PTaaS Makes Life Easier for Your SOC

Security operations center (SOC) analysts know there’s a difference between signing up for a self-defense class and walking around wearing a “kick me” sign. The former takes place in a controlled environment with trusted participants who can easily be held accountable for their actions; the latter is an invitation for anyone with a leg to swing it. We’re pretty sure most people with a desire to feel safer, more confident and secure living their day-to-day lives would choose the self-defense class.

Organizations looking to improve their security posture often have to make a similar decision between working with a Penetration Testing as a Service (PTaaS) provider and setting up a bug bounty program. That decision would, ideally, be at least partly informed by the answer to this question: Which approach will make life easier for the people in the SOC who have to distinguish between good-faith testing and malicious activity?

PTaaS: Daunting but Structured

Signing up for a self-defense class is a daunting task. Someone is supposed to pay to be somewhere a bunch of other people are punching, kicking and doing who-knows-what-else to heavy bags and, potentially, each other while an instructor barks at them for every mistake?

But that’s a skewed perspective. The reality is that most instructors are there to help their pupils, not belittle or intimidate them, and quality classes will rely on specialized equipment and specific codes of conduct to minimize risk of injury during any person-on-person contact.

The Synack platform is similar. SOC workers might expect that intentionally allowing members of the Synack Red Team (SRT) to poke and prod at their assets—especially in production—is simply asking for trouble. In reality, Synack only works with security researchers who make it through a thorough, five-step vetting process that involves technical assessments, a background check and behavioral interviews, among other things, to help give the SOC peace of mind.

These vetted researchers also conduct their penetration testing via the Synack platform, which includes a virtual private network (VPN) connection to client infrastructure. That makes it easy to associate this activity with authorized testing and helps us ensure the SRT operates within each client’s specified parameters. And when they do find something, the SRT and Synack’s VulnOps team collaborate to provide a clear and comprehensive report to customers.
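The attribution point above (testing traffic arrives over a known VPN path, so the SOC can tell it apart from everything else) is something a detection engineer can encode directly in triage logic. The following is an added example, not Synack's code or a description of its platform: it tags web access-log events by whether the source address falls in an assumed, constructed testing egress range (203.0.113.0/24 is a documentation range, not a real provider address) and whether the event falls inside an assumed engagement window, so that only unattributed or out-of-window activity lands in the analyst queue.

```python
import ipaddress
import re
from datetime import datetime, timezone

# Assumption (constructed for this example, not a Synack address range): the
# source range the testing platform's VPN egresses from. A real SOC would get
# this from the provider and confirm it out of band before trusting it.
AUTHORIZED_TEST_RANGES = [ipaddress.ip_network("203.0.113.0/24")]

# Assumption: the agreed engagement window for this test (UTC).
ENGAGEMENT_WINDOW = (
    datetime(2023, 10, 10, 13, 0, tzinfo=timezone.utc),
    datetime(2023, 10, 10, 14, 0, tzinfo=timezone.utc),
)

# Constructed sample web-server access-log lines (common log format).
SAMPLE_LOG = """\
203.0.113.17 - - [10/Oct/2023:13:55:36 +0000] "GET /login?user=%27 HTTP/1.1" 400 512
198.51.100.23 - - [10/Oct/2023:13:55:37 +0000] "GET /login?user=%27 HTTP/1.1" 400 512
203.0.113.40 - - [10/Oct/2023:13:56:01 +0000] "GET /index.html HTTP/1.1" 200 1024
203.0.113.17 - - [10/Oct/2023:15:10:02 +0000] "GET /admin HTTP/1.1" 403 128
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+)$'
)


def classify(ip_text, when):
    """Return a triage label for one event based on its source and time."""
    ip = ipaddress.ip_address(ip_text)
    in_test_range = any(ip in net for net in AUTHORIZED_TEST_RANGES)
    if not in_test_range:
        return "unattributed"
    start, end = ENGAGEMENT_WINDOW
    if start <= when <= end:
        return "authorized-testing"
    # Traffic from the testing range outside the agreed window is not covered
    # by the engagement and is handled like any other alert.
    return "testing-range-outside-window"


def triage(log_text):
    """Parse access-log lines and attach a triage label to each one."""
    events = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that do not parse rather than guessing
        when = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        events.append({
            "ip": m["ip"],
            "time": when,
            "request": m["req"],
            "status": int(m["status"]),
            "label": classify(m["ip"], when),
        })
    return events


def needs_analyst(log_text):
    """Events the SOC still has to investigate: anything not labelled as
    authorized testing."""
    return [e for e in triage(log_text) if e["label"] != "authorized-testing"]


if __name__ == "__main__":
    for e in triage(SAMPLE_LOG):
        print(f'{e["label"]:28} {e["ip"]:15} {e["status"]} {e["request"]}')
```

Two design choices matter here. The label is a triage hint, not proof of who sent the request: the source range has to come from the provider and be confirmed out of band, because an address allowlist that anyone can edit is just another thing to get wrong. And the engagement window is checked separately, so activity from the testing range at a time nobody agreed to is not silently discarded; it goes back into the normal queue, which is the same boundary enforcement the post describes.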

Bug Bounty: Familiar but Often Chaotic

Let’s compare the PTaaS approach to bug bounty—the security testing equivalent to wearing a “kick me” sign.

Organizations use bug bounty programs to pay independent researchers who discover and disclose vulnerabilities rather than exploiting them or selling them to someone who probably doesn’t have the organization’s best interests at heart. That’s certainly preferable to the alternative, but it can also make things more difficult for the SOC, especially in cases where “security research” was only conducted “in good faith” after the person was caught.

The SRT is composed of known researchers who agree to specific rules of engagement before interacting with an organization’s assets; bug bounty programs essentially allow anyone with technical know-how and an internet connection to look for vulnerabilities, and even if the program communicates do’s and don’ts to prospective bug hunters, it’s significantly more difficult to enforce those boundaries and hold someone accountable for breaking them.

These programs often encourage researchers to find as many potential vulnerabilities as possible, rather than security flaws that have been proven to pose a legitimate risk to the organization, which means the SOC and other departments within the organization have to deal with a significantly worse signal-to-noise ratio than they would via the Synack platform. And it can be near-impossible to distinguish between a bug bounty hunter and a malicious hacker.

Instruction, not Destruction

One final point of comparison: A self-defense class is, as its name implies, designed to help people learn how to defend themselves. Wearing a “kick me” sign could make someone hypervigilant, sure, but mostly it teaches them that being kicked hurts. There is no instructor to help someone correct their mistakes in a safe environment before it’s too late.

PTaaS is similarly designed to help organizations address the vulnerabilities they need to worry about most. Researchers who discover a vuln can help orgs determine if the mitigations or corrections they implemented are effective, for example, or if they need to be redone. The SRT’s initial report describing the vulnerability can often be passed along to development and infrastructure teams so they can learn how to avoid similar problems in the future, too.

Synack PTaaS: A Smarter Approach

PTaaS isn’t just the new norm—it’s a better way to pentest, especially in today’s threat landscape. Synack takes the best aspects of bug bounty, adds highly valuable features that SOC teams, developers and CISOs love, and abandons all the chaos of traditional models.

Don’t just take our word for it. Request a demo to see Synack PTaaS in action.