This week, Ed Amoroso, Former SVP and CSO of AT&T and now CEO of TAG Cyber, LLC released the first TAG Cyber Security Annual featuring Synack as a distinguished vendor, and available for free download here. In the blog within a blog below, Ed briefly discusses how he was first introduced bug bounty programs, and how he has come to realize that Synack doesn’t fall into the category of your typical bug bounty program.
Hackers and Managers . . . Not Always So Perfect Together
Posted by Dr. Edward G. Amoroso
The first time I ever heard about bug bounty programs was from my friend Eric Grosse at Google. He explained to me how they were doing really creative stuff at the time – several years ago – providing payment to hackers who found interesting security vulnerabilities that required fixing. I was intrigued to say the least.
Fast-forward to today, and while bug bounty programs are so clearly useful for spotting vulnerabilities, they remain one of the most often-missed and frequently avoided elements of a successful enterprise cyber security program. So many companies still do not have an active bug bounty program, and no compliance manager or regulatory official ever seems to think this is even a problem.
And I think I know why . . .
Bug bounty programs, if done poorly, can be messy as heck – with potentially ugly side effects. Furthermore, if a bug bounty is run really badly, the consequences can be worse than ugly: They can cause business problems. Take for example the hapless bug bounty team that challenges hackers to “have at it on our Website.” This kind of loose guidance will certainly wreak havoc on the target site, probably leaving a bad taste in everyone’s mind.
When I began researching my 2017 TAG Cyber Security Annual, which was released for download today (9/8), I started looking at various models that supported proper vulnerability management using external talent. And one model that impressed me greatly was the one I found at Synack. Referred to by the team as crowdsourced vulnerability management, the Synack approach involves carefully vetted researchers who create all the fine elements of bug bounty programs, but under conditions that can be carefully managed. As I looked more closely under the hood, I became even more convinced that this was a fine approach.
Why is this important?
Well, hackers and managers are going to need to find a way to break bread together. Hackers – ahem, I mean researchers – have the ability to find subtle problems and managers need to have this done. Collaboration between the two groups is only going to happen under conditions where the hackers can be creative and the managers can have control. The Synack model seems to support both. Have a look – it might be just what the doctor ordered.
As Ed clearly hit on in his post, leveraging hackers to find vulnerabilities that evade machine and static groups of pen testers, can undoubtedly be an effective addition to any organization’s existing security infrastructure. Maintaining application and network security requires constant vigilance from a diversity of “attacker” perspectives – hence the birth and evolution of the bug bounty program. Crowdsourced red teams or hacking communities can augment internal security teams with hundreds, possibly thousands, of security researchers for application security and penetration testing purposes. And as breaches continue to increase in both frequency and scale across the globe, organizations are increasingly finding themselves in search of security solutions that can keep up with not only the pace of digital transformation – but also the evolving adversarial landscape – crowdsourced security programs can do just that – but it’s important to pick a program that best meets your business needs.
Here at Synack, we don’t necessarily call ourselves a bug bounty program, we like to describe our solution as a Crowd Security Intelligence Solution. Our model shares the crowdsourced, incentive-driven, and adversarial components of most bug bounty programs but with technology, operations and a business model that makes it possible for every company to deploy easily and effectively.
Unlike the typical public bug bounty program, Synack cultivates a diverse and private community of highly curated security researchers. We refer to this group of experts as the Synack Red Team (SRT), 100% of whom have been carefully vetted for both skill and trust. Their activity is continuously captured and monitored through LaunchPoint, our full packet-capture gateway technology that tracks all researcher activity and provides complete accountability, a characteristic unmatched by commercial bug bounty programs. This combination of highly vetted security researchers, combined with an auditable activity record, provides full transparency and sufficient technical controls for even the most conservative organizations to take advantage of crowdsourced security testing for sensitive applications and internal environments.
Essentially, we at Synack have developed a dynamic crowdsourced security solution that brings together the most advanced and highly-vetted security researchers in the world with proprietary technology to mimic attacks and discover vulnerabilities that real-world malicious hackers could leverage to gain access to IT systems. Synack’s crowdsourced security testing solution optimally pairs humans with machines to provide the enterprise with a truly scalable, continuous, hacker-powered approach to identifying and mitigating critical vulnerabilities in a controlled and trusted manner.