02 April 2018

Have Your Security and Get Compliance Too

Mark Kuhr

They say you can’t have your cake and eat it too. But if effective security and compliance are cakes (don’t we all wish!), now you can with Synack Crowdsourced Penetration Testing. We’re pleased to introduce our new offering—Crowdsourced Penetration Testing (CPT)—as a two-in-one true security and compliance deal, a deal the security industry hasn’t offered until now.

The Old Rules of Compliance

In the early 2000s, regulatory standards like PCI were created as a collective way to codify cybersecurity best practices. The financial industry had recognized a trend: as online payments (driven by the ecommerce boom) skyrocketed, security breaches went up with them. PCI DSS was a set of security standards created in 2004 by the major credit card companies as an answer to the credit card fraud issues brewing across the industry. Any organization that handled payment processing had to comply with the new standard.

The concept of PCI was cutting edge in the 2000s. However, as modern adversaries become more technical, creative, and sophisticated than they were 20 years ago, they continue to prove the inadequacies of stand-alone compliance as an effective strategy for security.

Taking Compromise out of Security Decisions

More innovative, incentive-based models are proving to be more effective than compliance-based tests at finding unknown vulns and preventing breaches. Organizations have started adopting crowdsourced, bug bounty-based security testing in droves over the past few years.

We all know that compliance alone won’t keep us safe from a breach. But we still don’t want to face fines and fees from regulatory bodies, run the risk of bad media mentions, and lose customer trust by failing to comply. Because of the changing nature of cyber threats and cyber solutions, security testing has split into two camps: effectiveness (the “don’t get breached” mentality) and compliance (the “don’t get caught” mentality). Organizations often find themselves choosing between pen tests and bug bounty programs.

Here at Synack, we started asking, “Why not both?” and “Why compromise?”, which led us to create a “Zero Compromise” solution. Synack’s new Penetration Testing solution builds on our core offering of Vulnerability Discovery and adds compliance-centric security checks based on PCI and OWASP guidelines. Each check targets a specific potential weakness and documents what was done to test for it. The checks are performed by security experts on the Synack Red Team (SRT). We added compliance, but the same unstructured, bug bounty-incentivized hunt for unknown vulns remains.

Synack is excited to be at the helm of changing the status quo of cybersecurity practices. We want to enable organizations to continue following the rules, and we also want to empower them to be more effectively secure. We want to help our customers get to a “zero compromise” operating level when it comes to their security.
Why use Synack Crowdsourced Penetration Testing?

Organizations seeking to meet the external penetration testing requirements of PCI receive a comprehensive report of testing actions and results from Synack. Delivered through our top-end Crowdsourced Penetration Testing, clients receive:

  • Report for Compliance – Get the proof you need for PCI DSS compliance requirements. Section 11.3 mandates external penetration testing, and Synack CPT delivers it in a form that’s easy for your auditors, QSAs, and security team to use.
  • Speed – On a tight deadline? Synack can get your compliance work started the same day using the worldwide, trusted, and tested Synack Red Team.
  • Quality Results – The Synack Red Team is the most exclusive group of security researchers in the world. Backed with Synack’s Hydra software, they have the resources and the skill to find vulnerabilities and rigorously document security checks.
  • Process Improvement – Synack CPT reports weaknesses and vulnerabilities that are easy to fix forever with training, software, and/or process changes. Reduce your risk forevermore.
  • Vulnerability Discovery – Get Vulnerability Discovery at the same time the compliance checklists are being worked through. Synack tends to find more severe vulnerabilities than competing bug bounty platforms, making you safer.

Interested in learning more? Read about it here, sign up for our upcoming webinar, or Contact Us.