Cybersecurity is a fast-growing sector, expected to be worth over $345 billion by 2026. With higher levels of remote working among office workers, hackers have been keen to exploit the relatively low security of residential internet connections as entry routes to company systems. This has raised awareness of the risks, and of the benefits of protection, among increasingly digitised businesses. Cybersecurity providers often harness the talents of crowdsourced IT professionals who enjoy the challenge of testing company systems on top of their regular work responsibilities. In recent cybersecurity news, leading provider Synack has announced Synack Campaigns, an on-demand service delivered by crowdsourced hackers.
The start of Synack
Synack was founded in 2013 by two former employees at the NSA and US Department of Defense who shared a vision to revolutionize cybersecurity. To make their vision a scalable mission, they needed access to greater resources than they could afford to put under full-time contracts. Synack was thus created as a crowdsourced cybersecurity platform, providing an interface between businesses at risk and vetted “white hat” ethical hackers.
The benefits for the hackers are that they can accelerate their accumulation of experience and knowledge faster than in their main role alone, and earn additional income. They take on challenges to explore companies’ systems for weaknesses and vulnerabilities, and are paid on the basis of what they find and can fix, rather than the time they spend on it. This freelance payment system transfers the risk of unproductive time to the individuals, not to a company employing them. It can also look good on a CV to be so committed.
“Hack, earn and learn”
Synack’s operation is based on freelance talent, but it is nothing like a free-for-all. The volunteer hackers are vetted before joining as a member of Synack’s System Red Team (SRT) and are awarded assignments that broadly match their skills and experience. They become part of a close-knit community of around 1,500 security professionals who collaborate by sharing best practices. The mantra is “hack, earn and learn.” As their track record grows and they show they are learning, they can be assigned more demanding challenges that continue their personal development.
Payment is scaled to match the number and complexity/severity of the defense weaknesses a hacker identifies. The range of assignments includes weakness checks, “Missions” to hunt for vulnerabilities, and patch verifications. Completion of a regular Mission can pay from $500 to several thousand dollars.
SRT hackers usually work a few hours a week, on top of their “regular job.” They cannot, however, work only when they want to: they are obliged to maintain a minimum annual level of activity to remain part of the team. A leaderboard showing payments gamifies the process and incentivizes competitive behavior within the collaborative ethos. Some of the crowdsourced hackers have earned hundreds of thousands of dollars.
Their ethical hacking is kept secure by working only within Synack’s dedicated cloud workspace. Unless a client agrees otherwise, the hackers have to keep details of the weaknesses and vulnerabilities they discover confidential.
Synack’s cybersecurity news is the launch of Synack Campaigns, which handles a group of more tightly specified, limited security tasks performed by the Synack Red Team on an on-demand basis. Examples of Campaigns tasks include:
- checking for common Web Application Security Risks (OWASP Top 10 vulnerabilities),
- getting a hacker’s perspective on an asset,
- checking for a specific common vulnerability or exposure (CVE),
- compliance-driven testing, cloud configurations, and application security tests.
It operates as an app-like automated process: a client submits a request and receives a report that has been checked by Synack’s validation team before it is made available. A demonstration request will take any interested parties through the Synack Catalog to determine what Campaigns are applicable and relevant to them.
BOLD Awards III
Cybersecurity is one of 20 categories in BOLD Awards III, described as “the Oscars for digital industries.” The aim is to source and highlight companies and individuals throughout the world who are managing crowd-related projects and initiatives in a way that really powers breakthroughs. The evaluation process involves a round of public voting and assessment by an international panel of expert judges. It culminates in a gala dinner ceremony hosted by innovation hub H-FARM at their campus in Venice, Italy, on 22nd April 2022. Are you BOLD enough to enter?