The U.S. Department of Health and Human Services (HHS) draws on Synack’s trusted security researchers and smart pentesting platform to stay nimble in the face of fast-moving cyberthreats. 

With 84,000 federal employees, the agency’s sheer size poses challenges when it comes to addressing the cyber talent gap or pentesting its most critical networks. It’s the largest U.S. civilian agency by spending.

“We have an enormous footprint on the internet,” said Matthew Shallbetter, director of security design and innovation at HHS, during a webinar Wednesday hosted by Synack. “Across the board, HHS is both vast and well-known – and so a good target for troublemakers and hackers.” 

He cited constant cyberthreats to the National Institutes of Health, HealthCare.gov and the Centers for Disease Control and Prevention – some of the most recognizable federal research centers and government services. All those resources fall under HHS’s purview.

So how does the agency hire for mission-critical cybersecurity roles, stay on top of shifting zero-trust requirements and satisfy the need for continuous security testing?

Shallbetter shared his insights with Synack’s Scott Ormiston, a federal solutions architect who’s no stranger to the challenges facing public sector organizations globally.

With an estimated 2.72 million unfilled cybersecurity jobs worldwide, government agencies are struggling more than ever to meet diverse infosec hiring needs.  

“Attackers are responding so much faster today than they were even five years ago,” Ormiston pointed out. “In the time that a vulnerability is released to the public, within minutes of that release, attackers are out scanning your systems. If you don’t have enough skilled personnel to run a continuous testing program and to continuously be looking at your assets, how do you address that challenge?”

Here are a few themes and highlights from the webinar:

Continuous pentesting is a must

It can take weeks to spin up a traditional pentest to find and fix urgent software bugs. Meanwhile, bad actors almost immediately start scanning to exploit those same vulnerabilities, whether they’re blockbuster flaws like Log4j or lesser-known CVEs.

Against that backdrop, traditional pentesting clearly falls short. But is continuous pentesting realistic?

“The short answer is yes, because your adversaries are doing it every day: They’re continuously testing your environment,” Ormiston said.

Shallbetter noted that HHS has its own set of pentesting teams that are centrally located and focus on high-value assets. But there isn’t enough in-house talent to keep up with regular testing, scanning and patching.

“If we could focus on what’s really, really important and test those [assets], we might have enough bodies,” he said. “But it’s really a challenge to try to patch vulnerabilities… The footprint never shrinks; it’s always expanding.” 

To augment his own agency’s workforce capabilities, Shallbetter pulls from Synack’s community of world-class researchers. The diverse members of the Synack Red Team (SRT) allow HHS security testing to keep up with rapid software development cycles and the unrelenting pace of digital transformation.

HHS led 196 assessments using Synack’s platform, adding up to over 45,000 hours of testing on its perimeter services as part of an established vulnerability disclosure process.

There’s no match for human insight

That adds up to a lot of actionable data.

“We really couldn’t have done the VDP the way we did… without using a centralized platform like Synack,” Shallbetter said. “The human insight was key.”

He pointed out that HHS has automated tools across the board to help developers weed out vulnerabilities and drive down risk.  

But over and over, SRT members would find more.

Shallbetter said his favorite examples are when a system owner engages the Synack Platform to validate that HHS has really fixed a vulnerability. “They ask for a retest and the researcher says, ‘Oh, I did X, Y, and Z, but I did it again…’ And the system owner says, ‘Wow, that’s really cool.’”

Those exchanges also build trust between the SRT community and HHS developers who appreciate researchers’ ability to find the vulnerabilities that matter, cutting through the background noise of automation. An average of 30 SRT members contribute their expertise to each HHS assessment, according to Shallbetter.

“When you put a bunch of humans on a target, even if it’s been scanned and pentested by an automated tool, you will find new problems and new issues,” he said.

Zero trust is no longer just a buzzword

The White House early this year unveiled its highly anticipated zero trust strategy, M-22-09, which set federal agencies on a path to achieve a slate of zero-trust principles.

Those five security pillars include identity, devices, applications and workloads, networks and data.

