
Minimize Noise With Human-Led API Pentesting

Last week, we released a new API Pentesting product that allows you to test your headless API endpoints through the Synack Platform. Before the release, we had already fielded more than 100 requests for headless API pentests, indicating a growing need from our customers. This new capability provides an opportunity to get human-led testing and proof-of-coverage on this critical and sprawling part of the attack surface.

Testing APIs Through Web Applications Versus Headless Testing

For years, Synack has found exploitable API vulnerabilities through web applications. However, as Gartner notes, 90% of web applications now have a larger attack surface exposed via APIs than through the user interface. Web application pentests alone are no longer adequate for securing the API attack surface, hence the need for the new headless API pentest from Synack.

Our API pentesting product allows you to activate researchers from the Synack Red Team (SRT) to pentest your API endpoints, headless or otherwise. These researchers have proven API testing skills and will provide thorough testing coverage with less noise than automated solutions.

The Synack Difference: Human-led Coverage and Results

Automated API scanners and testing solutions can produce many false positives and much noise. With our human-led pentesting, we leverage the creativity and diverse perspectives of global researchers to provide meaningful testing coverage and find the vulnerabilities that matter. SRT researchers are compensated for completing the check and are also paid for any exploitable vulnerability findings to ensure a thorough, incentive-driven test.

Additionally, each submitted vulnerability is vetted by an in-house team called Vulnerability Operations. This reduces noise and prevents teams from wasting time on false positives.

Write-ups for the testing done on each endpoint will be made available in real time and are also vetted by Vulnerability Operations. The reports can also be easily exported to PDFs for convenient sharing with compliance auditors or other audiences.

These reports showcase a level of detail and thoroughness not found in automated solutions. Each API endpoint will be accompanied by descriptions of the attacks attempted, complete with screenshots of the work performed. Check out one of our sample API pentest reports.

Screenshot from exportable PDF report

How It Works

Through the Assessment Creation Wizard (ACW) found within the Synack Platform, you can now upload your API documentation (Postman, OpenAPI Spec 3.0, JSON) and create a new API assessment.

For each specified endpoint in your API, a “Mission” will be generated and sent out for claiming among those in the SRT with proven API testing experience. The “Mission” asks the researcher to check the endpoint for vulnerabilities like those listed in the OWASP API Top 10, while recording their efforts with screenshots and detailed write-ups. Vulnerabilities tested for include:

  • Broken Object Level Authorization
  • Broken User Authentication
  • Excessive Data Exposure
  • Broken Function Level Authorization
  • Mass Assignment
  • Security Misconfiguration
  • Injection

Proof-of-coverage reports, as well as exploitable vulnerability findings, will be surfaced in real time for each endpoint within the Synack Platform.
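As an added illustration (not Synack's code or platform logic), here is how the one-mission-per-endpoint step could be driven from an uploaded OpenAPI 3.0 document: each operation gets a checklist drawn from the categories above, with simple heuristics (path parameters, missing security requirements, admin-style paths, writable bodies) deciding which extra checks apply. The OpenAPI document is a constructed sample.

```python
"""Build a per-endpoint test checklist from an OpenAPI 3.0 document, mirroring the
one-mission-per-endpoint workflow above. Added illustration, not Synack's code;
the spec below is a constructed sample."""
import json

# Constructed sample OpenAPI 3.0 document (not a real API).
SAMPLE_SPEC = json.loads("""{
  "openapi": "3.0.0",
  "security": [{"bearerAuth": []}],
  "paths": {
    "/users/{id}": {
      "get": {"operationId": "getUser", "parameters": [{"name": "id", "in": "path"}]},
      "put": {"operationId": "updateUser", "parameters": [{"name": "id", "in": "path"}],
              "requestBody": {"content": {"application/json": {"schema": {"type": "object"}}}}}
    },
    "/health": {"get": {"operationId": "health", "security": []}},
    "/admin/reports": {"get": {"operationId": "adminReports"}}
  }
}""")

HTTP_METHODS = {"get", "post", "put", "patch", "delete"}
# Checks that apply to every endpoint regardless of its shape.
ALWAYS = ["Excessive Data Exposure", "Security Misconfiguration", "Injection"]

def build_missions(spec):
    """Return one mission per operation: the endpoint and the checks it warrants."""
    global_secured = bool(spec.get("security"))
    missions = []
    for path, item in spec.get("paths", {}).items():
        for method, op in item.items():
            if method.lower() not in HTTP_METHODS:  # skip path-level keys like "parameters"
                continue
            checks = list(ALWAYS)
            # Path parameters usually carry object identifiers: a BOLA candidate.
            if any(p.get("in") == "path" for p in op.get("parameters", [])):
                checks.append("Broken Object Level Authorization")
            # An operation-level "security": [] overrides the global scheme and means
            # the endpoint is reachable without authentication.
            secured = bool(op["security"]) if "security" in op else global_secured
            if not secured:
                checks.append("Broken User Authentication")
            # Admin-style paths warrant function-level authorization checks.
            if "admin" in path.lower():
                checks.append("Broken Function Level Authorization")
            # Writable JSON bodies are where mass assignment shows up.
            if "requestBody" in op:
                checks.append("Mass Assignment")
            missions.append({"endpoint": f"{method.upper()} {path}", "checks": checks})
    return missions
```

Running `build_missions(SAMPLE_SPEC)` yields four missions; the unauthenticated `/health` route and the admin route pick up the authentication and function-level checks respectively.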

Real-time results in platform

Through the Synack Platform, an exploitable vulnerability finding can be quickly viewed in the “vulnerabilities” tab, which rolls up findings from all of your Synack testing activities. For a given vulnerability, you can comment back and forth with the researcher who submitted the finding, as well as request patch verification to confirm patch efficacy.

Retesting On-demand

As long as you’re on the Synack Platform, you have on-demand access to the Synack Red Team. To that end, APIs previously tested can be retested at the push of a button. Simply use the convenient “retesting” workflow to select the endpoints you want to retest and press submit. This will start a new test on the specified endpoints, sending out the work once more to the SRT and producing fresh proof-of-coverage reports. This is useful for testing after an update to an API or for meeting a recurring compliance requirement.

Get Started

Get started today by downloading our API pentesting data sheet.

The post Minimize Noise With Human-Led API Pentesting appeared first on Synack.

Preparing for the Next Log4j in the Face of the Cyber Talent Gap

When the Log4j vulnerability emerged in December 2021, Synack and our clients’ security teams immediately sensed its urgency. The Synack Red Team began testing on behalf of our customer base within hours of the initial discovery.

Almost a year later, Log4j continues to show up in our pentesting results. Here are some quick stats from our findings:

  • 750+ Log4j (CVE-2021-44228) missions run by SRT researchers since 2021 as part of our zero-day response coverage
  • 100+ susceptible instances found so far as part of Synack Penetration Testing
  • Over 2 million IPs checked to date

Log4j Is “Endemic,” Says Federal Cyber Board

The Cyber Safety Review Board (CSRB) called Log4j (CVE-2021-44228) an “endemic” vulnerability in the board’s first published report. The group of public and private sector cybersecurity leaders stated that the vulnerability is expected to continue to be a prominent threat for “a decade or longer.”

The CSRB’s view of Log4j as a persistent threat points to the critical nature of such zero days. They are not something to be solved in the week they appear, with security teams “working through the weekend” and then moving on. They highlight the larger need for readily available talent and emergency response processes that hold up over a longer span of time.

Luckily, there have been no successful Log4j-based attacks on critical infrastructure, according to the CSRB. However, the board urges organizations to continue to mitigate risk related to Log4j and prepare for future zero-day vulnerabilities of similar criticality.

Log4j and the Cyber Talent Gap – Surge Capacity

Nearly two in three organizations say they are understaffed in cybersecurity. But even for those that report having enough cyber talent on hand, the surge demand needed to respond to a vulnerability like Log4j can still be taxing. The CSRB report states:

“Perhaps most significantly, the force exerted on the urgent response and the challenges in managing risk also contributed to professional ‘burnout’ among defenders that may, compounded with the generally intense pace of many cybersecurity jobs, have a long-term impact on the availability of cybersecurity talent.”

Chris Hallenbeck writes for VentureBeat about lessons learned in the face of Log4j, including the fact that the “skills shortage is an existential threat.” If organizations are to effectively prepare for future CVEs and zero days, they must consider their hiring strategies in light of the cyber talent shortage, while also considering how to deal with the burnout and stress that surge demand brings during an emergency.

Preparing for Zero Day Response with Human Talent

The CSRB issued recommendations to mitigate zero-day risks, including the documentation of a vulnerability management and response program, and consideration of “cultural shifts” that are “necessary to solve for the nation’s digital security.”

Synack believes that the most effective way to test for a zero-day vulnerability is with human expertise. Scanners cannot detect a zero-day vulnerability until they have been updated with a signature for it.

In the face of the cybersecurity talent gap, testing with humans to meet the surge demand of a zero day can be challenging. That’s why on-demand access to a community of researchers is paramount. Synack provides access to such a community, the Synack Red Team, through a SaaS platform, for on-demand zero-day response. This talent augmentation can be a key cultural shift for companies struggling to hire or retain cyber talent, and can help prevent an in-house team from experiencing the severe burnout described above.

Within the Synack Platform is a catalog of CVEs that can be tested on demand by skilled SRT researchers. When Log4j first emerged, it was added to the catalog within hours, and top researchers began testing and collaborating on methodologies.

After only a few days, Synack had checked over half a million IP addresses, confirming the status of thousands of CVE-2021-44228 checks and providing detailed reports containing proof of work and methodologies.

Contact us today for a conversation about how we can help you mitigate Log4j risk or prepare for future zero days.

The post Preparing for the Next Log4j in the Face of the Cyber Talent Gap appeared first on Synack.

Mental Health and Cybersecurity: Two Continuous Journeys

Mental health is health. It is a common refrain during Mental Health Awareness Month, and one that rings true when embarking on a journey to improve your emotional wellbeing. Health is an ongoing journey and, as it happens, one with many parallels to cybersecurity. So, in honor of Mental Health Awareness Month, here are a few lessons I’ve learned from working in cybersecurity that resonate with my own mental health journey.

Mental Health is Dynamic Like an Attack Surface

At Synack, we often talk about how attack surfaces are dynamic, changing and evolving daily because of continuous updates and improvements. The same is certainly true for mental health.

Just as an attack surface should be continuously assessed, so too should your mental health. Checking in with yourself and others routinely only makes sense given the dynamic nature of mental wellbeing. Some of my best months or days come right after some of my worst. Don’t make assumptions about your own or others’ mental states, and keep in mind that change is crucial and expected.

Treatment Should be Continuous

In 2017, my therapist diagnosed me with depression. Today, my mental health and my ability to manage it are leaps and bounds better, and I credit that mostly to a routine of mindfulness meditation and using other mental health tools. Because I know mental health is dynamic, I know that meditation isn’t just for when I’m feeling down but rather a practice I continue through good and bad times to find balance. The same can be said of other tools like therapy or journaling.

These tools work because they build habits and defenses that can stand up to the next challenge you face, just like protecting an organization with cybersecurity principles. If you’ve stopped your daily meditation, therapy appointments or journaling about your day, you might not have the habits and responses you want in place the next time a challenge presents itself. But if you treat your mental health daily, instead of only in a crisis, you can be prepared for anything, just as an organization that has invested continuously can respond confidently to a security challenge such as Log4j.

Normalize Investment

One of my favorite security messages that I’ve heard says that security should be treated as an essential business function. It’s not a side project you are burdened to fund; it’s an integral part of doing business and should be “baked in” to your budget.

Similarly, investing your time in your mental health should be normalized. Take time to see your therapist or to keep up the daily habits that contribute to your emotional wellbeing. When seeing a therapist, I was fortunate enough to have supportive managers who let me take time off in the afternoon. I also had friends who supported me on my journey and whom I could turn to.

There’s No Better Time Than Now to Start

You can start your mental health journey at any time. You don’t have to wait for a low point to make positive changes. Just like you shouldn’t wait for a crisis to start enacting effective cybersecurity measures, you shouldn’t wait to tackle your mental health. Recognizing that it’s a dynamic challenge you need to prepare for, and invest in, is the first step in making a positive change for yourself.

The post Mental Health and Cybersecurity: Two Continuous Journeys appeared first on Synack.