Synack and Coalfire compliance
25 July 2018

Synack and Coalfire – How to Crowdsource PCI Compliance Testing

Rajesh Krishnan

Coalfire recently completed an evaluation confirming the suitability of Synack’s Crowdsourced Penetration Testing product for the penetration testing requirements of PCI DSS 11.3. That evaluation is now available for download (PDF).

Who Do You Trust? And How Much Do You Trust Them?

Much of the security industry relies on conferred trust. For example, digital certificates issued by trusted parties are used to establish trust in digital content. A certificate binds a public key to an identity, and a relying party that trusts the issuer accepts that binding. From that point onwards, anything correctly signed with the corresponding private key is trusted as well, so the trust placed in the issuer is only as good as the rigor of the issuer’s own checks.

Traditional penetration testing has played the same role of trusted issuer, largely for compliance purposes. If you passed a pen test (the logic went), you were compliant. But what became clear was that compliance is not security. Security breaches usually occur due to human error, process failures, or novel vulnerabilities – not the basic weaknesses that compliance checklists tend to cover. Security testing needed to expand to satisfy compliance requirements and to genuinely improve security at the same time. Genuine improvement comes from transforming an organization’s security knowledge and practices through insights, data, and real-world attack simulations.

Synack has added compliance-style testing to our vulnerability discovery testing, to give our customers an all-in-one, efficient, and results-packed crowdsourced penetration test. But, to be sure we didn’t miss anything, we engaged Coalfire to perform a deep dive into our technology, processes, and outputs. Coalfire is one of the largest, if not the largest, compliance-focused testing firms with a long history of assisting companies with their security services. By evaluating Synack’s new approach to penetration testing, they help demonstrate that Synack’s unique method of crowdsourcing meets the compliance requirements of traditional penetration testing.

Don’t Settle for Just a Bug Bounty or Just a Penetration Test – Have It All

Traditional penetration tests don’t properly incentivize testers to look for hard-to-find vulnerabilities – which is essential to real and effective security. Synack does. Bug bounty programs other than Synack’s do not document the checks that were performed and found no weakness – an essential component of security reviews and compliance testing, since an auditor needs evidence of coverage, not just a list of findings. Synack does. A complete penetration test means no compromise between finding true positives (exploitable vulnerabilities) and recording true negatives (checklist-style weakness checks that were run and passed).

We’ve conducted thousands of compliance-related checks for our customers already, each one paving a new path to complete, converged security testing. We hope you read the Coalfire paper then contact us to see how you can begin your compliance journey with Synack.

Download the paper.