“It’s great to have this architecture,” Ormiston said of M-22-09. “But this also means additional stress on a cyber workforce that’s under pressure.”

Zero trust is a “hot topic” at HHS, as Shallbetter noted.

“It doesn’t feel like a marketing term; people are really beginning to understand what it means and how to implement it in certain ways,” he said.

And pentesting has emerged as “a significant part” of meeting HHS’s zero trust goals. 

“I do think the scope and scale of technology now means the real vision for zero trust is possible,” he said. “For HHS, penetration testing has been an important part of speeding our deployment processes.”

Agencies have until the end of fiscal 2024 to reach the pillars of the zero trust paradigm described in the White House memo.

In the meantime, Synack will continue working as a trusted partner with HHS, delivering on-demand security expertise and a premier pentesting experience.

“I love being able to sort of toss the schedule over the fence and say, ‘hey, Synack, we need four more [assessments], what are we going to do?’—and have it happen,” Shallbetter said.

Access the recording of the webinar here. To learn more about why the public sector deserves a better way to pentest, click here or schedule a demo with Synack here.

The post Inside the Biggest U.S. Civilian Agency’s Pentesting Strategy appeared first on Synack.

Security is too often an afterthought in the software development process. It’s easy to understand why: Application and software developers are tasked with getting rid of bugs and adding in new features in updates that must meet a grueling release schedule. 

Asking to include security testing before an update is deployed can bring up problems needing to be fixed. In an already tight timeline, that creates tension between developers and the security team. 

If you’re using traditional pentesting methods, the delays and disruption are too great to burden the development team, who are likely working a continuous integration and continuous delivery process (CI/CD). Or if you’re using an automatic scanner to detect potential vulnerabilities, you’re receiving a long list of low-level vulns that obscures the most critical issues to address first. 

Instead, continuous pentesting, or even scanning for a particular CVE, can harmonize development and security teams. And it’s increasingly important. A shocking 85% of commercial apps contain at least one critical vulnerability, according to a 2021 report, while 100% use open-source software, such as the now infamous Log4j. That’s not to knock on open-source software, but rather to say that a critical vulnerability can pop up at any time and it’s more likely to happen than not. 

If a critical vulnerability is found–or worse, exploited–the potential fines or settlement from a data breach could be astronomical. In the latest data breach settlement, T-Mobile agreed to pay $350 million to customers in a class action lawsuit and invest additional $150 million in their data security operations.

This is why many companies are hiring for development security operations (DevSecOps). The people in these roles work in concert with the development team to build a secure software development process into the existing deployment schedule. But with 700,000 infosec positions sitting open in the United States, it might be hard to find the right candidate. 

If you want to improve the security of your software and app development, here are some tips from Synack customers: 

• Highlight only the most critical vulns to the dev team. The development team has time only to address what’s most important. Sorting through an endless list of vulns that might never be exploited won’t work. Synack delivers vulnerabilities that matter by incentivizing our researchers to focus on finding severe vulnerabilities.

• Don’t shame, celebrate. Mistakes are inevitable. Instead of shaming or blaming the development team for a security flaw, cheer on the wins. Finding and fixing vulnerabilities before an update is released is a cause for celebration. Working together to protect the company’s reputation and your customers’ data is the shared goal. 

• Embrace the pace. CI/CD isn’t going away and the key to deploying more secure apps and software is to find ways to work with developers. When vulns are found to be fixed, document the process for next time. And if there’s enough time, try testing for specific, relevant CVEs. Synack Red Team (SRT) members document their path to finding and exploiting vulnerabilities and can verify patches were implemented successfully. SRT security researchers can also test as narrow or broad a scope as you’d like with Synack’s testing offerings and catalog of specific checks, such as CVE and zero day checks.

Security is a vital component to all companies’ IT infrastructure, but it can’t stand in the way of the business. For more information about how Synack can help you integrate security checkpoints in your dev process, request a demo.

The post Testing Early and Often Can Reduce Flaws in App Development appeared first on Synack.

