Jay Kaplan worked for the U.S. National Security Agency (NSA) for nearly four years before leaving to set up his own security startup called Synack.
At Synack, Kaplan has taken some of the lessons he learned while working at the NSA to create a new model for enterprise application penetration testing and security. Synack is a venture-backed startup and has the support of Kleiner Perkins, Google Ventures and Greylock Partners.
In a video interview with eWEEK, Kaplan discusses Synack’s model for engaging a community of security researchers to help enterprises find flaws in applications. The basic premise behind Synack is that most organizations are not properly equipped to deal with assessing security threats, he said.
What Synack does is bring together top security researchers from around the world and provide a platform that pays those researchers for bugs they find in an enterprise’s Web and mobile applications as well as infrastructure components.
“You can see some analogies between what Synack is doing and the bug bounty space from Google, Facebook and PayPal and their responsible disclosure programs, except that we’re doing it in a much more structured, formalized way,” Kaplan said.
Researchers are sourced by Synack from multiple locations, including other IT consultants and the government. Kaplan said that most of Synack’s researchers are moonlighting, as they also have day jobs. Those researchers are doing the Synack work as a side job.
“It enables our customers to get access to talent that they wouldn’t traditionally have access to,” Kaplan said.
From a compensation perspective, Kaplan said that, for example, a SQL Injection attack bug could provide a researcher with an award of several thousand dollars. The awards scale based on the severity of impact to a customer.
Kaplan left the NSA prior to the Edward Snowden disclosures about mass metadata collection of U.S. citizens. Kaplan emphasized that the NSA has a lot of very talented and smart people working for it. As to why he left the NSA, Kaplan said he saw a need and was able to receive some seed capital to pursue his vision.
At the NSA, Kaplan was focused on offensive security, looking at a wide range of vulnerabilities in technology, in support of U.S. Intelligence operations.
“What we saw at the agency is that if you bring the right people together in the same room who are really talented and motivated, you’ll be really successful at accomplishing the task at hand,” he said. “You definitely can see that analogy with what we’re doing at Synack.”
Sean Michael Kerner is a senior editor at eWEEK and InternetNews.com. Follow him on Twitter @TechJournalist.