
How to Deploy Strategic Pentesting in Your Vulnerability Management Program

By: Synack

Test to Find the Exploitable Vulnerabilities and Their Root Causes

Vulnerability Management in Your Cybersecurity Program

Today’s complex software systems often include code that leaves them vulnerable to attack by hackers who are always looking for a way to break in. And even in a system with no inherent vulnerabilities, a misconfiguration or careless handling of credentials can afford hackers an opportunity for infiltration. A record 26,448 software security flaws were reported in 2022, with the number of critical vulnerabilities up 59% on 2021. So a good cybersecurity program should include a program for vulnerability management.

Tactical vs. Strategic Penetration Testing in Vulnerability Management

Vulnerability management is the process of identifying and remediating weaknesses in your systems, including your applications, infrastructure and security processes. And a key component of that program should be penetration testing, actively probing your system to identify vulnerabilities so they can be analyzed, prioritized and remediated.

As companies move to agile models for software development, the release of new features or products becomes more frequent. And that code can introduce vulnerabilities. Similarly, more systems are being deployed in the cloud. And cloud assets can fall out of compliance or become susceptible to attacks after a single update.

Traditionally, pentesting has been performed on a tactical, one-time basis. But the most thorough penetration test, even if repeated periodically, is only a snapshot in time. While one-time pentesting can be an essential part of any vulnerability management program, this tactical approach is most appropriate for obtaining a picture of your security posture. Identify your vulnerabilities and address them as needed. It is also useful in testing for and proving compliance in regard to security standards such as OWASP, PCI and NIST.

Comprehensive cybersecurity requires more strategic thinking, going beyond the concept of a snapshot. You need to leverage test results for operational purposes, track changes over time, understand performance across the organization, analyze root cause, and communicate your security posture. And to accomplish this you need to have a program of continuous pentesting like those available through Synack. Synack can pentest agile development output at multiple stages of development and assist developer and QA teams with quick remediation through real-time reporting and patch verification. Continuous testing is also best for cloud assets. To facilitate cloud security testing, Synack has integrations with AWS, Azure and GCP that enable detection of changes that could cause problems.

For strategic vulnerability management Synack provides continuous pentesting in 90- and 365-day increments (Synack90 and Synack365) to address a wide range of use cases. Both programs help you catch vulnerabilities as they are introduced, and track your security posture across the organization and over time.

Automated Scanning and Pentesting: A One-Two Punch For Identifying and Remediating Vulnerabilities

Two of the tools in the Synack platform, whether they are deployed tactically or strategically, that provide an effective one-two punch for identifying and remediating exploitable vulnerabilities are Synack SmartScan and Synack’s transformational penetration testing. Deploying these two tools can help you cut through the noise, taking automated vulnerability testing results and applying human intelligence to improve the vulnerability management workflow. You can address the problems that really matter.

Deploy SmartScan for Low-Importance Assets

Vulnerability scanning is most appropriate for low-importance assets. Traditional vulnerability scanners are good at identifying known vulnerabilities. But they typically treat all assets the same and are not able to distinguish exploitable vulnerabilities from the noise. They require expert reviews and triage. Synack SmartScan takes the scanning idea to another level. SmartScan is an automated set of scanning tools that continuously watch for changes in your environment to identify and triage security vulnerabilities. SmartScan identifies potential vulnerabilities and engages the Synack Red Team (SRT) to evaluate the results. The SRT along with Synack Operations generates a vulnerability report, including steps to reproduce and remediate the vulnerability. SmartScan enables rather than burdening your security and operations teams.

Deploy Pentesting for High-Importance Assets

Pentesting gives you the more accurate and complete vulnerability information that high-importance assets require. To pentest your organization Synack calls on a vetted community of security researchers to actively probe your assets for exploitable vulnerabilities, much like a hacker would. You get top-tier talent to find and fix exploitable vulnerabilities, and confirm remediation efforts across your external attack surface.

Deploy Synack Stand-Alone or in Partnership with Other Security Platforms

With Synack’s flexibility, you can integrate automated scanning and pentesting into your existing workflow, or deploy them as a new process. Either way you get comprehensive end-to-end offensive testing, taking you from discovery through to remediation. And Synack tools can be deployed as an add-on to larger security systems such as Splunk’s data platform or Microsoft’s Sentinel security information and event manager (SIEM).

Learn How Synack Can Help Protect Your Organization

For the most comprehensive vulnerability management, deploy continuous scanning and pentesting to help you identify and remediate vulnerabilities across your entire asset base.


The post How to Deploy Strategic Pentesting in Your Vulnerability Management Program appeared first on Synack.

Don’t Let API Penetration Testing Fall Through the Cracks

By: Synack

API (application programming interface) cybersecurity isn’t as thorough as it needs to be. When it comes to pentesting, web APIs are often lumped in with web applications, despite 90% of web applications having a larger attack surface exposed via APIs than user interfaces, according to Gartner. However, that kind of testing doesn’t cover the full spectrum of APIs, potentially leaving vulnerabilities undiscovered. As APIs become both increasingly important and increasingly vulnerable, it’s more important than ever to keep your APIs secure.

APIs vs. Web Applications

APIs are how software programs talk to each other. APIs are interfaces that allow software programs to transmit data to other software programs. Integrating applications via APIs allows one piece of software to access and use the capabilities of another. In today’s increasingly connected digital world, it’s no surprise that APIs are becoming more and more prevalent.

When most people think of APIs, what they’re really thinking about are APIs exposed via a web application UI, usually by means of an HTTP-based web server. A web application is any application program that is stored remotely and delivered via the internet through a browser interface.

APIs, however, connect and power everything from mobile applications, to cloud-based services, to internal applications, partner platforms and more. An organization’s APIs may be more numerous than those that can be enumerated through browsing a web application.

Differences in Pentesting

Frequently, organizations that perform pentesting on their web applications assume that a clean bill of health for web applications means that their APIs are just as secure. Unfortunately, that isn’t the case. An effective API security testing strategy requires understanding the differences between web application testing and API security testing. 

Web application security mostly focuses on threats like injection attacks, cross-site scripting and buffer overflows. Meanwhile, API breaches typically occur through issues with authorization and authentication, which lets cyber attackers get access to business logic or data.

Web application pentesting isn’t sufficient for testing APIs. Web application testing usually only covers the API calls made by the application, though APIs have a much broader range of functioning than that.

To begin a web application pentest, you provide your pentesters with a list of URLs and they test all of the fields associated with these URLs. Some of these fields will have APIs behind them, allowing them to communicate with something. If the pentesters find a vulnerability here, that’s an API vulnerability – and that kind of API vulnerability will be caught. However, any APIs that aren’t connected to a field won’t be tested.

Most organizations have more APIs than just the ones attached to web application fields. Any time an application needs to talk to another application or to a database, that’s an API that might still be vulnerable. While a web application pentest won’t be able to test these APIs, an API pentest will.

The Importance of API Pentesting

Unlike web applications, APIs have direct access to endpoints, and cyber attackers can manipulate the data that these endpoints accept. So, it’s important to make sure that your APIs are just as thoroughly tested as your web applications. By performing separate pentesting for APIs and web applications, you make sure that you have your attack surface covered.
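The coverage gap the preceding sections describe (a UI-driven test reaches only the endpoints behind UI fields, and API breaches tend to come through authorization rather than injection), as an added example that is not code from the post or from Synack. It is a constructed, in-memory stand-in for a web API: one endpoint the UI calls (get_invoice) and one headless endpoint the UI never calls (export_all_invoices). The same authorization matrix is run twice, once scoped to UI-reachable endpoints and once scoped to the full API inventory; only the second run exercises the headless endpoint. Endpoint names, users, records and expected status codes are all assumptions made for the example.

```python
"""Added example (not Synack code): why API-inventory scope finds more than UI scope.

Constructed, in-memory stand-in for a web API. Handlers take (caller, arg) and return
a Response; no network is involved. All names, users and records are invented.
"""
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Set, Tuple

# Constructed sample data: two users, one invoice each, and one admin account.
INVOICES: Dict[int, dict] = {
    1001: {"owner": "alice", "total": 120.0},
    1002: {"owner": "bob", "total": 80.0},
}
ADMINS: Set[str] = {"admin"}


@dataclass
class Response:
    status: int
    body: Optional[dict] = None


# --- get_invoice: called by the web UI when a user opens an invoice page ------------

def get_invoice_vulnerable(caller: str, invoice_id: int) -> Response:
    """Authenticates the caller but never checks ownership (broken object-level authorization)."""
    rec = INVOICES.get(invoice_id)
    return Response(404) if rec is None else Response(200, rec)


def get_invoice_fixed(caller: str, invoice_id: int) -> Response:
    """Ownership check; 404 for both 'missing' and 'not yours' so valid ids are not confirmed."""
    rec = INVOICES.get(invoice_id)
    if rec is None or rec["owner"] != caller:
        return Response(404)
    return Response(200, rec)


# --- export_all_invoices: a headless endpoint the UI never calls (partner/integration use) ---

def export_vulnerable(caller: str, _arg: object) -> Response:
    """Any authenticated caller can dump every record (broken function-level authorization)."""
    return Response(200, {"invoices": INVOICES})


def export_fixed(caller: str, _arg: object) -> Response:
    """Bulk export is restricted to admin accounts."""
    if caller not in ADMINS:
        return Response(403)
    return Response(200, {"invoices": INVOICES})


def build_api(hardened: bool) -> Dict[str, Callable[[str, object], Response]]:
    """The API as a name -> handler table; `hardened` selects the fixed handlers."""
    return {
        "get_invoice": get_invoice_fixed if hardened else get_invoice_vulnerable,
        "export_all_invoices": export_fixed if hardened else export_vulnerable,
    }


# Two ways to scope a test: endpoints reachable from UI fields, or the full API inventory
# (what an API pentest builds from the API documentation).
UI_SCOPE = {"get_invoice"}
API_INVENTORY_SCOPE = {"get_invoice", "export_all_invoices"}

# Authorization matrix: (endpoint, caller, argument, status a correct implementation returns).
AUTHZ_CASES: List[Tuple[str, str, object, int]] = [
    ("get_invoice", "alice", 1001, 200),          # owner reads own invoice
    ("get_invoice", "alice", 1002, 404),          # must not read bob's invoice
    ("export_all_invoices", "admin", None, 200),
    ("export_all_invoices", "alice", None, 403),  # ordinary user must not bulk-export
]


def run_authz_checks(api, cases, in_scope) -> Tuple[Dict[str, List[str]], List[str]]:
    """Run the matrix over in-scope endpoints.

    Returns (failures keyed by endpoint, endpoints in the API that were never exercised).
    """
    failures: Dict[str, List[str]] = {}
    exercised: Set[str] = set()
    for endpoint, caller, arg, expected in cases:
        if endpoint not in in_scope:
            continue
        exercised.add(endpoint)
        got = api[endpoint](caller, arg).status
        if got != expected:
            failures.setdefault(endpoint, []).append(
                f"{caller} -> {endpoint}({arg}): expected {expected}, got {got}")
    untested = sorted(set(api) - exercised)
    return failures, untested


if __name__ == "__main__":
    for label, scope in (("UI scope", UI_SCOPE), ("API inventory scope", API_INVENTORY_SCOPE)):
        failures, untested = run_authz_checks(build_api(hardened=False), AUTHZ_CASES, scope)
        print(f"{label}: failures={failures} untested={untested}")
    print("hardened:", run_authz_checks(build_api(hardened=True), AUTHZ_CASES, API_INVENTORY_SCOPE))
```

Running the matrix under UI scope reports the object-level authorization flaw in get_invoice and lists export_all_invoices as untested; under API-inventory scope the export endpoint's missing role check shows up as well, and the hardened handlers pass every case. The point for a defender is the `untested` list: it is the set of endpoints a UI-driven test would have silently skipped.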

Synack can help. To learn more about the importance of pentesting for APIs, read this white paper and visit our API security solution page.

The post Don’t Let API Penetration Testing Fall Through the Cracks appeared first on Synack.

What’s Wrong with Bug Bounty Programs?

By: Synack

What Is a Bug Bounty Program? 

The concept of bug bounty programs is simple. You allow a group of security researchers, also known as ethical hackers, to access your systems and applications so they can probe for security vulnerabilities – bugs in your code. And you pay them a bounty on the bugs they find. The more bugs the researcher finds, the more money he makes.

Assessing the value or success of bug bounty programs can be difficult. There is no one methodology or approach to implementing and managing a bug bounty program. For example, a program could employ a couple of hackers or several hundred. It could be run internally or with a bug bounty partner. How much does the customer pay for the program and what reward should the hacker get?

While many organizations have jumped on the bug bounty bandwagon over the last decade or so, the results have been disappointing for some. Many companies disappointed by their bug bounty experience have talked with Synack. We can group their experiences into three major categories: researcher vetting and standards, quality of results, and program control and management.

Researcher Vetting and Standards

When you implement a bug bounty program you are relying on ethical hackers, security researchers that have the skills and expertise to break into your system and root around for security vulnerabilities. Someone has to vet those hackers to ensure that they can do the job, that they have the level and diversity of experience required to provide a thorough vulnerability assessment. And how do you know that someone signing up for the program has the right skills and is trustworthy? There are no standards to go by. Some bug bounty programs are open to just about anyone.

Quality of Results

Bug bounty programs are notorious for producing quantity over quality. After all, more bugs found means more rewards. So security managers often find themselves wading through piles of low-quality and low-severity vulnerabilities that divert their attention and resources from serious, exploitable vulnerabilities. For example, an organization with internal service-level agreements (SLAs) for remediation of vulnerabilities may be forced to spend time on low-priority patching, just to have good metrics. This isn’t always the best path to minimize risk in the organization.

Results can also be highly dependent on the group assigned to do the hacking. Small groups – we have seen some programs that have only a handful of researchers – suffer from a lack of diversity and vision. Large groups usually cast a wider net but are more difficult to manage and control. And how much your researchers get paid is an important consideration. For example, if a company pays “average” compared to other targets on a bug bounty platform, they will not get the attention of above-average researchers. Published reports from bug bounty companies state that only 6-20% of found vulnerabilities have a CVSS (Common Vulnerability Scoring System) of 7.0 or greater, which would be below the typical customer experience seen at Synack.

Program Control and Management

By far the biggest drawback to bug bounty programs is the lack of program control and management. Turning a team of hackers loose to find security bugs is only the first step. Did they demonstrably put in effort in the form of hours or broad coverage? What happens after bugs are found? How are the results reported? Who follows up with triaging or remediation? Who verifies resolution?

The short answer is… it depends. Every program has its own processes and procedures. The longer answer is that most bug bounty programs don’t put a lot of effort into this area. Hackers are left to go off on their own with little monitoring. They don’t see analytics that help them efficiently choose where to hack. Internal security teams may need to wade through the resulting reports, triage the found bugs, resolve or remediate the bug condition, and verify that bugs have been appropriately addressed.

An Integrated Approach to Vulnerability Testing

These are just a few of the problems associated with bug bounty programs. But even without these issues, attacking vulnerabilities with a bug bounty program is not a panacea to test your cybersecurity posture. Finding high-criticality vulnerabilities is fine, but you need to consider context when assessing vulnerabilities. You need to take an integrated approach to vulnerability testing.

Synack provides high-quality vulnerability testing through its community of 1,500+ vetted security researchers, the Synack Red Team (SRT). Not tied to a bug bounty concept, Synack manages the SRT and provides a secure platform so they can communicate and perform testing over VPN. Through the platform Synack can monitor all the researcher traffic directly, to analyze, log, throttle or halt it.

Synack researchers are all highly skilled and bug reports typically have signal-to-noise ratios approaching 100%. High and critical vulnerabilities making up approximately 40% or more of reports is typical. Beyond simply finding bugs, researchers consider context and exploitability and recommend remediation steps. They can retest to confirm resolution or help customers find a more airtight patch.

So when you consider your next offensive security testing program, know what you’re getting with bug bounty programs. Think comprehensive pentesting with a company that can help you locate vulnerabilities that matter and address them, now and in the future.

The post What’s Wrong with Bug Bounty Programs? appeared first on Synack.

Reporting Can Be the Hero or Villain of Your Cybersecurity Pentesting

By: Synack

Reporting is a critical but often-overlooked component of cybersecurity testing

The overall goals of nearly any technology can be summed up by the title of a song by the popular French music duo Daft Punk: “Harder, Better, Faster, Stronger.” New technologies are commonly judged against two or more of these characteristics. Applying this to cybersecurity tools, does it harden my attack resistance? Can it do the job better with less cost or resources? Does it do the job faster? And ultimately are my defenses stronger?

But in the urgency to design and implement the features that will achieve these goals, there is one component that is often overlooked. Reporting. Can I get the right information into the hands of the right people in a form that they can use?   

Original cybersecurity pentest reports were descriptions of what was done, what was found and what might be done about it. They were composed for the security team paying for the test and were usually in the form of a data dump. Three or four hundred page reports were commonplace, and why not? What better way to show all the work that you have done, even if the pentests didn’t actually produce any viable results.  

Further, those reports were created once for each pentest resulting in a fossilized memento of what was done, usually destined to occupy a few MB of storage on a hard drive, and eventually forgotten in an archive.

Synack decided there had to be a better way to communicate pentesting results. They focused on three key innovations: customizability, scheduling and human components.

Customizability:

In this information age, too much information can be as punishing or painful as too little. Not everyone cares about every component of a pentest. For example, a painstaking regurgitation of the scope of the test may matter to an auditor, but not to a developer tasked with patching found vulnerabilities. Synack reports are highly customizable, allowing for purpose-built, audience-customized reports to be created on the fly. Each person can get the report they need, without unnecessary information. And this sort of reporting uses fewer resources than generating a single report for everyone.

Scheduling:

People throughout an organization have different appetites for information. We’ve seen organizations that want weekly reports on continuous tests, but only for host and network assets. Others want a fresh report every time their web app has a new feature ship, coinciding with the 14-day sprint schedule that drives their CI/CD. Synack can handle all of those scenarios with reporting customization AND a robust role-based access control (RBAC) system. Synack’s RBAC customizable reporting also allows security teams to implement Least Privilege Access so various information needs can be met without the risk of testing data being seen or modified accidentally or by anyone without proper authorization. So testing results get into people’s hands without delay.

Human Components:

The most important question you need to ask about any cybersecurity test is, “Why do I care and what do I need to do?” Ultimately, with the thousands of discrete tests performed and vulnerabilities found, Synack decided that a human-written summary was usually what helped customers the most. Every Synack pentest comes with a human-written summary, written by people separate from the actual testing, triage or service delivery to gain maximum benefits from independent thinking. Customers get the actionable information they need to strengthen their cybersecurity defenses. And they get it in a form that is to the point and easy for them to digest.

To see our reporting feature in action, watch this short video.

The post Reporting Can Be the Hero or Villain of Your Cybersecurity Pentesting appeared first on Synack.

Synack Expands Security Platform with Adversarial API Pentesting

By: Synack

Synack, the premier security testing platform, has launched an API pentesting capability powered by its global community of elite security researchers. Organizations can now rely on the Synack platform for continuous pentesting coverage across “headless” API endpoints that lack a user interface and are increasingly exposed to attackers.

“Synack’s human-led, adversarial approach is ideal for testing APIs that form the backbone of society’s digital transformation,” said Synack CTO and co-founder Mark Kuhr, a former National Security Agency cybersecurity expert. “We are thrilled to offer customers a unique, scalable way to secure this growing area of their attack surfaces.”

Gartner estimates API abuses will be the most common source of data breaches in enterprise web applications this year. Synack enables organizations to verify that exploitable API vulnerabilities like broken authorization and authentication, noted in the OWASP API Top 10, can’t be abused by malicious hackers.

“Many organizations are struggling to find the top-tier cyber talent needed to root out API-specific vulnerabilities,” said Peter Blanks, Chief Product Officer at Synack. “We’re excited to extend our Synack platform to provide human-powered offensive security testing on APIs.”

Synack’s headless API capability builds on years of API pentesting experience through web and mobile applications. The new platform features allow customers to enter API documentation to guide testing scope and coverage. Next, researchers with the Synack Red Team attempt to exploit API endpoints in the way a real external adversary would.

Of the Synack Red Team’s over 1,500 global members, only those with proven API testing skills are activated on API requests, reducing noise. Synack’s Special Projects division led over 100 successful pentests against headless APIs in 2022, providing customers with critical proof-of-coverage reports while validating researchers’ API expertise.

Vulnerability submissions and testing reports are routed through Synack’s Vulnerability Operations team for a rigorous vetting process before being displayed in the platform, minimizing false positives and ensuring high-quality results.

For more information about Synack’s API security testing, visit our Solutions page.

The post Synack Expands Security Platform with Adversarial API Pentesting appeared first on Synack.

See Your Cyber Defenses with an Adversarial Perspective Using Red Teaming and Pentesting

By: Synack

The Complementary Benefits of Red Teaming and Pentesting

Deploying Complementary Cybersecurity Tools

In our previous article, we talked about the growing number of cybersecurity tools available on the market and how difficult it can be to choose which ones you need to deploy to protect your information and infrastructure from cyberattack. That article described how Asset Discovery and Management solutions work in concert with Pentesting to ensure that you are testing all of your assets. In this article, we’ll take a look at Red Teaming and how it works together with Pentesting to give you a thorough view of your cybersecurity defenses.

What is Red Teaming and How Is It Different from Pentesting?

Red Teaming and Pentesting are often confused. Red Teaming is a simulated cyberattack on your software or your organization to test your cyber defenses in a real world situation. On the surface this sounds a lot like Pentesting. They are similar and use many of the same testing techniques. But Red Teaming and Pentesting have different objectives and different testing methodologies.

Pentesting Objectives and Testing

Pentesting focuses on the organization’s total vulnerability picture. With Pentesting, the objective is to find as many cybersecurity vulnerabilities as possible, exploit them and determine their risk levels. It is performed across the entire organization, and in Synack’s case it can be done continuously throughout the year but is usually limited to a two-week period. Pentesting teams are best composed of security researchers external to the organization. Testers are provided with knowledge regarding organization assets as well as existing cybersecurity measures.

Red Team Objectives and Testing

Red Teaming is more like an actual attack. Researchers usually have narrowed objectives, such as accessing a particular folder, exfiltrating specific data or checking vulnerabilities per a specific security guideline. The Red Team’s goal is to test the organization’s detection and response capabilities as well as to exploit defense loopholes. 

Red Teaming and Pentesting Work Together

There are a lot of articles floating around the internet describing Pentesting and Red Teaming and offering suggestions on which tool to choose for your organization. The two solutions have different objectives, but they are complementary. Pentesting provides a broad assessment of your cybersecurity defenses while Red Teaming concentrates on a narrow set of attack objectives to provide information on the depth of those defenses. So why not deploy both? A security program that combines Red Teaming with Pentesting gives you a more complete picture of your cyber defenses than either one alone can provide.

Traditionally, Red Teaming and Pentesting have been separate programs carried out by separate groups or teams. But Synack offers programs and solutions that combine both Pentesting and Red Teaming, all performed via one platform and carried out by the Synack Red Team, our diverse and vetted community of experienced security researchers. 

With Synack you have complete flexibility to develop a program that meets your security requirements. You can perform a Pentest to provide an overall view of your cybersecurity posture. Then conduct a Red Teaming exercise to check your defenses regarding specific company critical infrastructure or your adherence to security guidelines such as the OWASP (Open Web Application Security Project) Top 10, or the CVE (Common Vulnerabilities and Exposures) Checklist.

But don’t stop there. Your attack surface and applications are constantly changing. You need to have a long-term view of cybersecurity. Synack can help you set up continuous testing, both Pentesting and Red Teaming, to ensure that new cybersecurity gaps are detected and fixed or remediated as quickly as possible.

Learn More About Pentesting and Red Teaming

To learn more about how Synack Pentesting can work with Red Teaming to help protect your organization against cyberattack, contact us.

The post See Your Cyber Defenses with an Adversarial Perspective Using Red Teaming and Pentesting appeared first on Synack.

Synack Celebrates Cybersecurity Awareness Month

By: Synack

The cybersecurity industry continuously evolves to keep up with fast-moving threats. But for nearly two decades, there’s been at least one constant: October marks Cybersecurity Awareness Month! 

Launched by the U.S. Department of Homeland Security in 2004 to raise public awareness about digital risks, Cybersecurity Awareness Month has since grown into a global phenomenon, drawing government and private sector participation from Ukraine to Japan. 

We at Synack are honoring this year’s theme, See Yourself in Cyber, with an array of content and events that kicked off Saturday, Oct. 1, in western India. Synack solutions architect Hudney Piquant delivered a timely talk at the BSides Ahmedabad conference on securing the human element in the cyber industry, emphasizing the importance of effective education and training. 

The See Yourself in Cyber theme, chosen by the Cybersecurity and Infrastructure Security Agency and the nonprofit National Cybersecurity Alliance, recognizes that not everyone needs to have a technical background to contribute to the collective defense of our most critical networks. From accountants to recruiters, pentesters to policymakers – everyone has a role to play. With an estimated 700,000 open cybersecurity positions in the U.S. alone, there’s an urgent need to build a bigger tent for the cybersecurity community and welcome individuals of diverse backgrounds and skill sets. Closing the cyber talent gap can start with personal effort. 

“As the threat of malicious cyber activities grows, we must all do our part to keep our Nation safe and secure,” President Biden said in a White House proclamation Friday.

That can mean enabling multi-factor authentication, using a password manager or keeping software up to date, as the White House pointed out. But it can also mean providing mentorship, crafting a welcoming environment for anyone interested in cybersecurity and sharing the tools and technologies needed to secure our increasingly interconnected world. 

At Synack, we believe that diverse perspectives in security testing are essential to hardening systems against the full spectrum of cyberthreats. That means opening doors for individuals from underrepresented backgrounds through programs like the Synack Academy, which is designed to build student participants’ cybersecurity education and skills while recognizing their unique circumstances and providing mentorship. We empower members of our elite Synack Red Team community of security researchers through the Artemis Red Team, a community open to women, trans and nonbinary security professionals and others who identify as a gender minority. 

So keep an eye out this month as we Synackers do our part to promote cybersecurity awareness. We’ll be adding new entries to our Exploits Explained blog series, in which Synack Red Team members share insights on the latest threats and vulnerabilities gleaned from years of pentesting. You can hear our CEO and co-founder, Jay Kaplan, speak to security talent and prioritization strategies at an Oct. 19 webinar on A Better Way to Pentest for Compliance. Or you can catch us at one of several upcoming cybersecurity events, from CyberGov UK to the SecTor conference in Canada. And we’ll continue to offer helpful and engaging cyber content through our WE’RE IN! podcast, the README cybersecurity news source and our social media channels including Twitter and LinkedIn.

The cybersecurity industry can seem like it’s full of intractable and highly technical problems, whether it’s new challenges like API security testing or old threats like phishing. But our collective success in defending society from cyberattacks hinges on each of us. CISA said it best when unveiling this year’s See Yourself in Cyber theme: “While cybersecurity may seem like a complex subject, ultimately, it’s really all about people.” 

Tackling our biggest security challenges will take collaboration and creativity. We hope you can See Yourself in Cyber, engage in this year’s Cybersecurity Awareness Month programming and get in touch with us if we can help. 

Happy October! 

The post Synack Celebrates Cybersecurity Awareness Month appeared first on Synack.

Pentesting and Asset Discovery & Management: Symbiotic Benefit of Complementary Cybersecurity Tools

By: Synack

Working Together to Provide Comprehensive Cybersecurity

Protecting Your Organization from Cybercrime

You already know that you need to be proactive regarding cybersecurity to protect your organization’s information and your resources. In 2020 cybercrime cost organizations an average of $4.35 million, and it took 277 days to find and contain the attack. But what’s the best way to reduce the risk of your organization falling prey to an attack? There are a number of different types of cybersecurity tools available with more being announced seemingly every day. VC funding for cybersecurity startups reached a record high of $29.5 billion in 2021 and there have been 300+ new startups every year. With this assortment of tools at your disposal, which ones should you deploy?

One way to proceed is to select tools that complement each other. For example, deploying pentesting for breadth of vulnerability test coverage works hand in hand with red teaming for more targeted testing of specific assets or problem areas. Another complementary pairing is pentesting with asset discovery and management. In this article, we’ll take a look at how penetration testing can use the information from asset discovery and management tools to make sure you are testing everything you need to test and provide you with comprehensive cybersecurity protection.

Asset Discovery and Management

Pentesting will provide you with actionable knowledge of how a cyber attacker can hack into your organization and what damage that attack can cause. But before diving into pentesting it’s important to have a picture of your organization’s external attack surface and an assessment of its known vulnerabilities. 

Determining Potential Attack Points with External Attack Surface Management (EASM)

EASM is at the forefront of Gartner’s Top Security and Risk Management Trends for 2022. Broadly defined, EASM is the process of identifying, inventorying and assessing your organization’s IT assets, including all external-facing internet assets and systems. And with the increasing use of cloud resources, your attack surface is expanding rapidly. Forty-three percent of IT and business leaders state that the attack surface is spiraling out of control, and nearly three-quarters are concerned with the size of their digital attack surface. Having a good EASM process will provide your pentesters with a map of where all of your assets are, whether they are internal or external, so they can better determine how to make the test as comprehensive as possible.

Identifying and Managing Your Vulnerabilities

A vulnerability scan can identify gaps in your security controls and find security loopholes in your software infrastructure. These scans are optimized for breadth and completeness of coverage with the goal of ensuring that no vulnerabilities are missed. A vulnerability assessment will check for security issues such as misconfigurations, unchecked or incorrect privileges, excessive services and missing operating system updates. You can then prioritize the exposed vulnerabilities according to how likely they are to be exploited in your organization and how much damage can be caused by a hacker exploiting them. 

Putting It All Together

EASM, vulnerability management and penetration tests complement each other but have different goals. The first step in determining your organization’s vulnerability to cyberattack is to do an EASM study. EASM results help you see what all of your potential attack points are. It’s not uncommon for an EASM study to expose assets and points of potential attack an organization didn’t even know it had.

Using the EASM results you can perform a vulnerability assessment to expose any known vulnerabilities associated with those assets. The vulnerability scan and prioritization will tell you what your known vulnerabilities are. Usually these vulnerabilities are already known to the security community, hackers, and software vendors. These scans normally don’t uncover unknown vulnerabilities.

With EASM and vulnerability results in hand, you can then perform a penetration test. Where vulnerability scans are optimized for breadth and completeness, penetration tests are optimized for depth and thoroughness. Pentests will search for all potential attack points and actively exploit all detected known and as yet unknown vulnerabilities to determine if unauthorized access or malicious activity is possible. Then a good pentesting operation will prioritize its results and assist in remediation or mitigation of detected problems.

Using these three cybersecurity tools and processes will help you answer these important questions:

  • What do we have that might be attacked? (EASM)
  • Could an attack happen on things we own and how likely is it that something will happen to us? (Vulnerability Assessment and Management)
  • What can happen if an attacker gets into our system? (Pentesting)


Synack Strengthens Integration to Microsoft Azure to Help Protect Hybrid Clouds

By: Synack

Synack Joins the Microsoft Intelligent Security Association (MISA)

Synack has recently joined the Microsoft Intelligent Security Association (MISA) and integrated with Microsoft Sentinel. This means that Microsoft Sentinel users can now easily access Synack’s global team of security experts for on demand testing of cloud assets. MISA is an ecosystem of independent software vendors and managed security providers who integrate their security solutions with Microsoft platforms and technology to increase visibility and minimize threats.

This announcement is only one component of this growing partnership and is a testament to the commitment both Synack and Microsoft have to providing flexible and scalable security solutions. Extending Microsoft’s security capabilities through partnerships and integrations like the one with Synack reduces cost and complexity for enterprises looking for end-to-end cloud security solutions.

Synack Helps Secure Microsoft Azure Hybrid Clouds

Keeping your hybrid cloud safe and secure from cyber criminals is a daunting task. Hackers are constantly searching for vulnerabilities in your cloud that they can exploit to gain access. You need to be constantly vigilant and discover and resolve all the vulnerabilities in your system while they only need to find one to be successful in penetrating it to perpetrate their cybercrime activities.

To help you more effectively protect your network from cybercriminals, Synack is now providing integrations to two key Microsoft cloud security solutions: Microsoft Defender for Cloud and Microsoft Sentinel. Additionally, new cloud-oriented services are available through Synack Campaigns, which provide on-demand access to members of the Synack Red Team for completing targeted security objectives.

Synack Provides Critical Information for Remediation of Exploitable Vulnerabilities

Microsoft Sentinel and Microsoft Defender for Cloud play a significant role in improving security operations. Microsoft Defender for Cloud provides recommendations, alerts and diagnostics to Microsoft Sentinel to provide better analytics and incident response. Microsoft Sentinel provides an overall picture of what is happening in your network taking in data from multiple sources to give security analysts a powerful tool to detect and respond to cyberattacks. Together these two solutions help provide seamless and effective security operations.

But there is a critical piece missing in this security view. You need to be able to validate misconfigurations and create attack vectors to search for and report exploitable vulnerabilities at the network layer as well as internally in your cloud. Synack, the premier security testing platform powered by the most skilled and trusted community of global security researchers, provides continuous penetration testing and vulnerability discovery with actionable data and reports the results to Microsoft Defender for Cloud and Microsoft Sentinel, where the vulnerabilities can be investigated, analyzed and resolved. You can run a one-time assessment, or sign up for continuous testing of your system.

View Synack Vulnerability Assessment Results in Microsoft Defender for Cloud and Microsoft Sentinel

When it comes to exploitable vulnerabilities in your cloud, time-to-resolution is critical. Synack’s new integrations to Microsoft Defender for Cloud and Microsoft Sentinel automatically sync the results of Synack vulnerability assessments to those security solutions to help decrease time-to-resolution. There is no need for human intervention or cumbersome transfer of information. You have all your vulnerability information in one place, in screens that your security teams are used to working with.

Automatically Create Vulnerability Entries in Defender for Cloud

With Synack’s new integration to Microsoft Defender for Cloud, customers can create a Synack Vulnerabilities custom workbook in Defender for Cloud. The Microsoft Defender for Cloud workbook displays the exploitable vulnerabilities discovered in the Synack vulnerability assessment along with a severity status and scoring. The data syncs automatically from the Synack Client Portal directly to Microsoft Defender for Cloud.

Automatically Create Incidents in Microsoft Sentinel

Similarly, Synack’s new integration to Microsoft Sentinel synchronizes vulnerability data from your Synack account to Microsoft Sentinel for further management and remediation. It automatically creates an incident in Microsoft Sentinel for each vulnerability and keeps the incident up-to-date with the latest changes in the vulnerability.

A Holistic View of Your Cloud Security

Syncing vulnerability results from Synack to Microsoft Defender for Cloud and Microsoft Sentinel puts all of your vulnerability information in one place in a format that Microsoft Azure users are accustomed to seeing. There’s no need to log into another tool or become familiar with another report format in order for security engineers and managers to determine the health and security of their networks. Security teams can take appropriate action and update vulnerability status right in the Microsoft tool.

This capability becomes even more critical as Synack continues to expand its Microsoft Azure-specific testing portfolio, including continuous testing for Microsoft Azure and the Microsoft Azure Security Benchmark Campaign.

You can choose the sync cadence, and you can visualize your vulnerability data using Microsoft Defender for Cloud’s graphs and charts. You’ll get a high-level overview of vulnerability information, such as status, and can track these changes over time. For any assessment, you can see the associated vulnerabilities, and for more detailed information, you can link directly to the full vulnerability info provided in the Synack Client Portal. Any new vulnerabilities will automatically sync and populate into Defender for Cloud and newly discovered vulnerabilities will automatically sync and populate incidents into Microsoft Sentinel where they become part of a holistic security view. Executives or anyone else who wants to see this vulnerability or incident information can do so in Microsoft Azure display screens.


Integration Is Easy

Synack provides the custom Microsoft Azure Workbook with Synack Vulnerabilities data within your Microsoft Defender for Cloud. A backend application hosted on Synack premises provides a Custom Endpoint for the Workbook. Synack provides the default template for the Synack Vulnerabilities workbook. You can further modify the looks of your workbook, or use the endpoint to create new workbooks. It’s up to you how you want to view and manage the exploitable vulnerabilities.

Synack makes the integration easy. All you need to do is create a Synack API token and then deploy the Synack Workbook ARM template to Microsoft Defender for Cloud. After that you can access your workbook in Microsoft Defender for Cloud. Each time Synack performs a vulnerability assessment, the results will be displayed in the Microsoft Defender for Cloud workbook.

For Microsoft Sentinel, Synack provides a data connector to synchronize the vulnerability data from your Synack account. The data synchronization is performed by a Microsoft Azure Function that uses both Synack and Microsoft Sentinel APIs to pull the Synack data over to Microsoft Sentinel. Once you deploy the data connector you will start seeing new incidents in Microsoft Sentinel created from the Synack vulnerabilities. If the status of a Synack vulnerability changes, the status of the corresponding Microsoft Sentinel incident will be updated accordingly.

Now You Have a Holistic View of Your Network Security Posture

To help reduce time-to-resolution, Synack’s integrations to Microsoft Defender for Cloud and Microsoft Sentinel give you a holistic view of your network’s health and security posture encompassing all your exploitable vulnerability information, including the results of Synack penetration testing, in one place in familiar Azure screens.

On-demand Testing for Cloud Configuration with Synack Campaigns

Synack Campaigns provide on-demand access to the Synack Red Team for completion of targeted security tasks, augmenting internal teams while solving for the cybersecurity talent gap. The Azure Security Benchmark Infrastructure Campaign provides Synack researcher testing against Azure security controls. This Campaign will utilize a researcher with the right skills to provide a true adversarial perspective against your Azure services, and will validate your ASB status as seen in Microsoft Defender for Cloud.

For information on Synack’s partnership with Microsoft, learn more here.


Inside the Biggest U.S. Civilian Agency’s Pentesting Strategy

By: Synack

The U.S. Department of Health and Human Services (HHS) draws on Synack’s trusted security researchers and smart pentesting platform to stay nimble in the face of fast-moving cyberthreats. 

With 84,000 federal employees, the agency’s sheer size poses challenges when it comes to addressing the cyber talent gap or pentesting its most critical networks. It’s the largest U.S. civilian agency by spending.

“We have an enormous footprint on the internet,” said Matthew Shallbetter, director of security design and innovation at HHS, during a webinar Wednesday hosted by Synack. “Across the board, HHS is both vast and well-known – and so a good target for troublemakers and hackers.” 

He cited constant cyberthreats to the National Institutes of Health, HealthCare.gov and the Centers for Disease Control and Prevention – some of the most recognizable federal research centers and government services. All those resources fall under HHS’s purview.

So how does the agency hire for mission-critical cybersecurity roles, stay on top of shifting zero-trust requirements and satisfy the need for continuous security testing?

Shallbetter shared his insights with Synack’s Scott Ormiston, a federal solutions architect who’s no stranger to the challenges facing public sector organizations globally.

With an estimated 2.72 million unfilled cybersecurity jobs worldwide, government agencies are struggling more than ever to meet diverse infosec hiring needs.  

“Attackers are responding so much faster today than they were even five years ago,” Ormiston pointed out. “In the time that a vulnerability is released to the public, within minutes of that release, attackers are out scanning your systems. If you don’t have enough skilled personnel to run a continuous testing program and to continuously be looking at your assets, how do you address that challenge?”

Here are a few themes and highlights from the webinar:

Continuous pentesting is a must

It can take weeks to spin up a traditional pentest to find and fix urgent software bugs. Meanwhile, bad actors almost immediately start scanning to exploit those same vulnerabilities, whether they’re blockbuster flaws like Log4j or lesser-known CVEs.

Against that backdrop, traditional pentesting clearly falls short. But is continuous pentesting realistic?

“The short answer is yes, because your adversaries are doing it every day: They’re continuously testing your environment,” Ormiston said.

Shallbetter noted that HHS has its own set of pentesting teams that are centrally located and focus on high-value assets. But there isn’t enough in-house talent to keep up with regular testing, scanning and patching.

“If we could focus on what’s really, really important and test those [assets], we might have enough bodies,” he said. “But it’s really a challenge to try to patch vulnerabilities… The footprint never shrinks; it’s always expanding.” 

To augment his own agency’s workforce capabilities, Shallbetter pulls from Synack’s community of world-class researchers. The diverse members of the Synack Red Team (SRT) allow HHS security testing to keep up with rapid software development cycles and the unrelenting pace of digital transformation.

HHS led 196 assessments using Synack’s platform, adding up to over 45,000 hours of testing on its perimeter services as part of an established vulnerability disclosure process.

There’s no match for human insight

That adds up to a lot of actionable data.

“We really couldn’t have done the VDP the way we did… without using a centralized platform like Synack,” Shallbetter said. “The human insight was key.”

He pointed out that HHS has automated tools across the board to help developers weed out vulnerabilities and drive down risk.  

But over and over, SRT members would find more.

Shallbetter said his favorite examples are when a system owner engages the Synack Platform to validate that HHS has really fixed a vulnerability. “They ask for a retest and the researcher says, ‘Oh, I did X, Y, and Z, but I did it again…’ And the system owner says, ‘Wow, that’s really cool.’”

Those exchanges also build trust between the SRT community and HHS developers who appreciate researchers’ ability to find the vulnerabilities that matter, cutting through the background noise of automation. An average of 30 SRT members contribute their expertise to each HHS assessment, according to Shallbetter.

“When you put a bunch of humans on a target, even if it’s been scanned and pentested by an automated tool, you will find new problems and new issues,” he said.

Zero trust is no longer just a buzzword

The White House early this year unveiled its highly anticipated zero trust strategy, M-22-09, which set federal agencies on a path to achieve a slate of zero-trust principles.

Those five security pillars include identity, devices, applications and workloads, networks and data.

“It’s great to have this architecture,” Ormiston said of M-22-09. “But this also means additional stress on a cyber workforce that’s under pressure.”

Zero trust is a “hot topic” at HHS, as Shallbetter noted.

“It doesn’t feel like a marketing term; people are really beginning to understand what it means and how to implement it in certain ways,” he said.

And pentesting has emerged as “a significant part” of meeting HHS’s zero trust goals. 

“I do think the scope and scale of technology now means the real vision for zero trust is possible,” he said. “For HHS, penetration testing has been an important part of speeding our deployment processes.”

Agencies have until the end of fiscal 2024 to reach the pillars of the zero trust paradigm described in the White House memo.

In the meantime, Synack will continue working as a trusted partner with HHS, delivering on-demand security expertise and a premier pentesting experience.

“I love being able to sort of toss the schedule over the fence and say, ‘hey, Synack, we need four more [assessments], what are we going to do?’—and have it happen,” Shallbetter said.

Access the recording of the webinar here. To learn more about why the public sector deserves a better way to pentest, click here or schedule a demo with Synack here.


Synack at Black Hat: Leading You Through the Security Jungle

By: Synack

The Black Hat cybersecurity conference celebrated its 25th birthday in Las Vegas this week – and Synack was there to mark the occasion in style.

We staged a safari adventure in the Black Hat Business Hall, replete with hanging vines, lush foliage, cheetah swag and the sounds of the jungle. We showed attendees how our security testing platform can be their trusted guide by offering access to our highly skilled, vetted and diverse crew of Synack Red Team security researchers.

When it comes to cybersecurity, it’s a jungle out there. Black Hat speakers drove home just how tangled and daunting the threat landscape has become.

“Things are going to get worse before they get better,” said Chris Krebs, inaugural director of the Cybersecurity and Infrastructure Security Agency, who delivered Black Hat’s keynote Wednesday. “The bad actors are getting their wins, and until we make meaningful consequences and impose costs on them, they will continue.”

Krebs, a founding partner of the Krebs Stamos Group cyber consultancy, also spoke to the urgency of the talent gap in cybersecurity that stands at an estimated 700,000 infosec pros in the U.S. alone and at least four times that number globally.

“It’s been confounding to me how we continue to face workforce shortages,” Krebs said. “We hear about the 3 million open cybersecurity jobs in the community, and I’m just trying to figure out why are we not solving the gap.”

Here are some other themes to emerge from this year’s talks:

  • Ransomware remains a top-tier threat. To coincide with Black Hat, the U.S. State Department announced it’s offering a $10 million reward for information on several members of the Conti ransomware gang, which has wreaked havoc in U.S. healthcare and emergency services networks.
  • The COVID-era digital transformation is here to stay. Underscoring that point, organizers held Black Hat in a hybrid format, with some infosec pros visiting Las Vegas in person and others tuning in online. (We followed suit, offering a Synack virtual booth experience – though remote attendees missed out on smoothies and Jungle Juice at our tiki bar.) COVID has spurred a rush to the cloud, introducing new challenges and vulnerabilities as employees log in from home.
  • API security is a leading concern for CISOs. No one said securing application programming interfaces would be easy. From misconfigurations to vulnerabilities, APIs present a deluge of cyber risks despite being the beating heart of many modern applications. The Business Hall was abuzz over API security, but no one seems to have cracked the code as new breaches crop up seemingly every day.
  • The pace of DevOps calls for constant security testing. The continuous integration and continuous deployment (CI/CD) pipeline empowers developers to make fast and efficient changes to their code, removing bottlenecks by automating the process as much as possible. But CI/CD pipelines now “control so much” that they’re upending the cyber risk environment for many organizations by introducing supply chain vulnerabilities, Chris Eng, chief research officer at Veracode, said in a closing panel yesterday. “It’s a different threat model than 10 years ago, when all you had to worry about was being attacked directly, or individually,” he said.
  • Log4j is simple to exploit but still hard to find. The bombshell Log4j vulnerability sent security teams scrambling when it came to light in December 2021. But we’ve hardly seen the last of the critical flaw in the popular open source logging tool. “Easy stuff to exploit got cleaned up, but I think you will continue to see malicious threat actors innovate the way they find and exploit this,” said Heather Adkins, vice president of security engineering at Google, at a Black Hat talk on Log4j. “It will be around for a long, long time.”

Our Black Hat Experience

Synack solutions architect Hudney Piquant spoke to how seemingly secure attack surfaces can be vulnerable tomorrow to long-lasting threats like Log4j. Piquant shared his cyber survival knowledge in “the Cave” at Synack’s Black Hat booth, where members of the Synack Red Team also offered hard-won insights into remediating vulnerabilities that matter.

“To survive, companies need to start discovering their assets, analyzing their assets with a hacker’s perspective and continuously scanning their external attack surface,” Piquant said. “The reason all three of these things are important is because hackers are doing all three things as well.”

We’d like to thank everyone who stopped by our booth, scheduled one-on-one meetings with us in our executive suite at the Delano Hotel or joined us at the many events we organized or attended throughout Black Hat.

We enjoyed some friendly competition in a 9-hole golf tournament to kick off the week, co-hosted an exclusive whiskey tasting with Microsoft, sponsored a reception at the Cosmopolitan with the Retail and Hospitality Information Sharing and Analysis Center and raised a glass with security peers and investors at a happy hour held by GGV Capital and its portfolio partners.

And that’s not to mention our Rainbow-level sponsorship of the Diana Initiative conference that coincided with Black Hat, our many customer and employee dinners, the one-on-one meetings in our suite and the memorable product demos with security practitioners. We also boosted global reforestation by supporting One Tree Planted at our jungle-themed booth. 

If you missed us at Black Hat, don’t worry: Many Synackers and SRT members are sticking around in Vegas for DEF CON, which runs through Sunday! Look out for the security pros wearing swanky tuxedo shirts, in line with DEF CON’s “Hacker Homecoming” theme. And you can always click here to schedule a demo to learn how Synack’s platform can help deliver a better security testing experience.

In the meantime, we wish you luck as you continue your journey through the cyber wilderness!  


Why You Need to Pentest Your APIs

By: Synack

Planning Ahead to Pentest APIs Can Secure Communications and Save Development Time

What Are Application Programming Interfaces?

Application Programming Interfaces (APIs) are the workhorses of the internet. They facilitate the efficient communication of information between applications. They improve connectivity and help in building modern architectures. When an application makes a request to another application over the internet, chances are that those applications are communicating through an API. 

Organizations are rapidly adopting APIs to deliver service and data, both internally and externally. API requests in 2021 comprised up to 83% of all internet traffic. And developers are using them more each year. API traffic grew 300% faster than traditional web traffic in 2020 and hits are expected to reach 42 trillion by 2024.

API Security Issues

APIs provide developers with powerful interfaces to the organization’s services. But while facilitating communication, the explosion in API use has broadened the attack surface available to hackers. It even spurred the Open Web Application Security Project (OWASP) in 2019 to put together a top 10 checklist for developers. In 2021, 95% of organizations running production APIs experienced an API security incident, according to a survey of 250 companies. Yet, 34% of these organizations report that they don’t have any API security strategy and slightly less than 27% report having only a basic strategy. Unmanaged and unsecured APIs are extremely inviting to attackers. In 2022, API abuse is predicted to be the most frequent attack vector for web applications. 

Shift Left with API Testing

API testing is critical. And the earlier in the development process testing can be done, the better. Almost two-thirds of surveyed organizations have had to delay new application rollout due to concerns with API security. In any development project, testing early in the development process, “shifting left” in industry parlance, saves development time and cost. APIs are no exception. You need to test not only for functional problems but also for security issues. Security testing can complement web application penetration testing by directly testing functions not accessible via external GUIs. And early testing can influence the development of functionalities, informing developers and designers about what is feasible and what the risk is with each planned function.

Traditional Application Testing vs. API Security Testing

Your API security testing program needs to recognize the differences between web application testing and testing an API directly. While classical web application security deals with threats such as injection attacks, cross-site scripting and buffer overflows, API breaches typically occur through authorization and authentication issues. The problems are most often in the business logic and loopholes in the API code. The end result is unintended access.
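The authorization failure described above is easiest to see in code. The following is an added illustration, not Synack's code or part of the original post: a toy order-lookup endpoint written twice, once authenticating the caller but never checking who owns the requested order (the "unintended access" through business logic the text refers to), and once with the object-level check added. The in-memory order store, the session table, the token values and the handler names are all constructed for the example. The `authorization_matrix` helper runs each session against each order id the way an authorization test plan would, so the difference between the two handlers shows up as HTTP status codes rather than prose.

```python
"""Broken vs. fixed object-level authorization in a toy REST-style API.

Added illustration, not Synack's code. The data store, users, tokens
and handler signatures are all constructed for this example.
"""
from dataclasses import dataclass
from typing import Callable, Dict, Optional, Tuple


@dataclass(frozen=True)
class Order:
    order_id: int
    owner: str
    total_cents: int


# Constructed sample data: two customers, three orders.
ORDERS: Dict[int, Order] = {
    1001: Order(1001, "alice", 4999),
    1002: Order(1002, "bob", 12000),
    1003: Order(1003, "alice", 750),
}

# Constructed session table: bearer token -> authenticated user.
SESSIONS: Dict[str, str] = {"tok-alice": "alice", "tok-bob": "bob"}


class ApiError(Exception):
    """Carries the HTTP status the endpoint would return."""

    def __init__(self, status: int, message: str):
        super().__init__(message)
        self.status = status


def authenticate(token: Optional[str]) -> str:
    """Map a bearer token to a user, failing closed with 401."""
    if token is None or token not in SESSIONS:
        raise ApiError(401, "authentication required")
    return SESSIONS[token]


def get_order_vulnerable(token: Optional[str], order_id: int) -> Order:
    """Authenticates the caller but never checks who owns the order.

    Any logged-in user can read any order by supplying its id. No
    injection or memory bug is involved; the business logic simply
    omits an authorization decision.
    """
    authenticate(token)
    if order_id not in ORDERS:
        raise ApiError(404, "no such order")
    return ORDERS[order_id]


def get_order_fixed(token: Optional[str], order_id: int) -> Order:
    """Same endpoint with the object-level authorization check added.

    Returning 404 for both "missing" and "not yours" avoids confirming
    to one customer that another customer's order id exists.
    """
    user = authenticate(token)
    order = ORDERS.get(order_id)
    if order is None or order.owner != user:
        raise ApiError(404, "no such order")
    return order


Handler = Callable[[Optional[str], int], Order]


def probe(handler: Handler, token: Optional[str], order_id: int) -> int:
    """Return the HTTP status the handler would produce (200 on success)."""
    try:
        handler(token, order_id)
        return 200
    except ApiError as err:
        return err.status


def authorization_matrix(handler: Handler) -> Dict[Tuple[Optional[str], int], int]:
    """Run a small authorization test plan against a handler.

    Each known session is tried against its own order and another
    customer's order, plus one unauthenticated call and one unknown id.
    Keys are (token, order_id); values are HTTP status codes.
    """
    cases = [
        (None, 1001),          # no session at all
        ("tok-alice", 1001),   # alice reads her own order
        ("tok-alice", 1002),   # alice reads bob's order
        ("tok-bob", 1002),     # bob reads his own order
        ("tok-bob", 1003),     # bob reads alice's order
        ("tok-bob", 9999),     # id that does not exist
    ]
    return {(tok, oid): probe(handler, tok, oid) for tok, oid in cases}


if __name__ == "__main__":
    for name, handler in (("vulnerable", get_order_vulnerable), ("fixed", get_order_fixed)):
        print(name)
        for (tok, oid), status in authorization_matrix(handler).items():
            print(f"  {str(tok):10} order {oid}: {status}")
```

Run stand-alone, the vulnerable handler returns 200 for the two cross-customer cases while the fixed one returns 404 for them; both reject the unauthenticated call with 401. A scanner that only looks for injection or missing headers would rate both handlers the same, which is the point the section makes about API testing needing a different focus from classical web application testing.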

API Pentesting with Human Expertise

Automated testing solutions like scanners and firewalls only go so far in securing your APIs. Injecting human expertise into the process can take API security to the next level with true offensive testing. But not just any tester can effectively perform pentesting on an API. Security researchers skilled in API testing understand API logic and endpoint functionality, and they can develop tests to identify vulnerabilities. They approach testing with the mindset of an adversarial attacker, testing the API one endpoint and method at a time. And they have the API-specific knowledge to properly interpret testing data, allowing them to do a thorough assessment and provide only exploitable vulnerabilities, minimizing false positives. You’ll be identifying security gaps and vulnerabilities in your APIs before they can be exploited by an attacker.

The value that diverse human perspectives bring to your security posture is not to be understated. That’s why the Synack Red Team is integral to providing a true adversarial perspective for your attack surface and bridging the cyber talent gap.


How Partners Increase Their Offerings and Revenue Growth with Synack

By: Synack

By Justine Desmond

Unemployment in cybersecurity is close to zero percent. If that’s not enough to cause concern, the global shortage of cyber professionals is estimated at 2.72 million individuals. With an economic downturn, there’s also more risk to hiring full-time positions. Whether you already have a pentest offering or would like to sell pentest services, scaling your team of skilled security testers is likely to be a major hurdle.

Synack can help. Synack is one of the world’s largest pentesting providers with an elite team of 1,500 security researchers and scalable technology. Our partners include a wide range of companies from Microsoft, a leading technology powerhouse, to regional partners such as Red River.

The benefits of Synack’s pentest offerings to our diverse partners include:

  • On-demand test deployment 
  • Talent augmentation 
  • Faster revenue growth 

In some companies, pentesting is a bad word that brings to mind disruption, delays and ineffectiveness. Synack has redefined pentesting as responsive, continuous and intelligent.

What does a better pentest experience mean for our partners? 

On-Demand Deployment

Synack’s deployment and scoping process takes days, not weeks or months. As attack surfaces become more complex and dynamic, companies need more flexible testing. Synack can easily meet pentesting demand with an elite crowd of researchers, available 24/7/365. Our ability to quickly increase researchers on target enables Synack to launch tests in 3 days or less. You won’t run into the same scheduling delays with Synack as you would with a traditional pentesting firm. Additionally, Synack has self-service capabilities for existing customers. And it’s not just pentesting that is on-demand: Synack has the ability to address topical vulnerabilities, such as Log4j, hours after they make headlines.

Talent Augmentation 

Synack can add more seats to your bench – whether you have an existing pentesting team or not. Synack’s researchers have to complete a rigorous vetting process that includes a criminal background check, video interviews and a skills assessment. These researchers have tactics, techniques and procedures (TTPs) that replicate what attacks look like today – not just a standard checklist. It’s the infosec equivalent of adding 50 Steph Currys to your team on-demand. Additionally, Synack goes beyond compliance by offering value-add features such as Jira and ServiceNow integrations, remediation assistance and researcher communication to help customers fix vulnerabilities and save time.

Faster Revenue Growth

Synack helped increase revenue growth by 800% over five years for one partner. Synack helps partners to increase their growth by providing easy margin. Synack can meet demand at scale with consistent quality, which is what differentiates us in a competitive market. You won’t have to worry about constraints such as talent capability, capacity and cost. 

If you’re interested in launching or expanding your pentesting business, look no further than Synack. Our work with over 400 customers speaks volumes about our reputation. Additionally, we work closely with many partners across the US, Europe, and Asia. If you think that Synack could be a helpful partner for you, please visit the Synack Partnerships microsite.

The post How Partners Increase Their Offerings and Revenue Growth with Synack appeared first on Synack.

Pentesting for Cloud Systems: What You Need to Know

By: Synack

Why You Need to Pentest Your Cloud Implementation and What’s Different From Normal Pentesting

Security Breaches in Cloud Systems

Most businesses today perform at least some of their compute functions in the cloud, and for good reason: processing in the cloud can lead to increased productivity while reducing capital and operational costs. But, as with any computer system, there can be holes in security that hackers can exploit. In 2021, the average cost was $4.8 million for a public cloud breach, $4.55 million for a private cloud breach, and $3.61 million for a hybrid cloud breach.

Breaches can also lead to the exposure of customer records. In May 2021, a Cognyte breach exposed 5 billion customer records. Perhaps the most high profile breach was at Facebook. In April of that year, hundreds of millions of customer records were exposed. Cloud customers need to be mindful of cloud security and take necessary steps to protect themselves.

What is Pentesting?

Penetration testing, or pentesting, is a well-proven and critical component of any organization’s cybersecurity program. In a pentest, a trusted team of cybersecurity researchers probes your IT systems for vulnerabilities that could allow them to breach your defenses, just as a cybercriminal would do. The result of the pentest is a report on your cybersecurity posture, including vulnerabilities that need to be remediated.

Pentesting methods and practices were primarily developed with on-premises systems in mind. But today, organizations are moving more of their compute processing and data storage to the cloud. So you might ask: Is pentesting necessary for my cloud implementation? Can you even do pentesting in the cloud? The answer to both questions is a definite yes.

Why You Need to Pentest the Cloud

Whether you are using the cloud for IaaS (Infrastructure as a Service), PaaS (Platform as a Service) or SaaS (Software as a Service), cloud usage is essentially a shared responsibility model where both the Cloud Service Provider (CSP) and the tenant share certain responsibilities, including cybersecurity. There are several potential risks and vulnerabilities that are inherent in using cloud services, such as the extensive use of APIs for communication, the potential for misconfiguration of servers and the use of outdated software or software with insecure code. If not remediated, these vulnerabilities could lead to a breach. The top concerns of cloud operation are data loss, data privacy, compliance violations and exposure of credentials.

Pentesting in the Cloud

The big difference between pentesting your own system and pentesting in the cloud is that you are actually testing someone else’s system. In public and hybrid cloud implementations, in addition to shared responsibility considerations, you also have shared resources considerations. You don’t own the cloud resources, so you need to design your testing process to operate within the CSP environment.

Challenges Specific to Cloud Pentesting

While offloading work to the cloud has broad benefits, it also has some drawbacks. One is the lack of transparency: you don’t know exactly what hardware is being used or where your data is stored, which can make thorough pentesting more difficult. And since you are working with a resource sharing model, there is the potential for cross-account contamination if the CSP has not taken adequate steps to segment users. Most important from a testing perspective, each CSP has its own policy regarding pentesting on their systems.

Working With CSPs for Pentesting

Most CSPs will allow pentesting on their systems, as long as you adhere to their guidelines and restrictions. If you have a multi-cloud implementation, involving two or more CSPs, you need to ensure that you understand the pentesting policies of each. Here are a few of the considerations when pentesting in the cloud.

  • CSP Notification: The first thing you need to do is inform your CSP that you will be conducting a test. Otherwise, your efforts could look like a cyberattack.
  • CSP testing restrictions: Often CSPs will have a policy describing which tests you can perform, what tools you can use, and which endpoints can and cannot be tested.
  • The Shared Responsibility Model: Depending on whether you have an IaaS, PaaS, or SaaS model, you are responsible for the security of some cloud components and the CSP is responsible for others.
  • Server-Side Vulnerabilities: Conducting a thorough penetration test might discover vulnerabilities that are on the server side and therefore the CSP’s responsibility.

Pentest for a More Secure Cloud

Not only can you pentest in the cloud, you need it to be part of your cybersecurity process. Remediating vulnerabilities discovered by pentesting will improve the security of your cloud implementation. It can also help you achieve compliance and give you a more comprehensive understanding of your cloud system. Synack’s approach to pentesting for the cloud addresses the concerns relayed here—you can set up a pentest for your cloud environment in minutes with some of the world’s top cloud security experts. 

The post Pentesting for Cloud Systems: What You Need to Know appeared first on Synack.

Artemis Red Team Empowers Women, Trans and Nonbinary People in Cybersecurity

By: Synack

By Kim Crawley

The Artemis Red Team, a new subgroup within the Synack Red Team, was formed to encourage women, trans and nonbinary people to excel in their pentesting careers. There are vast numbers of untapped and underrepresented hacking talent in the world, and the Artemis Red Team is actively seeking these individuals out, giving them a home for mentorship and helping them develop their professional skills.

Members of the Synack Red Team, a large group of carefully vetted security researchers who conduct vulnerability testing and bug hunting engagements through the Synack Platform, play an integral role in improving the security of organizations and businesses of many different sizes and across many different industries. 

Women and other gender minorities’ representation remains disproportionately low in tech, which has long consisted mostly of men. For an organization committed to helping solve the cybersecurity skills gap, developing a program to openly welcome women, trans and nonbinary people only made sense. 

“It started from the idea that the women researchers should have their own space, their own group to boost interactions and create a safe place for discussions and guidance among the women,” said ART member BattleAngel (her handle on the Platform). “My involvement in the ART as a researcher and a mentor is that I get to share my knowledge with other women on this team.”

Investing Back into the Community with the Diana Initiative

The Synack Red Team is proud to be a 2022 Rainbow sponsor of the Diana Initiative, one of the most important events and organizations supporting women, trans and nonbinary people in cybersecurity, which takes place in Las Vegas on Aug. 10 and 11, conveniently around Black Hat USA and DEF CON.

During the 2015 DEF CON, a group of nine women came together to talk about their struggles in a male-dominated field and ways they could support one another. From that discussion, the Diana Initiative was born. 

The Artemis Red Team had a similar origin story in that the SRT community managers knew they needed to create a space just for women and gender minorities if they wanted to help grow the number of security researchers. The energy and momentum behind Artemis is palpable. You’ll see some excited Synack, Synack Red Team and Artemis Red Team people at the Diana Initiative this year. 

The Path to Equity 

According to (ISC)²’s Women In Cybersecurity report, women are 25% of the cybersecurity workforce. For the Synack Red Team, creating equitable opportunities for members means ensuring that Artemis members have the ability to level up their skills and learn from each other. Taking on tougher missions means a higher payout or reward. 

Mentorship is a huge aspect of the Artemis Red Team. Member BattleAngel said her proudest moment was being selected by the larger ART community as its top mentor.

“I am glad that they are able to reach out to me in case of any doubts or queries and I can help guide them,” she said. “I’ve always advocated a lot about empowering women and helping them grow their skills, through ART I have been able to do that for all the women in our team.”

To be a part of the Artemis Red Team, all you need is to have a strong skill set and go through the vetting process. BattleAngel described the type of support and development you receive as a member of ART:

“Even if you’re fairly new to this field, I would suggest you just keep your focus on learning more. There are multiple incentives that Synack provides to women researchers—be it in providing special access to targets or hosting various CTF challenges particularly for women researchers—so they can join this amazing team.”

The post Artemis Red Team Empowers Women, Trans and Nonbinary People in Cybersecurity appeared first on Synack.

What You’re Missing About Pentesting: 6 Tools That Look Like Pentesting But Aren’t

By: Synack

By Kim Crawley

Not everything that’s called “pentesting” is pentesting. There’s an abundance of different types of security testing and tools that use different methodologies for different stakeholders with differing agendas. Security testing, which includes pentesting and also vulnerability assessment, compliance auditing and other formats, is even broader. We’ll break down the differences between types of pentesting and strategies that are labeled pentesting but are fundamentally different. 

First, what are you testing for?

Are you trying to penetrate a network or computer system like a cyber threat actor, but with permission from the owner for the purposes of discovering security vulnerabilities? Then chances are what you’re doing is pentesting. If you’re using a checklist of security standards of some sort and looking for vulnerabilities without simulating cyber attacks, that’s a vulnerability assessment. It sounds obvious, but some entities try to sell vulnerability assessments by incorrectly calling them pentests. Pentests aren’t “better” than vulnerability assessments–they’re different types of security testing. Each can be the best solution for different problems.

The Flavors of Pentesting

Pentesting is having specially trained people simulate cyber attacks. They can use applications, scripts and even conduct analog activities such as social engineering and physical security pentesting. Its strength and weakness is the people doing the testing and the platform they work on. Without good testers on an efficient platform, the test may not leave the buyer with confidence. Traditional pentesting relies on only the skills of a few people and outputs a readable report, not data. Synack was founded to get the best testers on the best platform for the best pentest possible. A pentest’s output – at least Synack style – is real-time access to findings, remediation information, analytics about testing and more.

Different types of pentesting can be categorized according to which facet of a computer system is being tested. The majors are network pentesting, application pentesting, social engineering pentesting that finds vulnerabilities in people and physical pentesting that finds vulnerabilities in buildings, doors, windows, rooms and the like. 

Pentesting is also categorized according to the information available to the testers. Blackbox testing is done with little to no knowledge of a target from the perspective of an external attacker. Whitebox testing is done with in-depth target knowledge from the perspective of an internal attacker in the target’s IT department. And Greybox testing is in the middle from the perspective of a nontechnical insider. 

There are also other ways to prepare for cyber threats that are different from pentesting. Let’s explore some of them. 

Methodologies for Security Testing (That Aren’t Pentesting)

Breach and Attack Simulation (BAS) based on attack replay or scripting is a relatively recent development in security testing tech. Scripts that simulate specific exploits can be executed whenever an administrator needs to test a particular attack. This way, teams are better trained to know how to spot attack patterns and unusual log activity. When the cybersecurity community discovers new exploits, scripts can be written to simulate those exploits. Note that this takes time, so BAS may not be as current as adversarial tradecraft. The testing-like output is confirmation of how many known vulnerabilities with easily scriptable exploits exist in your environment.

BAS is best suited for testing security responses to ensure teams know how to spot attack patterns and strange attacks in their log systems. This is a great training tool for blue teams but will not result in the discovery of unknown vulnerabilities in general. This shouldn’t be viewed as a pen test replacement and usually the scripted models lag the current adversary tradecraft. 

Bug Bounty welcomes members of the general public, under well-defined policies, to security test your software themselves and submit bug reports to your company according to the principles of responsible disclosure. If a bug can be proven and fits your company’s criteria of a prioritized vulnerability, the bug hunter could be awarded a monetary prize of anywhere from $50 to $100,500, but typical bug bounty rewards are about $200 to $1,000. The amount of money awarded for a valuable bug report is affected by several factors, including the size of the company’s budget and user base and the criticality of the bug.

Dynamic Application Security Testing (DAST) is an automated technique, but it’s exclusively for testing working applications. So it’s often a tool used by application developers. DAST is used most often for web applications, but other internet-connected applications can be tested this way too. The targeted application must be running, such as a web application on the internet. The exploits that are executed are dynamic, so they may alter course depending on the progress of penetration. 

Risk assessments are sometimes called threat evaluations. In a risk assessment, your security team works from what they know about your organization’s data assets and how those assets could be threatened, both by cyber attack and by non-malicious threats such as natural disasters and accidents. Risks are identified, estimated and prioritized according to their probability of occurring and the amount of harm that could result.

Static Application Security Testing (SAST) has the same goals as DAST, but for application code before being compiled, not for applications that are running in production mode. If a vulnerability is clear from source code – and not all are – it can be detected by SAST.

Tabletop exercises are mainly for incident response teams, a defensive security function. They can be a fun challenge when done well, and help your incident response group face cyber threats with greater confidence. Specific attacks are proposed in the exercise, and the team needs to figure out how they should prevent, mitigate, or contain the cyber threat. If Capture The Flag is the main educational game for the red team, tabletop is the main educational game for the blue team. The output is a more confident and prepared team. Sometimes, refinements for an organization’s threat modeling also emerge. But actual vulnerabilities will not often be found during these exercises.

These and other newer technologies (artificial intelligence and machine learning in particular) are useful tools for security leaders. Computer software acts faster and doesn’t get tired, but the most flexible thinking comes directly from human beings. 

Computer scientists know that computers can only simulate randomness; it takes a living being to actually be random. And human pentesters, like the Synack Red Team, are the best at simulating human cyber attackers and the serious exploits they regularly find.

For a deeper look at the Synack Red Team and its diverse skill set, read our latest white paper, “Solving the Cyber Talent Gap with Diverse Expertise.”

The post What You’re Missing About Pentesting: 6 Tools That Look Like Pentesting But Aren’t appeared first on Synack.

How the 1,500+ Synack Red Team Members Solve Your Most Critical Cybersecurity Vulnerabilities

By: Synack

By Kim Crawley

The Synack Red Team is made up of hundreds of the best pentesters and tech practitioners in the world, hailing from countries across the globe with a variety of skills, who coordinate their efforts to conduct pentesting engagements and other security tests for Synack’s clientele. 

When a large group of ethical hackers work together, they can find more exploits and vulnerabilities than traditional pentesting, which usually consists of two people with two laptops who conduct on-site testing over two weeks. 

But when you have security researchers working as a collective, they are smarter, more adept and more creative. As cyber threats become increasingly sophisticated, the Synack Red Team (SRT) has the advantage of a diverse and holistic talent pool to take on the challenge. 

Not only do the SRT bring a fresh perspective to pentesting, SRT members also help alleviate the widely felt skills gap in cybersecurity.

>> For an in-depth look at the SRT’s diversity of skills, read our white paper “Solving the Cyber Talent Gap with Diverse Expertise.” 

Whether you’re looking to take your organization’s security testing to the next level or a curious thinker who aspires to have a pentesting career, SRT members gave useful advice and explained how it all works. 

SRT Reduces Noise

Özgür Alp, from Turkey, had a lot of pentesting experience prior to joining the SRT, but working with the growing community of 1,500 security researchers taught him the power of collaboration at scale. 

“When I started at Synack, I had four years of experience as a pentester in a multi-global company,” Alp said. “After joining Synack and working as a full-time SRT member, I see that here we are focusing not only on the theoretical bugs but also trying to find the critical ones that matter and are exploitable within the real world scenarios.”

The gamification of vulnerability finding that happens on the researcher side of the platform means that you get their full attention and focus on finding vulnerabilities that matter. The more critical the vulnerability, the higher the payouts and recognition Synack rewards them with.

“I’m starting to focus on more complex scenarios, since you have time to work for that. For example, I actually learn what a theoretical bug could really mean in terms of business impact,” Alp said.

Applying Prior Cyber Knowledge and Experience 

Emily Liu, like many SRT members, works on the Synack platform part-time. Many SRT already work in a cybersecurity role and use the opportunity to apply the knowledge they’ve learned from their day-time job to their Synack role and vice-versa. 

“It sharpens my skills by allowing me to practice finding different vulnerabilities on real targets,” Liu said. “The whole process of doing work for SRT has taught me to think more creatively and to be more persistent, because you can find bounties so long as you put in the effort.”

But the work of the SRT can only be done with an “adversarial” perspective, from the outside-in. Büşra Turak explained the difference between being an SRT member and an employee or in-house consultant. 

“It is usually enough to show the existence of a finding in consultancy firms that provide pentest services. But we don’t do that here,” she said. “We show how much we can increase the impact of the finding or we need to show how the vulnerability is exploited.”

Taking the “Red Team” to the Next Level

In terms of bug bounties, red teaming and pentesting, Synack’s formula for vetting, monitoring and developing its SRT members puts them in another class of security researcher. SRT members are good at what they do from the start, and they’re also given immediate feedback for continuous improvement.

SRT member Nikhil Srivastava talked about what working with SRT has taught him.

“Initially, my reports were not up to the mark when I had just got into bug bounties. It was sent back to me multiple times for revision,” he said. “But, with the introduction of the Synack Quality Rule, we had to keep challenging ourselves with each new target launch—not only to find vulnerabilities but also to write a quality report that stands out from reports of other SRT members and is clearly understood by the clients. This helped me in leveling up.”

No matter if you’re able to get into the weeds of every vulnerability, a Synack report will thoroughly explain the potential exploit. 

“I started reporting vulnerabilities that could precisely illustrate the impact even to a non-technical person and could be easily replicated by them,” Srivastava said.

If you’re curious about what it takes to join the Synack Red Team, start your journey here. To better understand how the SRT can solve your struggle with the cyber talent gap, read our latest white paper.

The post How the 1,500+ Synack Red Team Members Solve Your Most Critical Cybersecurity Vulnerabilities appeared first on Synack.

A Tale of Two Conferences: Synack Stood Out at RSA and Gartner

By: Synack

Two highly anticipated cybersecurity events last week drew us to the Bay Area and the Capital Beltway: The RSA Conference in San Francisco and the Gartner Security and Risk Management Summit in National Harbor, Md.

Synack had both coasts covered, and we were delighted to reconnect with so many of our customers, partners and colleagues. We showcased how our unique pentesting experience can find the vulnerabilities that matter, keeping urgent threats at bay while bridging the cybersecurity talent gap.

We also brought the party! From rocking out to a Journey cover band in San Francisco to sipping margaritas while soaking in the lights of National Harbor’s famous Ferris wheel, here are some highlights from the two in-person events:

Journey by the Bay 

San Francisco, we missed you! 

Synack team in front of Fogo de Chao in San Francisco

The last time Synack hosted RSA attendees at Moscone Center neighbor Fogo de Chão was in February 2020, when the COVID pandemic had yet to upend life in the U.S. “Zero trust” was just beginning to be a buzzword, and many federal agencies were facing deadlines to develop their first-ever vulnerability disclosure policies.

What a journey it’s been. After a two-year hiatus and a COVID-related shuffle from its original dates in February 2022, RSA finally came back to the city by the bay bearing the theme, “Transform.”

We were ready to make our own triumphant return to Fogo de Chão, just 98 steps from the conference in Moscone Center. Our “Journey by the Bay” experience kicked off early on Tuesday, June 7, with a breakfast panel celebrating women in cybersecurity. (Read more about the inspiring event here.) 

Tiffany Gates talks to other panelists at RSA 2022.

The discussion highlighted Synack’s Inclusive company value: “Diversity is at the core of what we do at Synack, and it’s made its way into our culture as well,” Synack Chief Marketing Officer Claire Trimble said at the breakfast. 

During the day, RSA attendees stopped by to see Synack in action, discovering how we are bridging the talent gap with on-demand security talent from our elite Synack Red Team. We showed off our On-Demand Security Testing Platform, which gives organizations a central view of all pentest assessments and offers easy-to-digest reports and metrics to track progress over time (and meet compliance requirements). And we highlighted Synack’s wide-ranging contributions to the cybersecurity media landscape through the README news site, the weekly Changelog newsletter and the We’re In! podcast.

As RSA let out and the lights went down in the city, we hosted Journey tribute band Forejour, who played hits like Don’t Stop Believin’ and Any Way You Want It. Our guests enjoyed more than a few rounds of caipirinhas – not to mention Fogo de Chão’s legendary barbecued meats. 

On Wednesday morning, Synack CTO and co-founder Mark Kuhr led a breakfast discussion on “A Better Way to Pentest,” demonstrating how Synack combines the best of human intelligence and machine intelligence to offer a peerless pentesting experience.

As the conference started to wind down, we gathered for one last happy hour to toast to a successful event. We also streamed Game 3 of the NBA Finals to (mostly) cheer on the Warriors.

Throughout the week, guests had the chance to get to know many of Synack’s sponsors, including Accenture Federal Services, Arkose Labs, AttackIQ, Bolster, Netography, Netskope and SynSaber. We’re grateful for their support and can’t wait to see them at future events! 

Embracing change at Gartner 

Meanwhile in National Harbor, the Gartner summit returned to an in-person format for the first time since 2019, highlighting the latest actionable research and advice for security leaders.

Synack employees in front of the Synack booth at Gartner in National Harbor, MD.

Wednesday saw Synack CEO and co-founder Jay Kaplan present on “Staying Secure in the Midst of a Talent Crisis.” Kaplan shared how he and Kuhr launched the company to help organizations struggling to find the right talent to fend off constantly evolving cyberthreats.

“We do things differently by leveraging a global crowdsourced network of highly vetted security researchers in over 90 countries to perform on-demand and continuous testing to discover every vulnerability that matters,” Kaplan said. 

As trends in digitization and automation drastically expand the attack surface visible to cyber adversaries, security systems and testing must change to keep up, he pointed out.

Organizations facing increasingly sophisticated threats “are being scanned every day—they just don’t get the report,” Kaplan said.

That evening, Synack hosted a Fresh Air Fiesta at Rosa Mexicano, steps from the Gartner show floor at the Gaylord National Resort & Convention Center. Over margaritas and massive bowls of guacamole, we met with customers and made many new connections. 

Between the two major infosec events, it was an epic week for all of us at Synack. We’d like to thank everyone who joined us or followed along on social media.

The post A Tale of Two Conferences: Synack Stood Out at RSA and Gartner appeared first on Synack.

Building a Bigger Tent in Cybersecurity: Lessons from Synack’s Celebrating Women in Cyber Breakfast

By: Synack

This morning, Synack gathered a distinguished panel of women in cybersecurity to share their perspectives on the cybersecurity talent gap and offer lessons for supporting the next generation of women leaders.

Men still outnumber women by three to one in the cybersecurity industry, according to a recent (ISC)² report, despite evidence that a more diverse workforce drives better business and security outcomes. While executives at many organizations have acknowledged the problem, they’ve often struggled to find actionable solutions to address this talent gap.

At Fogo de Chão, steps away from the RSA Conference in San Francisco, Synack hosted Kiersten Todt, Chief of Staff at the U.S. Cybersecurity and Infrastructure Security Agency; Betsy Wille, Chief Information Security Officer, Abbott; Tiffany Gates, Senior Managing Director for the National Security Portfolio at Accenture Federal Services; and Edna Conway, VP, Security and Risk Officer, Azure Hardware Systems and Infrastructure at Microsoft, for an intimate conversation moderated by Jill Aitoro, SVP of Content Strategy at the CyberRisk Alliance.

Among the insights from the panel: It’s one thing to hire top talent, it’s another to make women feel like they belong at an organization. And security leaders will need to shake things up to meet aggressive goals like CISA’s plan to have women represent 50% of the agency’s work force by 2030, up from about 36% now.

“We have to be ambitious. We have to be disruptive, because the only way we’re going to get there is by undoing some of the things we’ve done today,” Todt said.

Other key takeaways from Synack’s Celebrating Women in Cyber Breakfast:

Start early

“We need to be bringing this terminology, this language, to kids in elementary school,” Todt said. “We have to surround them with this field so that they’re able to pull these factors in and grow up with it, so when they’re in high school, they can see the interest they have in these areas.”

Educational institutions will have to move fast to meet the talent needs of a rapidly evolving sector like cybersecurity.

“I do think there’s a huge opportunity to grow this field much more substantively than we have, because it actually encompasses everything that we do,” Todt said. “There is no greater field that should truly represent the planet.”

Empower advocates

Gates of Accenture, who described herself as “terrible” with numbers, reached out to mentors in a range of fields while forging her own career path.

“Don’t flop toward someone who is just like you,” she said. “I want to be mentored by someone who was in the finance shop, just to better understand the kinds of obstacles and challenges they were dealing with.”

Conway, who said she’s currently a mentor to 14 people, pointed out that advocates like her “need to listen more than we speak, because each of our colleagues comes to the table with something different.”

Build a different kind of pipeline

Heavy turnover in the cybersecurity field has opened important conversations on alternative hiring pipelines, said Wille of Abbott. “We’re in better company than maybe we were a couple years ago in pushing the idea that the traditional means of education are not going to be the only places we can look. We’ve seen that improve,” she said.

Wille pointed out that a few months after starting work at Abbott, she was able to onboard someone who showed initiative but had no college degree on file because the company had enabled that level of hire. The employee has since been promoted, and Wille said she would “hire 10” just like her if she could.

Still, challenges persist in areas like security clearances, which can be integral to a federal cybersecurity career but trip up many candidates.

“When we talk about how hard it is to find women that we can bring in, now take 20% of that available pool,” Gates said. “That is what I have to work with, because the number of cleared resources in this community just decimates the number of women that I have available to choose from.”

Commit to learning

“Talent doesn’t come in one container, it doesn’t come with one linear trajectory,” Todt said. “We have to do a better job opening up the aperture.”

Poorly written or overly demanding job descriptions can turn away prospective candidates at the front door. Instilling the courage to apply in the first place is key, but that’s not the end of the story.

“It’s not just to have confidence, but quite frankly to step up and be willing to do the work to figure out what you need to learn and go learn it,” said Conway, who pointed out that she has a degree in medieval renaissance literature but built her career in tech by continuously asking questions. “The burden falls on each and every one of us… Reach out, pull up, help, kick in the derriere when needed and do it with care, do it with humility, and you’ll be amazed what happens. We are a powerful force together: Never forget that.”

For more information about how Synack is tackling the cybersecurity talent gap, check out our white paper “Solving the Cyber Talent Gap with Diverse Expertise.”

The post Building a Bigger Tent in Cybersecurity: Lessons from Synack’s Celebrating Women in Cyber Breakfast appeared first on Synack.

Synack expands executive team, adds top cybersecurity talent as business surges

By: Synack

The premier on-demand security testing platform is experiencing record growth as organizations globally seek its help to bridge the cybersecurity skills shortage.

REDWOOD CITY, Calif., June 6, 2022 /PRNewswire/ — Synack, the premier on-demand security platform for continuous penetration testing and vulnerability management, is expanding its executive team and bringing on top industry talent to meet growing demands from organizations globally seeking to solve their cybersecurity skills shortage.

The key additions represent a major step for Synack as it experienced massive growth in the first quarter of 2022, driven by an increase in new business as well as renewals from customers who rely on the company’s platform, which combines software and skills from a global community of security researchers – the Synack Red Team – to help find the vulnerabilities that matter most.

“Our recent growth is a testament to the value of the Synack Platform,” said Jay Kaplan, Synack’s CEO. “It’s more important than ever for organizations to do everything they can to find and fix vulnerabilities before adversaries exploit them. We’re bringing on an incredible group of people who can help us continue doing this important work and build a lasting, thriving company so we can help even more organizations solve their cybersecurity needs.”

“Simply put,” said Kaplan, “we’re growing quickly and hiring the very best talent to ensure exceptional customer satisfaction and to maintain our position as the No. 1 security testing platform in the world.”

New additions include:

Michael Chao, Chief Financial Officer

Michael is an accomplished business leader with extensive strategic, operational, financial and accounting experience who is focused on building teams, creating high-performance cultures, and achieving outstanding business outcomes. He has worked in both public and private companies across more than 25 years of experience. He was previously CFO at the cybersecurity company Coalfire in addition to holding CFO and senior-level finance roles at KeyPoint Government Solutions, Famous Brands International, Vail Resorts and eBay.

Melissa Lightbody, Chief People Officer

Melissa originally joined Synack in September 2020 as VP, People. She quickly helped to set the tone for the company and worked across all teams to focus on culture, inclusivity, diversity and growth. Melissa is Synack’s first Chief People Officer, a critically important role as the company continues to grow its domestic and international teams with an eye toward maintaining a culture of innovation and collaboration. Melissa’s previous roles include VP, People at Sonder, VP, Enterprise Business Operations & Transformation Officer at Vituity, and VP, Global Head of People & HR Operations at MZ.

Wade Lance, Field Chief Information Security Officer

A cybersecurity veteran, thought leader and frequent conference speaker, Wade is joining Synack from Illusive Networks where he was most recently Field CTO, Product Evangelist. He’s joining Synack as the company’s first Field CISO, an important role that will work across teams as well as with customers and prospects to help them better understand the value and promise of the Synack Platform. Wade’s role is a further indication of the demand for Synack as the company looks to break into new markets, drive adoption and build a global brand.

Tracy Pallas, Vice President of Channel

The Channel is a growing and important part of Synack’s business. Earlier this year, the company launched its emPower Synack Partner Program to offer the Channel the most effective, seamless and continuous access to penetration testing. Tracy is joining Synack to further expand this offering and build new relationships with systems integrators, managed service providers, distributors and resellers. Tracy previously held key leadership positions in sales and business development at Commvault, Agari and Illusive Networks.

Learn more about the work Synack is doing at https://synack.com/

ABOUT SYNACK

Synack’s premier on-demand security testing platform harnesses a talented, vetted community of security researchers and smart technology to deliver continuous penetration testing and vulnerability management, with actionable results. We are committed to making the world more secure by closing the cybersecurity skills gap, giving organizations on-demand access to the most-trusted security researchers in the world. Headquartered in Silicon Valley with regional teams around the world, Synack protects global banks, federal agencies, DoD classified assets and more than $6 trillion in Fortune 500 and Global 2000 revenue. For more information, please visit www.synack.com.
