This week I saw Synack and HackerOne share some information about moving into other offerings. I wanted to talk about them and explore what it means a little more than you might get from carefully worded sales slop or tweets, but we have to start with those, so let’s start with Synack & Cobalt style…


Synack & Cobalt.io

This week (17/05/2019) members of the SRT (Synack Red Team) received an email inviting them to declare their CREST qualifications:

Are You CREST Certified? Synack Wants to Hear From You! by ryanrutan

Synack is committed to seeking the largest and most diverse customers in the world. Trust and reputation are key components to opening new doors and delivering new challenges to SRT. Today, Synack received CREST Accreditation for penetration testing services and was recognized as a CREST Member company. CREST is an international not-for-profit accreditation and certification body that represents and supports the technical information security market. This recognition will no doubt further bolster Synack’s earned trust and reputation in the industry.

… but Ryan, I’m in SRT, So What?
To get straight to the point, the more SRT certifications Synack can amass, the easier it is for Synack to land harder, unique and more exclusive targets. This means more targets, more open vulnerability windows, more missions and more chances for SRT to get paid.

What Does Synack Want From SRT?
If you already have any of the following CREST Certifications:

  • CREST Practitioner Security Analyst
  • CREST Registered Penetration Tester
  • CREST Certified Web Applications Tester
  • CREST Certified Infrastructure Tester

Please update the certifications area of the Synack portal (a new CREST option was just added) and let us know you are willing for Synack to confidentially share your name with CREST to associate your certifications with Synack by creating a support ticket, support@synack.com and we will take care of the rest.

Note: If you have other certifications you’d like to add and do not see in the drop-downs, please let us know and we will look to add them to the platform.

Interested in Getting Certified?
Stay tuned for updates about an upcoming rewards program announcement where SRT members can get reimbursements for certifications, tools, etc… simply by staying engaged with SRT! More details to come.

Okay, so that’s the email that went out. Let’s cover some caveats and get into it.

The Synack Red Team is a capable collection of mostly part-time participants delivering security testing, usually in their spare time. This post isn’t about the employees … well, the not-employees … the people that are doing the work but aren’t actually employed.

This is about the underhandedness of Synack & Cobalt – or at least I feel it’s underhanded.

Let’s look at Synack and Cobalt’s entitlements; we can see that they are a CREST member.

CREST

Hmmmmm. I have some friends within CREST, and I hope they’re all over this, but at first glance it feels like they give very few f*&^’s about the optics here: a low-quality cash grab.

It raises the question of CREST’s loyalty to its existing 151 organisations, which pay for failed and passed exams, training, development and membership.

The Certificates Synack (and possibly Cobalt) are seeking

  • The CREST Practitioner Security Analyst examination costs £275 + VAT/tax
  • The CREST Registered Penetration Tester examination costs £395 + VAT/tax
  • The CREST Certified Infrastructure Tester examination costs £1625 + VAT/tax
  • The CREST Certified Web Applications Tester examination costs £1625 + VAT/tax

and the membership fees:

Annual membership fees will be applied as follows:

  • £7,000 pa for membership of one region and any of its associated country Chapters
  • £25,000 pa for global membership (all regions and associated country Chapters)
  • £5,000 pa for membership of one country Chapter

I can’t help thinking that Synack are using other companies’ workforces to bid for work against those same companies, and then using those companies’ workforces to deliver the work. If that is the case, then there is some fuckery going on, and it should be treated as such.

If I were one of those companies, I’d be asking my employees if they’ve told Synack about their CREST certificates; once they know, they know. But really, I think the fix should be some type of consultant declaration if CREST continues to work with Synack. I’m very interested in how this pans out, as should be all CREST members that compete for work amongst themselves with their own workforces, and now against Synack… with your workforce.

Should organisations demand more integrity from CREST?

Should CREST Certification be something that consultants obtain by their own achievements?

