Post on 01-Feb-2022
Synack: Empowering DevOps with Continuous Testing
Richard Hodgson, Synack, Inc
rhodgson@synack.com
The Current Example
A website is due to go live a month from now, but before it can, it needs to be security tested.
• You choose a supplier to work with.
• The supplier, not you, then selects the person for the job.
• That person spends a few days testing the site, following a standard methodology and their own skillset.
• Once they have finished, they send through a PDF (likely after a two-week QA cycle is completed).
• End of engagement.
Traditional Penetration Testing can't address the dynamic security needs of DevOps
• Compliance-driven: testing driven by a checklist-only approach to satisfy regulatory requirements.
• Small, static teams: 1-2 pen testers per project, paid time and materials regardless of results.
• Point-in-time: tests conducted over a two-week period about once a year.
• No visibility: a final report print-out at the end of the test.
What other options are there?
• Automated scanning
• Traditional Penetration Testing
• Open Bug Bounty Programs
• The Synack Model
The Synack Model
A website is due to go live a month from now, but before it can, it needs to be security tested.
• Synack harnesses its crowd of 1,500 vetted testers based around the world to begin testing immediately.
• The cohort of testers, with a wide variety of skillsets and backgrounds, begins testing, all motivated via a bug bounty system.
• Each vulnerability is verified, with a description and remediation details provided on demand.
• Free patch verification and retesting, as well as customisable reports.
Synack Red Team
• 1500+ elite researchers
• Financially incentivised
• Highly vetted
• Highly available
LaunchPoint VPN
• Controlled IP gateway
• Full packet capture
• "Kill" switch capable
Reporting & Analytics
• Transformational metrics
• Only actionable data
• Mitigation advice
• Patch verification
• Custom reporting
Mission Ops
• Managed service
• Highly curated data
• Project management
In Scope Targets
• Web applications
• Mobile applications
• Host infrastructure (active IPs)
• Authenticated | Unauthenticated
Architecture of Synack Engagement (diagram)
Components shown: Synack Red Team; Synack Secure Platform [LaunchPoint VPN]; LaunchPoint+ [Hydra] [Apollo] [SmartScan]; Client Assets; Mission Ops; You. Output: a prioritized list of actionable vulnerabilities.
Hydra + Apollo
• Plug-n-play architecture
• Incorporates hacker techniques and methods
• Recon, signatures
SmartScan
• Continuous augmented actionable intelligence
Real-time analytics and performance-based security scores
Customer Portal
Testing data is available to you in real time through the customer portal. You can also generate a comprehensive report with human analysis, containing vulnerability, compliance, and Attacker Resistance Score (ARS) data. Any section can be included or omitted to customize the report for each team in your organization.
Synack Client Portal
Offensive Vulnerability Discovery at Scale: DevSecOps Use Cases
• Deliver a vulnerability risk management plan across a client's entire digital portfolio to increase efficacy and eliminate vendor management headaches
• Show ROI with ongoing program performance metrics based on Synack's proprietary ARS (Attacker Resistance Score) data
• Once a DevOps architecture is implemented, help embed security as far left in the SDLC as possible
• Integrate Synack data with DevOps tools
• Accelerate remediation by identifying the areas of highest security risk and allocating partner resources accordingly
Cloud Testing Partnerships
• Vendor-agnostic cloud provider partnerships, so testing can proceed seamlessly without a separate permission step per engagement
• The Platform understands the nuances of cloud infrastructure (such as access keys, identity management, short-lived VMs) and networks (such as DNS routing, virtual instances, storage)
Benefits of Security Testing with Synack
• Fully project managed
• Consistency of delivery
• ROI … higher than traditional pen testing
• Synack is a fixed price solution
• All bounties, rewards, swag for researchers handled by Synack
• Customizable reports incl. ARS: for audit, management, development, etc.
• Continuous testing and continuous scanning
• Agility: testing in … hours versus weeks in the traditional model
• Access to the world's best security researchers
• Vulnerabilities verified for you
• Remediation guidance: a head start for patching
• Real-time data and dashboards
• Accurate posture to the board
Comprehensive penetration testing with actionable results. Continuous security scaled by the world's most skilled ethical hackers and AI technology.
Thank You
Richard Hodgson, Synack, Inc
rhodgson@synack.com