Synack debuted a new tool called Hydra that is designed to make it easier for its researchers to find potential threats.
“Hydra is a platform that helps researchers to identify potential vulnerabilities that they can then utilize for exploitation purposes,” Jay Kaplan, CEO of Synack, told eWEEK. “It also gives them better cognizance of our customers from a change detection standpoint.”
Kaplan started Synack in 2013 after spending nearly four years working as a senior analyst for the National Security Agency. Synack researchers are rewarded for finding vulnerabilities in customer environments and applications. Hydra is now part of the platform that security researchers get access to when they work with Synack, Kaplan said.
Hydra, written by Synack developers largely in the Python programming language, resides in the Amazon cloud. The back-end data store includes the MongoDB database as well as Hadoop HDFS big data storage technologies. Hydra enables companies and security researchers to see how the externally facing infrastructure of organizations looks over time, Kaplan said.
As IP addresses are added, services come online and IT infrastructure changes for a given organization, Hydra provides researchers with alerts so they can examine what’s going on for potential weaknesses. As an example, Synack has a customer with an online banking application that has lots of back-end infrastructure. “We have ingested their entire IP space into Hydra and are monitoring for changes of state,” Kaplan said.
The issue is not that security researchers working with Synack couldn’t have found changes in an organization’s infrastructure on their own, but Hydra enables researchers to focus on specific areas and alerts researchers to new elements that the system identifies as a potential risk, Kaplan said.
A common tool many security researchers use is the open-source nmap scanner, which can help find open ports on a network. According to Kaplan, Hydra in some respects is a next-generation approach for a tool like nmap. “Hydra brings that data back to researchers and provides visualization so researchers know what to focus on,” he said.
By providing Hydra to its researchers, Synack is now making it somewhat easier to find vulnerabilities than before. That said, Kaplan emphasized that Synack isn’t reducing the amounts it pays researchers.
“We’re basically enabling researchers to make money faster, and that’s a great thing for everyone,” Kaplan said. “Researchers get more money as they spend the same amount of time to find more vulnerabilities and customers get information faster so they can close holes quicker.”
Paying security researchers to help find flaws is not unique to Synack. HackerOne and Bugcrowd are among the competitive offerings currently in the space.
Synack focuses on quality and not quantity when it comes to security researcher participation, Kaplan said. “We built our business around the enterprise trying to help them adopt the best of the bug-bounty space, without any of the risk,” he said.
Sean Michael Kerner is a senior editor at eWEEK and InternetNews.com. Follow him on Twitter @TechJournalist.