Let’s look at the cost of investing in employees to get them to a CREST level:

If you’re not Synack or Cobalt.io

If they get through the hiring process at a good security consultancy (which exceeds Bugbounty participation criteria by a country mile), taking a computer security or computer science graduate to a CHECK Team Leader, i.e. CREST Certified Infrastructure Tester or CREST Certified Web Applications Tester plus Security Clearance, is a five to seven year roadmap. Those new team members will be put through various training labs, but not before 4-6 months of dedicated basic training before being let loose as a supported pen tester. During this time the employee will be enjoying a growing salary, starting from £40,000 and growing to over £110 OTE, plus the nice things like healthcare, dental, car, ongoing training and security conference opportunities. I can see how these organisations allow their employees to keep in shape for extra pocket money on Bugbounty, but I don’t see how they find it acceptable that Synack/Cobalt bid for work that other consultancies will be bidding for, yet Synack and Cobalt will be using the same organisations’ employees to deliver CREST work.

Thoughts: startups gonna push their luck; CREST seems to be another greedy snake eating itself.


HackerOne

Regardless of how negative I am towards Bugbounty startups moving into other spaces, Mårten is tolerant and, I think, genuinely draws from criticism in search of a path that doesn’t attract so much criticism. So while my view on HackerOne isn’t a great one, I do admire his thick skin.

Okay, caveat done.

Let’s break the tweet down. Mårten says:

The wonderful case of a cybersecurity offering that *reduces* the workload on a security team

and the image attached states:

The fact that we have a contract means we don’t have to hire a security analyst right now – Engineering Director, Payment Solutions

Mårten suggests the offering reduces the workload, while the Engineering Director states they don’t have to hire a security analyst.

I’m cynical and defensive by default; that’s usually why I’m good at my work, but it also makes me a bit of an arsehole. If you can take the arsehole-ness out of my page, you might be left with some good points.

When you look at the two messages in conjunction with each other, they are contradictory in terms: on one hand you have a reduction in workload (relieving existing teams) and on the other hand a reduction in team (i.e. not hiring someone because you are using H1). So, is there a message for two audiences, one that says ‘Hey security teams that are low on employees, we can help’ and another that says ‘Hey people that don’t work in security functions, you can hire our not-employees to assist’?

I feel the Engineering Director’s message may be honest, but that’s very relative to that person’s situation. Traditionally a director of engineering’s responsibilities fall around project management, hiring new team members, presenting budgets and plans to other departments, and meeting with upper-level management, so while I can see that the pressure of hiring talent might make using HackerOne desirable, it’s short sighted. Does it get the job done? Maybe? Sometimes? No? Yes?

My problem with it is that it’s presented as a success story.


Exploiters being Exploited.

I’ve been paid good money from crowdsourced security initiatives (CSSI) and/or bug bounties. This was from mature organisations that knew where Bugbounty/CSSI was best positioned, and that’s exactly where they thought it should be positioned in year one: at the end of the software development lifecycle, and for continuous testing in live.

Don’t let ‘Crowdsourced/Bugbounty’ platforms take advantage of you; take advantage of them. They belong in the final space between front-impact testing in the SDLC and continuous assurance, once you’re confident the live environment is strong.

If you don’t have security in your name, have a relationship with your organisation’s security team and articulate your requirements. If they can’t pull resource, they will give you the best advice; it will allow for better harmony between teams and common goals.

I know that they will keep picking away to keep those stakeholders happy, but it’s important to have these kinds of rants to help make sure you actually need crowdsourced security as opposed to conventional security: understand what you’re paying for and what security providers are investing in to bring you the best assurance, and also who undercuts and practises shitty methods to win work. If your organisation is as cut-throat as they are, have at it; it’s not a good look, and if it’s successful, play it out: guess who wins and then guess who loses.

Pro-tip: your own triage team is the best triage team. More on that here.

I welcome comments on Twitter: @n0x00