Synack - devopsonline.co.uk


Synack: Empowering DevOps with Continuous Testing

Richard Hodgson, Synack, Inc

[email protected]


The Current Example

A website, due to go live a month from now…

But before it can it needs to be security tested.

You choose a supplier to work with.

They then select the right person for the job, not you.

That person then spends a few days testing the site, following a standard methodology and their own skillset.

Once they’ve finished they send through a PDF (likely once a two-week QA is completed).

End of engagement


Traditional Penetration Testing can’t address the dynamic security needs of DevOps

Compliance-driven: Testing driven by a checklist-only approach to satisfy regulatory requirements.

Small, static teams: 1-2 pen testers per project, paid time and materials regardless of results.

Point-in-time: Tests conducted over a two-week period about once a year.

No visibility: Final report print-out at the end of a test.


What other options are there?

Automated scanning

Traditional Penetration Testing

Open Bug Bounty Programs

The Synack Model


The Synack Model

A website, due to go live a month from now…

But before it can it needs to be security tested.

Synack harnesses its crowd of 1,500 vetted testers based around the world to begin testing immediately.

Our cohort of testers begins testing, with a huge variety of skillsets and backgrounds.

All motivated via a bug bounty system.

Each vulnerability is verified, with description and remediation details provided on demand.

Free patch verification and retesting as well as customisable reports


Synack Red Team

• 1500+ elite researchers
• Financially Incentivised
• Highly Vetted
• Highly Available

LaunchPoint VPN

• Controlled IP gateway
• Full packet capture
• "Kill" switch capable

Reporting & Analytics

• Transformational Metrics
• Only Actionable Data
• Mitigation advice
• Patch verification
• Custom reporting

Mission OPS

• Managed Service
• Highly Curated Data
• Project Management

In Scope Targets

• Web Applications
• Mobile Applications
• Host Infrastructure (Active IPs)
• Auth | Non-Auth

Architecture of Synack Engagement (diagram): Synack Red Team → Synack Secure Platform [LaunchPoint VPN] → LaunchPoint+ [Hydra] [Apollo] [SmartScan] → Client Assets; Mission Ops → prioritized list of actionable vulnerabilities → You.

Hydra + Apollo

• Plug-n-Play Architecture
• Incorporates hacker techniques and methods
• RECON, Signatures

SmartScan

• Continuous augmented actionable intelligence


Real-time analytics and performance-based security scores

CUSTOMER PORTAL

Testing data is available to you in real time through the customer portal. You can also generate a comprehensive report with human analysis, containing vulnerability, compliance, and Attacker Resistance Score data. Any section can be included or omitted to customize for each team in your organization.

Synack Client Portal


Offensive Vulnerability Discovery at Scale: DevSecOps

Use Cases

Deliver a vulnerability risk management plan across a client’s entire digital portfolio to increase efficacy and eliminate vendor-management headaches

Show ROI with ongoing program performance metrics based on Synack proprietary ARS data

Once a DevOps architecture is implemented, help embed security as far left in the SDLC as possible

Integrate Synack data with DevOps tools

Accelerate remediation by understanding the areas of highest security risk and allocating partner resources accordingly

Cloud Testing Partnerships

Vendor-agnostic cloud provider partnerships, so we can test seamlessly without a separate permission request to the provider for each test

The Platform understands the nuances of cloud infrastructure (such as Access Keys, Identity Management, short-lived VMs) and networks (such as DNS routing, virtual instances, storage)


Benefits of Security Testing with Synack

• Fully Project Managed

• Consistency of Delivery

• […] ROI, […] higher than traditional pen testing

• Synack is a Fixed Price Solution

• All Bounties, rewards, swag for researchers handled by Synack

• Customizable Reports Incl ARS – for Audit, Management, Development, etc.

• Continuous Testing + Continuous Scanning

• Agility – Testing in 24 hours versus weeks in traditional model

• Access to world’s best security researchers

• Vulnerabilities Verified for you

• Remediation Guidance – Head Start for Patching

• Real-Time Data & Dashboards

• Accurate posture to the board

Comprehensive penetration testing with actionable results. Continuous security scaled by the world’s most skilled ethical hackers and AI technology.


Thank You

Richard Hodgson

Synack, [email protected]
