Crowdsourcing Security Testing: Synack Takes Protection To The Next Level

When it comes to penetration testing of a network, the old way of doing it is simply to pass a test.

But because most security breaches are the result of human error, process failures or unpatched vulnerabilities, the traditional testing methods are not enough, particularly in this environment of heightened risks and bigger payoffs for the bad guys.

“Traditional penetration tests don’t properly incentivize testers to look for hard-to-find vulnerabilities – which is essential to real and effective security,” Synack wrote in a blog post this summer. “Non-Synack Bug Bounty companies do not document checks for weaknesses – an essential component to security reviews and compliance testing. A complete penetration test means no compromise between finding true positives (vulnerabilities) and true negatives (checklist-style weakness checks).” The company noted in the June blog post that it has already conducted thousands of compliance checks for its customers using its crowdsourcing method.

But potential customers don’t have to take Synack’s word for it. To prove that its approach to compliance testing is more thorough, it hired Coalfire, one of the biggest compliance testing firms, to perform a deep dive into its technology, processes, and results. Synack said that by evaluating its new approach to penetration testing, Coalfire helped demonstrate that its crowdsourcing method meets the requirements of traditional penetration testing and then some.

Synack is among a fast-growing crop of cybersecurity companies that are taking protection to the next level. With the old way of doing security still leading to data breaches, ransomware, and malware campaigns, Synack is finding more organizations are turning to ethical hackers to help. It works with a group of security researchers across the world, arming them with a platform to detect vulnerabilities for Synack’s customers.

While Chief Information Security Officers are considering crowdsourced security testing, trust in these types of services is still not universal. That has prompted Synack to take a leading role in educating the marketplace, recently releasing a new report for CISOs.

“As crowdsourced security programs gain momentum, education is lagging behind. It’s critical for security team leads to know what they’re getting with an open bug bounty program compared to an invite-only program or a crowdsourced penetration test,” said Jay Kaplan, Synack CEO and Co-Founder, in prepared remarks in the spring. “Not all crowdsourced programs are created equal, and organizations should have the knowledge to choose programs that best fit their needs.”