
Bitcoin Market Signals A Pivotal Turning Point – Here Are The Main Drivers Behind It

4 December 2025 at 14:00

Several key Bitcoin metrics are beginning to exhibit bullish action once again alongside the renewed upward traction in the asset’s price. With this kind of trend that points to growing momentum, the crypto king appears to be gearing up for a pivotal shift driven by newfound appetite from investors.

A Key Market Shift Unfolding For Bitcoin

Bitcoin has experienced a rebound as the crypto landscape turns bullish again, sending its price back above the $90,000 mark. Following the bounce on Wednesday, the BTC market appears to have reached a critical junction as it hints at an impending shift in the current trend.

Delving into the market performance, Darkfost, an author at CryptoQuant and market expert, has outlined the key driver behind the unfolding shift. In the research shared on the X platform, the expert revealed that the market today is heavily driven by derivatives. In addition to the derivatives-driven market, 2025 has been the most speculative year Bitcoin has ever seen in its existence.


Another key driver highlighted by the market expert is the actions of investors in the United States and the renewed demand at the institutional level. Darkfost’s research hinges on a critical Bitcoin metric, one that shows the average evolution of the Coinbase Premium Gap in the monthly timeframe and the Spot Bitcoin Exchange-Traded Funds (ETFs) netflows.

Specifically, this metric is the Bitcoin ETF – Netflow USD Vs. Coinbase Premium. It is worth noting that the Coinbase Premium Gap calculates the pricing difference between Coinbase Pro and Binance. This helps illustrate the behavior of different groups of investors. While Coinbase Pro is typically used by institutions and whales, Binance, which has the largest volume, is available to everyone.

The Coinbase Premium Gap decreased from +$109 to -$40 since October 16, when Bitcoin was valued at almost $113,000. Such a drop suggests that institutional investors sharply decreased their positions. 

BTC ETFs Netflows Impact On The Market

Interestingly, the same trend was observed in ETF netflows, which also flipped negative. During that period, BTC fell from $113,000 to $80,000, reflecting how strongly US and institutional demand influence the market.

As seen in the past, large negative swings have frequently indicated market bottoms, provided that the trend thereafter begins to turn. A trend of this kind is what is playing out in the market today.

However, current data reveals that the Coinbase Premium Gap has bounced back to -$13 while the average ETF netflow is valued at around -$100 million. This comeback in both sectors indicates that in the near term, the situation seems to be improving, and BTC’s price is reacting appropriately to the crucial shift. 

As a result, Darkfost predicts that a new all-time high for BTC may happen quickly if this pattern continues in the long run. The ongoing shift may be subtle, but it is noticeable as the market appears to be preparing for a phase that might largely change the course of Bitcoin.


Bitcoin Bullish Rebound Sparks Path Toward The $98,000 Imbalance Zone

28 November 2025 at 01:00

Bitcoin is showing new signs of strength after its sharp decline, with buyers stepping back in and momentum shifting upward. With price reclaiming key support levels, the path toward the major $98,000 imbalance zone is now back on the table, but bulls still need to prove this rebound has real conviction.

FVG Filled, Bearish OB Tagged — What Comes After The Perfect Hit?

Crypto analyst Crypto Patel, in a recent market update, noted that Bitcoin has now completed a key technical move by filling the Fair Value Gap (FVG) and tapping directly into the Bearish Order Block exactly as previously projected. He emphasized that traders who avoided shorting the $81,000–$85,000 region and instead positioned for the upside likely captured a clean and predictable long setup.

With that phase now complete, the focus shifts to Bitcoin’s next major target. Patel highlights the $96,800–$98,000 FVG as the upcoming high-timeframe imbalance zone. From a broader perspective, Patel still expects Bitcoin to make a move toward the $98,000 zone before any significant corrective leg unfolds. This aligns with his macro outlook, which continues to favor a final upward sweep into that region before momentum weakens again.


However, he also outlines a clear invalidation point for the bearish bias. A sustained high-timeframe close above $107,550 would negate the existing bearish market structure entirely. Such a breakout would signal the start of a new bullish phase for Bitcoin, potentially setting the stage for a fresh all-time-high trend.

Promising Bounce As BTC Defends the $90,000 Support Zone

According to The Boss, Bitcoin’s latest price action is showing early signs of strength. After the sharp decline, BTC reacted firmly at the local support and managed to push back above the $90,000 level, indicating that buyers are stepping in with renewed confidence. The chart now reflects a stable support zone that has held up against downward pressure.

Part of this rebound appears to be driven by improving macro sentiment. Softer expectations around Federal Reserve tightening, a rise in overall risk appetite, and a shift back toward risk-on assets are all contributing to Bitcoin’s recovery attempt. 

From a technical perspective, The Boss notes that Bitcoin must continue to hold above the $90,000–$91,000 range to form a meaningful upward wave from this base. However, caution is still warranted. Without clear confirmation from momentum indicators and sustained trading volume, the current move has the potential to be limited. The possibility of a dead-cat bounce remains on the table, especially following such an aggressive sell-off.


One-Way Data Extraction For Logging On Airgapped Systems

By: Lewin Day
27 November 2025 at 13:00

If you want to protect a system from being hacked, a great way to do that is with an airgap. This term specifically refers to keeping a system off any sort of network or external connection — there is literally air in between it and other systems. Of course, this can be limiting if you want to monitor or export logs from such systems. [Nelop Systems] decided to whip up a simple workaround for this issue, creating a bespoke one-way data extraction method.

The concept is demonstrated with a pair of Raspberry Pi computers. One is hooked up to critical industrial control systems, and is airgapped to protect it against outside intruders. It’s fitted with an optocoupler, with a UART hooked up to the LED side of the device. The other side of the optocoupler is hooked up to another Raspberry Pi, which is itself on a network and handles monitoring and logging duties.

This method creates a reliable one-way transmission method from the airgapped machine to the outside world, without allowing data to flow in the other direction. Indeed, there is no direct electrical connection at all, since the data is passing through the optocoupler, which provides isolation between the two computers. Security aficionados will argue that the machine is no longer really airgapped because there is some connection between it and the outside world. Regardless, it would be hard to gain any sort of access through the one-way optocoupler connection. If you can conceive of a way that would work, drop it down in the comments.
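Because the optocoupler link carries bytes in one direction only, the airgapped sender never receives an acknowledgement and cannot retransmit on request. The monitoring side therefore has to detect corruption and loss from the frames themselves. The following script is an added example and is not code from the article or from Nelop Systems: it assumes a simple frame format (sync marker, 16-bit sequence number, length, payload, CRC-32) that is this example's own design, and it simulates the UART byte stream in memory rather than opening a serial port, so it runs offline. The sample log lines, the dropped frame and the bit flip are constructed inputs.

```python
"""One-way UART log export with self-describing frames (added example).

Assumed frame layout: SYNC (2 bytes) | seq (u16) | length (u8) | payload | CRC-32 (u32).
The sender cannot hear the receiver, so every frame carries what the receiver
needs to validate it (CRC) and to notice gaps (sequence number).
"""
import struct
import zlib

SYNC = b"\xAA\x55"      # frame start marker (assumed value for this example)
MAX_PAYLOAD = 255       # length field is one byte


def encode_frame(seq: int, payload: bytes) -> bytes:
    """Airgapped side: wrap one log line in a frame. This is what goes out the UART."""
    if len(payload) > MAX_PAYLOAD:
        raise ValueError("payload too long for a single frame")
    body = struct.pack(">HB", seq & 0xFFFF, len(payload)) + payload
    crc = zlib.crc32(body) & 0xFFFFFFFF
    return SYNC + body + struct.pack(">I", crc)


class FrameDecoder:
    """Monitoring side: resynchronise on SYNC, verify CRC, count gaps and bad frames."""

    def __init__(self):
        self.buf = bytearray()
        self.expected_seq = None   # unknown until the first good frame arrives
        self.lost = 0              # sequence gaps (includes frames discarded as corrupt)
        self.corrupted = 0         # frames that failed the CRC check

    def feed(self, data: bytes):
        """Append bytes read from the UART and return a list of (seq, payload) frames."""
        self.buf += data
        frames = []
        while True:
            start = self.buf.find(SYNC)
            if start < 0:
                # keep a trailing 0xAA in case the second sync byte is still in flight
                tail = self.buf[-1:] if self.buf[-1:] == SYNC[:1] else b""
                self.buf[:] = tail
                break
            if start > 0:
                del self.buf[:start]          # discard line noise before the marker
            if len(self.buf) < 5:             # need SYNC + seq + length to size the frame
                break
            seq, length = struct.unpack(">HB", self.buf[2:5])
            total = 2 + 3 + length + 4
            if len(self.buf) < total:         # frame not complete yet; wait for more bytes
                break
            body = bytes(self.buf[2:5 + length])
            crc = struct.unpack(">I", self.buf[5 + length:total])[0]
            if zlib.crc32(body) & 0xFFFFFFFF != crc:
                # corrupt (or a false sync inside other data): skip this marker and re-hunt
                self.corrupted += 1
                del self.buf[:2]
                continue
            payload = body[3:]
            if self.expected_seq is not None and seq != self.expected_seq:
                self.lost += (seq - self.expected_seq) & 0xFFFF
            self.expected_seq = (seq + 1) & 0xFFFF
            frames.append((seq, payload))
            del self.buf[:total]
        return frames


def run_demo():
    """Constructed sample: four log lines; frame 1 is dropped, frame 2 has a flipped bit."""
    lines = [
        b"2025-11-27T13:00:01 plc1 valve=open",
        b"2025-11-27T13:00:02 plc1 pressure=4.1bar",
        b"2025-11-27T13:00:03 plc1 valve=closed",
        b"2025-11-27T13:00:04 plc1 alarm=none",
    ]
    frames = [encode_frame(seq, line) for seq, line in enumerate(lines)]
    damaged = bytearray(frames[2])
    damaged[10] ^= 0x01                               # one bit of payload corrupted on the wire
    wire = frames[0] + bytes(damaged) + frames[3]     # frame 1 never reaches the receiver
    dec = FrameDecoder()
    received = []
    for i in range(0, len(wire), 7):                  # deliver in small chunks, like a UART read loop
        received.extend(dec.feed(wire[i:i + 7]))
    return {
        "seqs": [seq for seq, _ in received],
        "payloads": [payload for _, payload in received],
        "lost": dec.lost,
        "corrupted": dec.corrupted,
    }


if __name__ == "__main__":
    print(run_demo())
```

On real hardware the `wire` bytes would come from the serial device (for example via pyserial) instead of the in-memory buffer, but the receiver logic is the same. The point of the sequence number is that the logging host can raise an alert when `lost` grows: on a data diode, silence and loss are indistinguishable without it, and an attacker who could disrupt the link would otherwise do so unnoticed.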

Optocouplers are very useful things; we’ve seen them used and abused for all sorts of different applications. If you’ve found some nifty use for these simple parts, be sure to drop us a line!

ShinyHunters Leak Data from Qantas, Vietnam Airlines and Other Major Firms

By: Waqas
13 October 2025 at 13:04
ShinyHunters and its affiliate hackers have leaked data from 6 firms, including Qantas and Vietnam Airlines, after claiming to breach 39 companies via a Salesforce vulnerability.

Accelerated Decision-making in Cybersecurity Requires Actionable Vulnerability Intelligence

7 September 2022 at 07:00

Cybersecurity officers tasked with finding and mitigating vulnerabilities in government organizations are already operating at capacity—and it’s not getting any easier.

First, the constant push for fast-paced develop-test-deploy cycles continuously introduces the risk of new vulnerabilities. Then there are changes in mission at the agency level, plus competing priorities to develop while simultaneously trying to secure everything (heard of DevSecOps?). Without additional capacity, it’s difficult to find exploitable critical vulnerabilities, remediate at scale and execute human-led offensive testing of the entire attack surface.

The traditional remedy for increased security demands has been to increase penetration testing in the tried and true fashion: hire a consulting firm or a single (and usually junior) FTE to pentest the assets that are glaring red. That method worked for most agencies, through 2007 anyway. In 2022, however, traditional methodology isn’t realistic. It doesn’t address the ongoing deficiencies in security testing capacity or capability. It’s also too slow and doesn’t scale for government agencies.

So in the face of an acute cybersecurity talent shortage, what’s a mission leader’s best option if they want to improve and expand their cybersecurity testing program, discover and mitigate vulnerabilities rapidly, and incorporate findings into their overall intelligence collection management framework? 

Security leaders should ask themselves the following questions as they look to scale their offensive and vulnerability intelligence programs:

  • Do we have continuous oversight into which assets are being tested, where and how much? 
  • Are we assessing vulnerabilities based on the Cybersecurity and Infrastructure Security Agency’s (CISA) Known Exploited Vulnerabilities Catalog, or are we assessing vulnerabilities using the Common Vulnerability Scoring System (CVSS) calculator?
  • Are we operationalizing penetration test results by integrating them into our SIEM/SOAR and security ops workflow, so we can visualize the big picture of vulnerabilities across our various assets? 
  • Are we prioritizing and mitigating the most critical vulnerabilities to our mission expediently? 

There is a way to kick-start a better security testing experience—in a FedRAMP Moderate environment with a diverse community of security researchers that provide scale to support the largest of directorates with global footprints. The Synack Platform pairs the talents of the Synack Red Team, a group of elite bug hunters, with continuous scanning and reporting capabilities.

Together, this pairing empowers cybersecurity officers to know what’s being tested, where it’s happening, and how much testing is being done with vulnerability intelligence. Correlated with publicly available information (PAI) and threat intelligence feeds, the blend of insights can further enhance an agency’s offensive cybersecurity stance and improve risk reduction efforts.

Synack helps government agencies mitigate cybersecurity hiring hurdles and the talent gap by delivering the offensive workforce needed quickly and at scale to ensure compliance and reduce risk. And we’re trusted by dozens of government agencies. By adding Synack Red Team mission findings into workflows for vulnerability assessment, security operations teams are given the vulnerability data needed to make faster and more informed decisions.

Intrigued? Let’s set up an intelligent demo. If you’re attending the Intelligence & National Security Summit at the Gaylord in National Harbor, Md., next week, we’ll be there attending sessions and chatting with officers at Kiosk 124. We hope to see you there! 

Luke Luckett is Senior Product Marketing Manager at Synack.

The post Accelerated Decision-making in Cybersecurity Requires Actionable Vulnerability Intelligence appeared first on Synack.

Testing Early and Often Can Reduce Flaws in App Development

18 August 2022 at 11:35

Security is too often an afterthought in the software development process. It’s easy to understand why: Application and software developers are tasked with getting rid of bugs and adding in new features in updates that must meet a grueling release schedule. 

Asking to include security testing before an update is deployed can bring up problems needing to be fixed. In an already tight timeline, that creates tension between developers and the security team. 

If you’re using traditional pentesting methods, the delays and disruption are too great a burden for a development team that is likely working in a continuous integration and continuous delivery (CI/CD) process. And if you’re using an automatic scanner to detect potential vulnerabilities, you’re receiving a long list of low-level vulns that obscures the most critical issues to address first.

Instead, continuous pentesting, or even scanning for a particular CVE, can harmonize development and security teams. And it’s increasingly important. A shocking 85% of commercial apps contain at least one critical vulnerability, according to a 2021 report, while 100% use open-source software, such as the now infamous Log4j. That’s not to knock on open-source software, but rather to say that a critical vulnerability can pop up at any time and it’s more likely to happen than not. 

If a critical vulnerability is found–or worse, exploited–the potential fines or settlement from a data breach could be astronomical. In the latest data breach settlement, T-Mobile agreed to pay $350 million to customers in a class action lawsuit and to invest an additional $150 million in its data security operations.

This is why many companies are hiring for development security operations (DevSecOps). The people in these roles work in concert with the development team to build a secure software development process into the existing deployment schedule. But with 700,000 infosec positions sitting open in the United States, it might be hard to find the right candidate. 

If you want to improve the security of your software and app development, here are some tips from Synack customers: 

  • Highlight only the most critical vulns to the dev team. The development team has time only to address what’s most important. Sorting through an endless list of vulns that might never be exploited won’t work. Synack delivers vulnerabilities that matter by incentivizing our researchers to focus on finding severe vulnerabilities.
  • Don’t shame, celebrate. Mistakes are inevitable. Instead of shaming or blaming the development team for a security flaw, cheer on the wins. Finding and fixing vulnerabilities before an update is released is a cause for celebration. Working together to protect the company’s reputation and your customers’ data is the shared goal. 
  • Embrace the pace. CI/CD isn’t going away and the key to deploying more secure apps and software is to find ways to work with developers. When vulns are found to be fixed, document the process for next time. And if there’s enough time, try testing for specific, relevant CVEs. Synack Red Team (SRT) members document their path to finding and exploiting vulnerabilities and can verify patches were implemented successfully. SRT security researchers can also test as narrow or broad a scope as you’d like with Synack’s testing offerings and catalog of specific checks, such as CVE and zero day checks.

Security is a vital component to all companies’ IT infrastructure, but it can’t stand in the way of the business. For more information about how Synack can help you integrate security checkpoints in your dev process, request a demo.


No Time to Waste: Why the Public Sector Needs a Better Way to Pentest

19 July 2022 at 14:21

Government agencies and public sector organizations have often struggled to compete with private companies for talent, a struggle only exacerbated by the COVID pandemic. A recent Bureau of Labor Statistics report found that about half of government jobs in the U.S. remain unfilled compared to pre-pandemic numbers.

This creates an even tighter squeeze on the already spent cybersecurity workforce; the White House reported a staggering 700,000 open cybersecurity roles in the U.S. The public sector continues to battle smaller budgets and fewer technical resources, while the challenge to protect the attack surface and anticipate new vulnerabilities becomes increasingly complex. 

Public-private partnerships can alleviate the pressure felt by the public sector globally by infusing top-tier talent into critical cybersecurity operations and providing consistent, readily available technology and support.

Government and public sector organizations are charged with keeping a country’s digital borders safe and secure. They’re needed to help keep the lights on, along with a myriad of other critical functions. To do that, organizations routinely test the health of their cybersecurity defenses. But are they getting the results and insight to keep up with today’s sophisticated cyber adversaries?  

Stale security practices keep public sector organizations in the past at a time when they need partners to help them operate on par with private companies.

Penetration testing, otherwise known as pentesting, is a technology that is fortunately evolving for the better.

Gone are the days of two people on-site with two laptops who take weeks to deliver a point-in-time report with few actionable insights. 

Here’s what modern pentesting can look like: a continuous process to sniff out critical vulnerabilities as they’re known, actionable results built into a seamless platform, and an ability to scale to respond to critical vulnerabilities like Log4j.   

The choice between outdated security testing and an agile, responsive pentesting solution to tackle a nation’s most pressing cybersecurity concerns is obvious. Synack provides premier security testing to keep public sector organizations at the top of their game, reducing risk while helping to keep critical data and infrastructure out of adversaries’ hands. Our innovative pentesting solution utilizes the Synack Red Team, a diverse community of more than 1,500 security researchers, and our secure platform to dig deep into web applications, cloud resources and other attack surfaces to find the vulnerabilities that matter most.  

Our recent whitepaper, “Government Agencies Deserve a Better Way to Pentest,” lays out the challenge with traditional pentesting and how public sector organizations can respond with maximum efficiency and limited budget. 

For U.S. government agencies

For U.K. public sector organisations 


Bridging The Cyber Talent Gap: Removing Barriers for Nontraditional Talent

14 July 2022 at 11:22

Charlie Waterhouse is a senior security analyst at Synack.

One major challenge in addressing the cybersecurity talent gap centers on capability. Even when you’ve found a candidate, do they have the right skills for your organization’s tech stack or just the list of certifications from the job description? Many organizations are missing out on talent and talent augmentation because of outdated hiring practices. 

Traditional Hiring Methods Might Screen Out the Best Candidates

If you’re having a hard time finding your next cyber candidate, ask yourself: Are you filtering out the best ones? Many great candidates are screened out by hiring systems for lacking traditional requirements like a four-year degree or a certain level of experience. Sometimes, the listed expectations are not only prohibitively rare, but impossible. I’ve seen job postings ask for five years’ experience in a technology that has only been around for three—and for an entry level position at that! There are also many job postings asking for an unreasonable 5-10 years in testing and analysis experience for an associate position. 

These job description errors have two detrimental effects: First, you discourage quality candidates from applying because they doubt their qualifications are applicable. Second, experienced practitioners may dismiss your company because they view the expectations as unreasonable. 

I have met many individuals with valuable cybersecurity skills who are frustrated at not being able to even land an interview. Priorities should shift to finding a candidate with the right skills, rather than looking for a litany of degrees or certifications. Often, these titles reflect theoretical knowledge but don’t necessarily signal actual hands-on experience or skill. A candidate may lack traditional resume items, but be a driven, passionate security professional who proves to be a star in your organization. 

Education and Investing in Employee Skills

There are plenty of training resources to help individuals start an IT or security career: BUiLT, FedVTE, Love Never Fails and others educate underserved communities. At Synack, we sponsor the Synack Academy, a program to train people for cybersecurity roles and recruit them for full-time roles upon graduation. Synack also actively recruits veterans both internally and for our global Synack Red Team community of top-notch security researchers.

The candidates who benefit from these educational efforts are hungry to advance and excel, putting in hours of their own time to learn new skills. Should you turn these individuals down just because they don’t check boxes like having a four-year degree? I wouldn’t. In my view, the people who graduate from these programs are some of the best you can hire. I would also encourage employers to provide access to training to advance skills of existing employees, an affordable initiative compared to the cost of searching for and hiring new candidates.

I know firsthand how successful a nontraditional candidate can be, as I was a nontraditional hire into security. I spent more than 20 years in the airline industry before coming to Synack as a security analyst. I do not have a degree in cybersecurity or a related field, but I did have an interest and drive to learn. I spent time working on real-life security problems and focused my energy on those scenarios. For example, I worked on Hack the Box to understand network security and exploitation of websites. Today, I am routinely brought into projects or client meetings as a technical expert on securing large enterprise environments. 

Evaluating What Skills Are Needed in Full-Time Roles

Even when a candidate has enticing skills, another dilemma can arise: Is your organization able to use them? Is there enough work to justify filling a full-time role?

Security needs come and go, and sometimes temporary work is a better option than adding a full-time employee. However, managing contractors is time-consuming, and finding them is challenging in its own right. 

Synack is particularly suited to address that challenge through talent augmentation. Researchers in our Synack Red Team can perform security testing on demand. When recruiting for the SRT, we assess each candidate’s skills and vet them carefully. This makes for a community with diverse, highly-skilled researchers who can tackle any attack surface. Some have traditional four-year degrees and practitioner experience, while others hail from less traditional backgrounds. But they all have the capability to help secure your organization. 

It’s Time To Rethink Your Approach to the Cybersecurity Talent Gap

At the end of the day, there are cyber candidates out there who can help bridge the talent gap. But traditional job descriptions might be prohibitively limiting. There are education initiatives underway aimed at bringing new, passionate people to the workforce, but additional hiring challenges may remain for cyber leaders. Alternative talent augmentation, like that brought by the Synack Red Team, may be the best option. 


How the 1,500+ Synack Red Team Members Solve Your Most Critical Cybersecurity Vulnerabilities

By: Synack
21 June 2022 at 07:00

By Kim Crawley

The Synack Red Team is made up of hundreds of the best pentesters and tech practitioners in the world, hailing from countries across the globe with a variety of skills, who coordinate their efforts to conduct pentesting engagements and other security tests for Synack’s clientele. 

When a large group of ethical hackers work together, they can find more exploits and vulnerabilities than traditional pentesting, which usually consists of two people with two laptops who conduct on-site testing over two weeks. 

But when you have security researchers working as a collective, they are smarter, more adept and more creative. As cyber threats become increasingly sophisticated, the Synack Red Team (SRT) has the advantage of a diverse and holistic talent pool to take on the challenge. 

Not only does the SRT bring a fresh perspective to pentesting, SRT members also help alleviate the widely felt skills gap in cybersecurity.

>> For an in-depth look at the SRT’s diversity of skills, read our white paper “Solving the Cyber Talent Gap with Diverse Expertise.” 

Whether you’re looking to take your organization’s security testing to the next level or a curious thinker who aspires to have a pentesting career, SRT members gave useful advice and explained how it all works. 

SRT Reduces Noise

Özgür Alp, from Turkey, had a lot of pentesting experience prior to joining the SRT, but working with the growing community of 1,500 security researchers taught him the power of collaboration at scale. 

“When I started at Synack, I had four years of experience as a pentester in a multi-global company,” Alp said. “After joining Synack and working as a full-time SRT member, I see that here we are focusing not only on the theoretical bugs but also trying to find the critical ones that matter and are exploitable within the real world scenarios.”

The gamification of vulnerability finding that happens on the researcher side of the platform means that you get their full attention and focus on finding vulnerabilities that matter. The more critical the vulnerability, the higher the payouts and recognition Synack rewards them with.

“I’m starting to focus on more complex scenarios, since you have time to work for that. For example, I actually learn what a theoretical bug could really mean in terms of business impact,” Alp said.

Applying Prior Cyber Knowledge and Experience 

Emily Liu, like many SRT members, works on the Synack platform part-time. Many SRT already work in a cybersecurity role and use the opportunity to apply the knowledge they’ve learned from their day-time job to their Synack role and vice-versa. 

“It sharpens my skills by allowing me to practice finding different vulnerabilities on real targets,” Liu said. “The whole process of doing work for SRT has taught me to think more creatively and to be more persistent, because you can find bounties so long as you put in the effort.”

But the work of the SRT can only be done with an “adversarial” perspective, from the outside-in. Büşra Turak explained the difference between being an SRT member and an employee or in-house consultant. 

“It is usually enough to show the existence of a finding in consultancy firms that provide pentest services. But we don’t do that here,” she said. “We show how much we can increase the impact of the finding or we need to show how the vulnerability is exploited.”

Taking the “Red Team” to the Next Level

In terms of bug bounties, red teaming and pentesting, Synack’s formula for vetting, monitoring and developing its SRT members puts them in another class of security researcher. SRT members are good at what they do from the start, and they’re also given immediate feedback for continuous improvement.

SRT member Nikhil Srivastava talked about what working with SRT has taught him.

“Initially, my reports were not up to the mark when I had just got into bug bounties. It was sent back to me multiple times for revision,” he said. “But, with the introduction of the Synack Quality Rule, we had to keep challenging ourselves with each new target launch—not only to find vulnerabilities but also to write a quality report that stands out from reports of other SRT members and is clearly understood by the clients. This helped me in leveling up.”

No matter if you’re able to get into the weeds of every vulnerability, a Synack report will thoroughly explain the potential exploit. 

“I started reporting vulnerabilities that could precisely illustrate the impact even to a non-technical person and could be easily replicated by them,” Srivastava said.

If you’re curious about what it takes to join the Synack Red Team, start your journey here. To better understand how the SRT can solve your struggle with the cyber talent gap, read our latest white paper.


Building a Bigger Tent in Cybersecurity: Lessons from Synack’s Celebrating Women in Cyber Breakfast

By: Synack
7 June 2022 at 17:11

This morning, Synack gathered a distinguished panel of women in cybersecurity to share their perspectives on the cybersecurity talent gap and offer lessons for supporting the next generation of women leaders.

Men still outnumber women by three to one in the cybersecurity industry, according to a recent (ISC)² report, despite evidence that a more diverse workforce drives better business and security outcomes. While executives at many organizations have acknowledged the problem, they’ve often struggled to find actionable solutions to address this talent gap.

At Fogo de Chão, steps away from the RSA Conference in San Francisco, Synack hosted Kiersten Todt, Chief of Staff at the U.S. Cybersecurity and Infrastructure Security Agency; Betsy Wille, Chief Information Security Officer, Abbott; Tiffany Gates, Senior Managing Director for the National Security Portfolio at Accenture Federal Services; and Edna Conway, VP, Security and Risk Officer, Azure Hardware Systems and Infrastructure at Microsoft, for an intimate conversation moderated by Jill Aitoro, SVP of Content Strategy at the CyberRisk Alliance.

Among the insights from the panel: It’s one thing to hire top talent, it’s another to make women feel like they belong at an organization. And security leaders will need to shake things up to meet aggressive goals like CISA’s plan to have women represent 50% of the agency’s work force by 2030, up from about 36% now.

“We have to be ambitious. We have to be disruptive, because the only way we’re going to get there is by undoing some of the things we’ve done today,” Todt said.

Other key takeaways from Synack’s Celebrating Women in Cyber Breakfast:

Start early

“We need to be bringing this terminology, this language, to kids in elementary school,” Todt said. “We have to surround them with this field so that they’re able to pull these factors in and grow up with it, so when they’re in high school, they can see the interest they have in these areas.”

Educational institutions will have to move fast to meet the talent needs of a rapidly evolving sector like cybersecurity.  

“I do think there’s a huge opportunity to grow this field much more substantively than we have, because it actually encompasses everything that we do,” Todt said. “There is no greater field that should truly represent the planet.”

Empower advocates

Gates of Accenture, who described herself as “terrible” with numbers, reached out to mentors in a range of fields while forging her own career path.

“Don’t flop toward someone who is just like you,” she said. “I want to be mentored by someone who was in the finance shop, just to better understand the kinds of obstacles and challenges they were dealing with.”

Conway, who said she’s currently a mentor to 14 people, pointed out that advocates like her “need to listen more than we speak, because each of our colleagues comes to the table with something different.”

Build a different kind of pipeline

Heavy turnover in the cybersecurity field has opened important conversations on alternative hiring pipelines, said Wille of Abbott. “We’re in better company than maybe we were a couple years ago in pushing the idea that the traditional means of education are not going to be the only places we can look. We’ve seen that improve,” she said.

Wille pointed out that a few months after starting work at Abbott, she was able to onboard someone who showed initiative but had no college degree on file because the company had enabled that level of hire. The employee has since been promoted, and Wille said she would “hire 10” just like her if she could.

Still, challenges persist in areas like security clearances, which can be integral to a federal cybersecurity career but trip up many candidates.

“When we talk about how hard it is to find women that we can bring in, now take 20% of that available pool,” Gates said. “That is what I have to work with, because the number of cleared resources in this community just decimates the number of women that I have available to choose from.”

Commit to learning

“Talent doesn’t come in one container, it doesn’t come with one linear trajectory,” Todt said. “We have to do a better job opening up the aperture.”

Poorly written or overly demanding job descriptions can turn away prospective candidates at the front door. Instilling the courage to apply in the first place is key, but that’s not the end of the story.

“It’s not just to have confidence, but quite frankly to step up and be willing to do the work to figure out what you need to learn and go learn it,” said Conway, who pointed out that she has a degree in medieval renaissance literature but built her career in tech by continuously asking questions. “The burden falls on each and every one of us… Reach out, pull up, help, kick in the derriere when needed and do it with care, do it with humility, and you’ll be amazed what happens. We are a powerful force together: Never forget that.”

For more information about how Synack is tackling the cybersecurity talent gap, check out our white paper “Solving the Cyber Talent Gap with Diverse Expertise.”

The post Building a Bigger Tent in Cybersecurity: Lessons from Synack’s Celebrating Women in Cyber Breakfast appeared first on Synack.

Synack and Accenture—Working Together to Protect the Nation’s Critical Assets

By: Synack
10 March 2022 at 10:00

Synack works with innovative government security leaders who are responsible for protecting their organizations by finding and remediating exploitable vulnerabilities before they can be used by an attacker. In this effort we have formed trusted partnerships with federal agencies and their consultants, helping them to achieve mission-critical goals safely. Synack has worked with more than 30 federal agencies to quickly identify known and unknown vulnerabilities before attackers can take advantage of them. And Synack has received Moderate “In Process” status from the Federal Risk and Authorization Management Program (FedRAMP), underscoring Synack’s commitment to stringent data and compliance standards. This work is especially important in light of President Biden’s recent cybersecurity memorandum laying out steps that federal agencies need to take to protect the nation’s critical assets – its networks and data.

An example of such recent and essential work brings us back to December 12, 2021, when the U.S. Department of Homeland Security (DHS) issued a warning about the Log4j vulnerability. Federal agencies were required to identify whether they had the vulnerability and remediate it by December 24th. The challenge for agencies trying to find this vulnerability was that the effort could take weeks. Synack’s SWAT team was able to identify the vulnerability (and its variants) for agencies in a matter of hours. Without Synack, this could have taken days or weeks to find. One Synack federal customer was able to successfully test more than 520 active hosts and 200 in a 24-hour period for this critical vulnerability.

Accenture Federal Services (Accenture) is a premier consultant to cabinet-level federal agencies, providing end-to-end cybersecurity services and skilled professionals to help agencies innovate safely and build cyber resilience. In partnering with Synack, Accenture brings to bear the power and speed of the Synack platform to help federal agencies be more proactive with their cybersecurity practices. Working together, Synack and Accenture are delivering innovative solutions, including continuous security testing, which empowers agencies to quickly detect and remediate vulnerabilities before they can be exploited. Synack’s comprehensive security testing complements Accenture’s hands-on consultative engagements, supporting agencies as they integrate security into their organizations.

Proactive components of security programs are critical and yet often hard to perform at scale, primarily due to the cyber talent gap. Together, Accenture and Synack are successfully building proactive measures into agency-wide security programs with clear impact and staying power. We are regularly delivering on unprecedented find-to-fix vulnerability cycles, Vulnerability Disclosure Programs (VDPs, per BOD 20-01), and testing in pre-production environments.

The Power of Synack & Accenture Federal Enables Security Teams for On-Demand Security Testing

  • Penetration testing at scale
  • Nimble responsiveness to time-sensitive customer needs
  • Continuous security posture testing
  • Evaluation of high-value assets and testing of internal, external, and cloud assets
  • Policy and compliance audits

The Synack/Accenture partnership is a strong example of how Synack can provide a higher level of pentesting and security evaluation to government customers with varying levels of security expertise. In-house pentesting is difficult to scale, but Synack’s community of the world’s most skilled and trusted ethical researchers delivers effective, efficient, and actionable security testing on-demand and at scale, allowing security teams to focus on the vulnerabilities that matter most.

The post Synack and Accenture—Working Together to Protect the Nation’s Critical Assets appeared first on Synack.

Synack Achieves FedRAMP Moderate In Process Milestone

By: Synack
8 February 2022 at 08:00

By Dan Mulvey, Regional Vice President, Federal

Enabling Continuous Penetration Testing at Scale for Federal Agencies 

Synack has paved the way as a trusted leader in cybersecurity testing and vulnerability disclosure management. Now, Synack is raising the bar even higher by achieving the FedRAMP Moderate “In Process” milestone, helping to make federal data secure. Synack’s sponsoring agency for FedRAMP is the U.S. Department of Health & Human Services (HHS). Synack’s Discover, Certify, Synack365 and Synack Campaigns offerings are now available on the FedRAMP Marketplace.

FedRAMP and Synack 

The Federal Risk and Authorization Management Program (FedRAMP) is a U.S. government-wide program that provides a standardized approach to security assessment, authorization and monitoring for cloud services. As part of its FedRAMP designation, Synack will be implementing 325 controls across 17 NIST 800-53 control families. Not only will this greatly enhance current protections for federal customer data, but it will also provide assurance to all our customers that Synack is reducing risk and providing government-grade data privacy protections.

The Growing Importance of Security Testing

Organizations spend on average $1.3M per year on erroneous or inaccurate alerts, and sadly, while the average company gets 1 million alerts per year, only 4% are ever investigated. During a time when attacks are at an all-time high, it’s more important than ever to have security protections in place with results you can trust. Synack’s new FedRAMP Moderate “In Process” designation underlines the company’s commitment to providing a high level of security across the board and quality results, speeding vulnerability management efforts and reducing risks to government assets. 

Federal agencies have already been engaged with crowdsourced security testing solutions since such solutions were endorsed by the 2020 National Defense Authorization Act (NDAA), the National Cyber Strategy, and the Cybersecurity and Infrastructure Security Agency Binding Operational Directive (BOD) 20-01. Notably, as part of BOD 20-01, agencies are now required to develop vulnerability disclosure programs (VDPs).

The 5 Benefits of Synack FedRAMP for Federal Agencies

Through partnering with Synack and leveraging Synack’s FedRAMP Moderate “In Process” designation, agencies can be reassured that their data is in safe hands. Synack will now provide the following benefits to federal agencies:

  • Easy and quick procurement: Saves agencies time and effort, and 30 percent or more in costs, by allowing them to leverage the existing assessments and authorization under FedRAMP.
  • Risk mitigation: A security assessment at the Moderate level contains 3x the security controls of an ISO 27001 certification. These protections provide assurance that Synack is handling your data and the pentesting process with extra care.
  • FISMA compliance: Agencies are required to maintain FISMA compliance and FedRAMP provides a more affordable path to FISMA compliance. Many of the NIST 800-53 controls in FedRAMP overlap with those in FISMA, which means you don’t have to spend extra resources implementing these controls with vendors during an annual audit.
  • Data security: Unlike FedRAMP LI-SaaS, FedRAMP Moderate is designed for agencies handling both external and internal applications. Additionally, if an agency works with sensitive data, they should be working with providers at the Moderate level. 
  • Continuous monitoring: In order to comply with FedRAMP, agencies and software providers must continuously monitor certain controls and go through an annual assessment, which ensures they are always working with a fully-compliant testing provider.

Why the FedRAMP Designation Matters

Synack is the only crowdsourced security company that has achieved the “In Process” status at the Moderate level. FedRAMP levels vary across the number of controls required, the sensitivity of the information, and the network access for government applications. Cloud service providers (CSPs) are granted authorizations at four impact levels: LI-SaaS (Low Impact Software-as-a-Service), Low, Moderate and High. 

[Figure: the four FedRAMP impact levels, LI-SaaS, Low, Moderate and High]

The stark difference in the controls required is particularly apparent when you compare each of the 17 NIST 800-53 control families side by side. There are drastically more requirements for certain control families like access control, identification and authentication, and system and information integrity. These additional controls that Synack is adhering to ensure that your government assets—whether external or internal—stay secure.

[Figure: number of controls per NIST 800-53 control family, LI-SaaS vs. Moderate level]

If you’d like to learn more about Synack’s FedRAMP environment or solutions for your Federal SOC, click here to book a meeting with a Synack representative.

The post Synack Achieves FedRAMP Moderate In Process Milestone appeared first on Synack.

4 Effective Vulnerability Management Tips for Security Leaders

By: Synack
28 January 2022 at 13:00

From the SolarWinds Orion hack to the Kaseya ransomware attack, recent incidents have proven that a single vulnerability in a company’s product or supply chain can have a massive business and brand impact—potentially even posing a national security threat. Security leaders are under more pressure than ever to improve the speed, efficiency, and effectiveness of their incident response. 

To help investigate how security leaders on the front lines are handling the challenge, Synack sat down with Justin Anderson, Head of Vulnerability Management at LinkedIn, for a talk entitled, “Best Practices for Fast & Effective Vulnerability Management” on Dec. 8, 2021. Justin has years of technical experience in a wide range of contexts from the U.S. Air Force to LinkedIn, giving him a unique perspective that’s valuable for any executive or security leader dealing with vulnerability management issues. He spoke alongside Synack Product Analyst, Charlie Waterhouse. Charlie has years of experience conceptualizing security test methodologies that address vulnerability management concerns. 

In fact, many of the problems that Justin has addressed in his role are similar to those Synack is looking to solve with its Campaigns product offering. Read on to learn more!

No. 1: Use Human Talent and Time Wisely 

As security leaders build out their teams, the cyber talent gap continues to be a significant hurdle. The Biden administration has recognized a need to fill 600,000 cybersecurity jobs. Additionally, engineering talent, especially in Silicon Valley, is expensive and in incredibly high demand.

As a security leader, it does not make sense to hire specialized, in-house security talent. Synack supplies researchers with a variety of skill sets combined with a catalog of on-demand security products that can reduce a team’s workload from months to hours or days. Synack’s researchers’ expertise spans cloud environments such as AWS, Azure and GCP to APIs and mobile applications. Whether security teams are testing for compliance, M&A or a new product launch, Synack’s “App Store”-like experience provides a flexible array of on-demand testing and tasks, with many serving established security frameworks like OWASP Top 10 and NIST 800-53.

No. 2: Balance User Needs and Security 

In the words of Charlie Waterhouse, Security Analyst at Synack, “There is some internal tension between security and user experience.” Security is increasingly part of the development process, but when does it start to hinder instead of help growth? Justin from LinkedIn added, “We live in a world where we don’t have fantastic metrics on risk reduction. We also lack metrics on user experience. Security can be a greater threat than any attacker could be. An opaque and lengthy process can slow down an entire business.”

Synack has taken this into account by providing Synack Campaigns such as those based on the Open Web Application Security Project (OWASP) Application Security Verification Standard (ASVS). The three levels of ASVS Campaigns provide flexibility, so security teams can decide the level of security they need based on whether or not the application provides access to sensitive data.

No. 3: Prioritize Across a Growing List of Vulnerabilities and Risks—Don’t Panic

Security teams face a rapidly growing attack surface. The key to managing it is maintaining a balance between addressing tech debt and responding to new threats. 

The first priority is often taking an inventory of the assets and cleaning up “tech debt.” Regularly updating software has never been more important. To go a step further and try to prioritize, Justin recommends compliance scoring. “A higher critical vulnerability should be the priority. We don’t go into the nuance of how this particular vulnerability may have an exploit. An exploit is likely to develop soon, but we try to get in the habit of regular cycle updates.”

Another priority may come from rapid response to news events such as the recent Apache Log4j vulnerability. This can distract security and IT teams—leading to panic. As Justin stated, “Sometimes, news cycles drive patching for things that are not that risky. As a security professional, it’s your job to explain why it’s not necessarily that risky and keep people from overreacting to something that’s not impactful. The other side of that is some vulnerabilities that have not been exploited, yet it seems like someone is going to find an exploit soon. The goal is to prevent any third-party attackers from getting access to the data.”

Synack offers checks for specific CVEs via Synack Campaigns. After researchers revealed the Log4j vulnerability, Synack responded immediately and provided an in-product check for the vulnerability in the form of a CVE Campaign. Within hours, Synack Researchers executed the Campaign, checking for the CVE, collaborating on the most efficient methods for detecting Log4j, and providing customers with a risk assessment. Synack presents the information in a digestible, actionable way in order to save teams time and answer important questions via a report generated by running the Campaign.

No. 4: Effectively Communicate Vulnerability Risks To Leadership Teams

The leadership in some organizations may be more tech-savvy than in others. That being said, one principle that holds true across all these interactions is that the best way to convey a message as a security leader is to become an expert on that specific vulnerability or security risk and its implications for your organization. 

Synack provides a reporting feature for Campaigns that compiles all the information necessary for leadership, legal, ops, or IT teams. The reports contain information like the severity of vulnerabilities found, whether certain task list items are “pass” or “fail,” evidence, and steps to reproduce findings. These reports are invaluable tools to communicate technical information to a non-technical audience, as well as for showing proof of work.

We hope that this information is useful for your organization as you consider different options. The cyber talent gap is only increasing. Security teams need on-demand solutions, automation, and specialized skills to address the growing workload. Vulnerability management leaders need products that improve security but not at the expense of user experience. There is a growing need to prioritize as vulnerabilities increase every year and attackers become more efficient. Lastly, security leaders need to fully immerse themselves in the nuance of new vulnerabilities and understand their potential impact. When security leaders communicate with executives, they should know the organization’s asset inventory, the extent of the vulnerability’s impact, and actions taken (or not taken) to mitigate its impact. All of these problems are front and center today for vulnerability management leaders, which is why we have developed a new product targeted at these pain points. 

If you are interested in learning more about Campaigns, check out our dedicated webpage, or request a demo.

The post 4 Effective Vulnerability Management Tips for Security Leaders appeared first on Synack.

Providing On-Demand Testing for CVE-2021-44228 (Log4j) with Synack Testing

By: Synack
14 December 2021 at 18:08

Testing for CVE-2021-44228 (Log4j) with Synack

Since Friday, December 10, 2021, researchers from the Synack Red Team (SRT) have been solving customer needs related to CVE-2021-44228—the CVE that details a critical log4j vulnerability with wide-reaching implications across industries.

Responding to the Critical Vulnerability with Synack Testing

By 8 A.M. PST, once its magnitude and implications became clear to Synack operations, a new CVE entry for CVE-2021-44228 was created in the Synack Platform. The Log4j check immediately became available for customers to launch, long before most of the world read about the vulnerability in headlines and social feeds.

Synack CVE Checks connect an organization to SRT researchers capable of accomplishing specific security tasks. In this case, organizations can select CVE-2021-44228 within the Synack Platform and have a researcher check for the vulnerability on-demand.

Testing with the Best Researchers on the Planet

Over 30 SRT members assembled to cultivate ideas and improve the entire community’s efficiency and effectiveness. Together, they are bringing a diverse spectrum of perspectives from different backgrounds, ranging from military and government to academia and tech. This collaboration of top researchers allows Synack to improve the quality of testing for all customers with better processes, tools, and payloads.

The SRT often shares best practices within the community to help each other level up and make the entire internet safer. Compared to traditional testers or automated scanning tools, the SRT brings these sorts of advantages: human collaboration, diversity and creativity.

The Landscape of CVE-2021-44228 Across Industries

Since Friday morning, Synack has checked over half a million IP addresses across our customer base, confirming the status of thousands of CVE-2021-44228 checks and providing detailed reports containing proof of work and methodologies. With a combination of human intelligence and automated tools, Synack is addressing the vulnerability at an unprecedented scale and pace.

Vulnerable instances span across countries and industries and exist both in the government and private sectors. The urgency of the vulnerability has not been overstated by news outlets and social media – Synack recommends that customers activate the CVE check as soon as possible.

Checking for CVE-2021-44228 On-Demand—The Advantages of Synack Campaigns

Since the weekend that followed the CVE’s publication, Synack customers have utilized the Synack Platform to activate hundreds of checks from researchers around the world.

Synack beats other models to the punch. Scanners do not yet have the vulnerability’s signature, traditional pentesting engagements take significant time to spin up, and other bug bounty models do not provide the immediacy or certainty that a vulnerability like this one requires. The model provides on-demand services relevant to CVEs today and prepares organizations for the next 0day like CVE-2021-44228. Reach out to a Synack representative today to explore existing CVE checks, as well as other offerings available in the Synack Catalog.

The CVE-2021-44228 testing provided by Synack provides immediate results and reporting. The researcher will provide a clear yes/no answer on an asset’s vulnerability status, as well as details about their methodology, screenshots, and general proof of work.

Activate the Synack CVE-2021-44228 Test Today

Reach out to your Synack representative to activate the CVE-2021-44228 test today. If you’re new to the Synack Platform, reach out to us here and learn how to get started with Synack’s on-demand security platform and pentesting.

Update: Synack was asked whether our systems are vulnerable to Log4j. Synack does not use Log4j and has determined that we are not vulnerable to exploitation. In response to increased attack traffic attempting to exploit the vulnerability, we have taken additional steps to block the malicious traffic accordingly.

The post Providing On-Demand Testing for CVE-2021-44228 (Log4j) with Synack Testing appeared first on Synack.

The Synack Platform Expands to Confront the Cyber Skills Gap

12 October 2021 at 11:00

At Synack, we’re truly committed to making the world a safer place. We’re doing that by helping organizations defend themselves against an onslaught of cyberattacks. We’re harnessing the tremendous power of the Synack Red Team, our community of the most skilled and trusted ethical hackers in the world, and through the most-advanced security tools available today to deliver continuous penetration testing (and more) with actionable, prioritized results.

Now, the Synack Platform is expanding to help organizations globally overcome the worldwide cybersecurity talent gap. I am excited to announce the launch of Synack Campaigns to provide on-demand access to the SRT, who will be available 24/7 to execute specific and unique cybersecurity tasks whenever you need them — and deliver results within hours. This new approach to executing targeted security operations tasks will fundamentally change organizations’ approach to cybersecurity by providing on-demand access to this highly skilled community of security researchers.

During my time at Synack, I’ve seen firsthand how the Synack Operations and Customer Success teams creatively engage with the SRT to address a growing range of clients’ security operations tasks, in addition to our traditional vulnerability discovery and penetration testing services. 

Now, we are making these targeted security activities directly available to every organization in the form of Synack Campaigns, available through the new Synack Catalog, also launching today on the Synack Client Platform.

[Figure: the Synack Campaigns application]

The new Synack Catalog, where customers can discover, configure, purchase and launch Synack Campaigns is available now on the Synack Client Portal. Please speak with your CSM to have this feature enabled for your organization.

I know from speaking to our clients across multiple industries that security teams are struggling to keep pace with the speed of product development. At the same time, they are trying to scale defenses to meet the complexity and magnitude of today’s threats. Our customers describe challenges with their growing backlog of security tasks such as CVE checks and cloud configuration reviews. On top of all of that, there’s the need to implement industry best-practice frameworks such as OWASP and MITRE ATT&CK. Essentially, customer security teams are struggling with demanding workloads and have asked us for assistance in a number of areas:

  • On-demand access to talented Synack Red Team members who are available 24/7 and capable of completing diverse security operations activities across a growing range of assets. 
  • A flexible security solution that can be configured to meet their specific needs in one centralized platform with their existing pentesting insights.
  • A security solution that delivers results quickly (hours and days, not weeks or months) and is aligned with their agile development processes.

Synack Campaigns expands the core capabilities of the Synack Platform, including our trusted community of researchers, an extensive set of workflows, payment services, secure access controls and intelligent skills-based task-routing to provide customers with the ability to execute a growing catalog of cybersecurity operations.

With Synack Campaigns our researchers can augment internal security teams by performing targeted security checks such as:

  • CVE and OWASP Top 10 vulnerability checks
  • Cloud Configuration Checks
  • Compliance Testing (NIST, PCI, GDPR, etc.)
  • ASVS Checks

Synack Campaigns are built to complement our vulnerability management and pentesting services, and help customers achieve long-term security objectives, such as Application Security, M&A Due Diligence, and Vulnerability Management.

I’m excited for you to learn more about Synack Campaigns and to hear how you and your teams would like to leverage our on-demand community of researchers to address your organization’s growing operational security needs.

Peter Blanks is Synack’s Chief Product Officer.

The post The Synack Platform Expands to Confront the Cyber Skills Gap appeared first on Synack.