A Vulnerability in an Oracle WebLogic Server Allows Attackers to Perform Remote Code Execution via HTTP Request

In this installment of Exploits Explained, we’re going to demonstrate a vulnerability in an Oracle WebLogic Server that allows attackers to perform remote code execution via a single HTTP request.

Exploit teardown credit goes to Jang on medium.

To see the vulnerability in action, read on, or check out this video walkthrough:

This vulnerability was recently encountered by one of our Synack Red Team researchers during a web application penetration test. 

Here’s why this vulnerability is such a big deal:

1. It’s a Remote Code Execution (RCE) Vulnerability, which is the root cause of many modern Ransomware attacks
2. It affects a widely distributed application
3. There’s a public exploit available
4. It’s not hard to pull off and requires no authentication

While this particular vulnerability has already been patched, we’ll walk you through how an attacker would be able to exploit this in the wild. 

Oracle WebLogic Server sets an auth flag based on URL paths in requests. Attackers were able to determine the allowed paths via the values set in “WebAppSecurityWLS.getConstraint ()”.  In this attack, the path is set to /css/, and when the web application evaluates the request, it sets the value of “flag unrestrict”  to true. This allows the request to be passed along unauthenticated. The attacker then utilizes the path traversal to access the console.portal endpoint.

The console.portal portion of the web application can use a constructor called ShellSession.exec () which allows for system commands on both Linux and Windows systems.

These commands are sent via an MVEL expression under the handle “com.tangosol.coherence.mvel2.sh.ShellSession”In the publicly available exploit, the MVEL expression contains a function to evaluate the value of an HTTP header value named cmd and uses this value for the command to be executed. As seen here:

The output of the command is then written into the server’s response where the attacker can see the results of the command sent.

The server’s response for the commands whoami and ipconfig can be seen here:

This was patched in the October 2020 Critical Patch Update or CPU. These are some of the affected versions:

10.3.6.0.0
12.1.3.0.0
12.2.1.3.0
12.2.1.4.0
14.1.1.0.0

Organizations running these versions of Oralce WebLogic Server should review logs for HTTP requests made to the console.portal endpoint or any requests containing the double url encoded value for ../ (%252E%252E%252F)

Organizations should also check for any suspicious processes spawned by the application. This typically includes cmd.exe ( for windows) or /bin/sh (for *nix systems).

It’s critical that organizations check to make sure they can’t be compromised by this vulnerability by performing penetration testing. We recommend taking a crowdsourced penetration testing approach for higher quality results and to achieve a true adversarial perspective. 

Stay tuned to the Exploits Explained series for further walkthroughs of vulnerabilities encountered by the SRT in the field. 

Learn more about the SRT, or about Synack’s crowdsourced penetration testing at www.synack.com

The post Exploits Explained Part 2 – Remote Code Execution (RCE) via a Single HTTP Request appeared first on Synack.

Penetration Testing and Formula One Racing – Preparation is Key

By Nathan Jones Director, Customer Success, Synack

In Formula One, the most prepared teams have the best chances of success. Yet, preparation alone isn’t going to clinch a victory. Many factors contribute to crossing the finish line first: track conditions, weather, car setup, strategy changes and updates, as well as driver skill and decision making.

Penetration testing isn’t any different.

Following all the best practices and preparations laid out in our previous blog about getting ready for pentests like a Formula One champ is key, but you can’t truly succeed without smooth execution and deft management throughout the test.

At Synack, we’ve got you covered throughout the entire engagement on our Crowdsourced Penetration Testing Platform before and after our trusted network of security researchers go to work hunting for your vulnerabilities. 

Here’s what to expect throughout the Synack engagement:

• It starts with high-quality, trusted researchers

Your pit team: Researchers’ skills are critically important to the success of any pentest. Because the vulnerability landscape is so broad and diverse, a single researcher — or even a small number of researchers — won’t have expertise across all vulnerability categories to fully test the assets in question. 

That’s the value of the Synack crowdsourced testing platform because we attract the best researchers with a wide variety of skills and backgrounds. This allows large numbers of researchers to bring their experience to bear across the range of vulnerability categories, enabling the most thorough test of the assets in scope.

