of security defenses, ServiceNow improves an enterprise's SOC workflows, efficiency and effectiveness.

Although a SOC's defenses, led by its ServiceNow implementation, can be best-in-class, they are by nature reactive to vulnerabilities and breach attempts as they occur. Offensive security testing allows an enterprise to proactively evaluate the effectiveness and proper configuration of its security defenses and to spot and correct gaps in vulnerability detection and protection before actual attacks occur.

Traditional approaches to security testing include yearly compliance audits and pentests which, while necessary, are not dynamic enough to test defenses against new vulnerabilities that may surface at any time. At the same time, requiring SOC staff to proactively test security defenses on a continuous basis has historically been impractical and too costly.

To address this challenge, Synack’s Premier Security Testing Platform leverages the power of our automated smart scanning combined with human triage and pentesting by the Synack Red Team (SRT). The SRT is our expert, vetted community of 1,500+ security researchers available on demand to test against new exploits. Using Synack testing, SOCs receive confirmed reports of exploitable vulnerabilities along with recommendations for remediation.

Synack’s certified integration with ServiceNow Vulnerability Response Management allows enterprises to manage exploitable vulnerabilities discovered by Synack as part of their established workflows and processes in ServiceNow. Using the Synack integration, the entire lifecycle of offensive testing and security gap remediation is managed from within ServiceNow, streamlining SOC efficiency and responsiveness to emerging threats.

The addition of Synack to ServiceNow offers the following capabilities:

  • Enables 24x7x365 testing of network and application assets monitored by a SOC team.
  • Proactively tests security controls, with continuous adversarial testing against new vulnerabilities.
  • Combines smart, automated scanning with human intelligence for thorough analysis of exploitable vulnerabilities.
  • Provides scalable, on-demand testing via the SRT.
  • Greatly reduces SOC alert noise and false positives by combining automated testing with human triage.
  • Identifies sources of critical risk to prioritize assets for deeper penetration testing and targeted SOC remediation efforts.
  • Delivers an attacker resistance score to quantify risk on an organization-wide and asset-by-asset basis.
  • Integrates management of testing, findings and patch verification.
  • Provides detailed reports and recommendations concerning exploitable vulnerabilities, triaged by the SRT and Synack Operations.

How Synack complements and optimizes a ServiceNow-managed SOC:

  • Synack findings are integrated with the SOC's ServiceNow tools and processes to ensure a coordinated workflow.
  • Efficiently blends the benefits of full-time in-house or dedicated SOC resources with the diverse perspectives of a team of vetted security testing talent to meet surges in demand.
  • Allows SOC operators and analysts to identify gaps in security detection and prevention capabilities and, through re-testing by the SRT, prove that their SOC remediation efforts are successful.
  • Provides a manageable and repeatable security testing process to facilitate continuous posture improvement.

To learn more about the ServiceNow and Synack partnership, visit our ServiceNow partner page.

The post Optimize Your SOC with ServiceNow and Synack appeared first on Synack.

Splunk and Synack Partner to Bring Both a Defense and Offensive Strategy

29 August 2022 at 17:55

In the cyber realm, organizations are often running their defensive and offensive security operations with little coordination.

Defensive security techniques, such as firewalls, endpoint detection and response, network access control, intrusion prevention and security information and event management, detect and stop attackers. Offensive security, by contrast, offers a way to test the effectiveness of those cyber defenses, using techniques and tools such as red teaming, penetration testing, vulnerability assessments and digital reconnaissance. Too often, organizations focus on defensive security and not enough on offensive security testing.

Red Team vs. Blue Team

By design, security offense and defense teams work separately, with the red team or pentesters probing the attack surface looking for weaknesses, much as malicious hackers might. Without consistent and frequent communication between the two, the defense won't know where to make improvements.

Security Operations Centers (SOCs) focus on defensive cybersecurity. Because SOCs use many defensive security tools, they need a single pane of glass to view and correlate the data points coming from each source. Splunk Enterprise and Splunk Cloud (Splunk) are data platforms at the center of security operations that provide insights across disparate data streams to achieve end-to-end visibility for SOCs. What is often missing from that single pane of glass is the results of offensive security testing.

To bring offensive security data into that view, Synack offers an add-on app for Splunk, allowing the SOC to view, correlate and receive alerts on the results of offensive security tests, together with recommended fixes to their defensive security, in real time.

When information about security flaws isn't accessible to the SOC, vulnerabilities and exploits uncovered by offensive security testing are reviewed only occasionally (e.g., in conjunction with periodic events such as yearly security compliance audits). New types of threats appear daily, so an occasional review isn't sufficient to maintain a good security posture. Given the opportunity, however, Splunk's architecture can ingest dynamic offensive security testing results and make them actionable for security leaders.

An organization’s defenses can, and should, be tested against the latest security threats, not just the ones needed to pass a yearly compliance audit.

The Synack Integration with Splunk

Synack helps address these challenges by offering a premier security testing platform, supported by an expert, vetted community of security researchers who run continuous vulnerability assessments and deliver on-demand pentesting as new exploits emerge. The Synack Red Team (SRT), 1,500+ members strong, allows customers to take advantage of a diverse and instantly scalable security talent pool without the overhead of static headcount to accommodate surges in testing demand. Customers get offensive security testing 365 days a year, with actionable reports that empower them to tackle new risks as they occur.

Synack platform screenshot

The Synack integration with Splunk surfaces exploitable vulnerabilities that can be correlated with network traffic, logs and other data collected by Splunk to recommend more effective security policies and rules on defensive tools (e.g., intrusion prevention systems and web application firewalls). Progress in hardening an organization's attack surface is made by reviewing results, verifying recommendations and applying patches (which can then be verified by the SRT). The integration automates this process, facilitating continual improvement in security posture.

Splunk platform screenshot

With the integration between Synack and Splunk, organizations can seamlessly incorporate offensive security into their SOC, enabling continuous defensive improvement in cybersecurity posture and protection. Splunk and Synack help all your team members work from the same playbook.

To learn more about Synack's premier security testing, please visit our website; to learn about Splunk, see their site; and to access the Synack Integration with Splunk, please visit Splunkbase.

The post Splunk and Synack Partner to Bring Both a Defense and Offensive Strategy appeared first on Synack.