• Results get collected in a well-designed platform

Right car, right tools: A top-quality vulnerability management platform should underpin any pentest initiative, allowing customers to manage the full vulnerability lifecycle from initial reports, to analyst review, and then onto remediation. At Synack, the customer portal lets your team view vulnerabilities flow through a logical, easy-to-use workflow from discovery to patch to patch verification. 

In addition, our triage process ensures that vulnerability findings passed to the customer are valid, reproducible, high quality and actionable. This allows the customer to focus efforts on understanding the issues and taking appropriate action, saving considerable time and effort.

• Control the testing environment and parameters

Know the course: Some penetration tests can be intrusive and noisy. The Synack experience has been designed to make the process as simple and seamless as possible. It is carried out in a controlled manner to mitigate any sort of impact to client’s everyday business operations. Researchers work from a known source IP to ensure proper monitoring. Customers are encouraged to monitor activity and traffic during the test but we recommend waiting for a formal vulnerability report before any patching. Patching during a test limits researchers’ ability to validate the finding and reward the researcher. 

• Engage with researchers before and after the test

Connected to the pit crew: A testing engagement should not be a fire-and-forget activity. Customers should be looking to provide regular feedback, including information about new releases or changes, areas of scope on which researchers should focus and updates on any customer actions. 

Scope changes are a critical area of communication. A class of vulnerabilities caused by the same underlying issue should be temporarily removed from scope to prevent inundating the client with repetitive findings. We do this at Synack because it reduces noise as well as shifts the focus of researchers to other areas, thus ensuring better coverage.

• Augment manual testing with smart automation

Change out the equipment when needed: Penetration testing harnesses human creativity to create value, but automated scanners are an important tool, as well, to help augment human efforts. Too often, however, security teams have had to accept trade offs, investing in cheap self-service scanning solutions to get broad attack surface coverage. There’s a better way. Smarter technologies built on machine learning principles can make a difference and help scale the testing effort. At Synack, SmartScan®, our vulnerability assessment solution, enables, rather than burdens, security teams by scaling security testing and accelerating their vulnerability remediation processes. SmartScan® combines industry-best scanning technology, proprietary risk identification technology, and a crowd of the world’s best security researchers, the Synack Red Team (SRT) for noiseless scanning and high-quality triage.

• Recognize the possibility of unintended consequences 

Expect the unexpected: Every pentester and testing company seeks to avoid unwanted impact to the customer. Most issues can be avoided by having an accurate scope and researcher guidelines agreed ahead of testing. On the rare occasion that there is an incident, we have a process in place to deal with it immediately.  

• Act on the results

Celebrate your wins, learn from your mistakes: It’s essential that clients act on findings. Just discovering vulnerabilities does not improve an organization’s risk posture. The vulnerabilities should be patched and remediated as soon as possible. Clients should look to monitor and track their risk posture over time using a risk metric such as Synack’s Attacker Resistance Score to chart improvements. 

For long-term testing engagements, clients should not wait until the pentest has completed, but should fix issues and receive confirmation from the pentester that the mitigation was successful throughout the test. 

Verifying compliance with necessary regulations is also a key part of using the results of a penetration test. Synack strongly recommends that clients opt for a testing package that includes checking compliance, including either relevant OWASP categories, PCI DSS 11.3, and NIST SP 800-53. A testing checklist provides auditable documentation for compliance-driven penetration testing requirements.

• Keep on testing 

Always winning: In Formula One, when the race ends, the work isn’t’ over. There are always more races to run and further developments and improvements to make to stay ahead of the pack. 

The same is true in pentesting. As adversaries get more advanced, staying one step ahead in their cybersecurity is more important than ever. Regular pentesting is a key component of this. A client is only as strong as their weakest link, making appropriate pentesting against their entire attack surface critical to remaining cyber secure.

Winning looks like an overall reduction in vulnerability risk. While it’s impossible to eliminate all vulnerabilities, a healthy pentesting cadence will strengthen your security posture over time.

Nathan Jones is Director of Client Operations at Synack. He’s also a huge racing fan.

The post Race Day: Making the Most of Your Penetration Test appeared first on Synack.