A Field CISO’s Lesson Learned From a Mechanic
Years ago, my grandfather told me, “When you buy tools, make sure to buy good quality tools instead of the cheap stuff. If you don’t, it’ll cost you more in the long run.”
He would know: As the owner of an auto body shop, my grandfather would repair wrecks sold at auction into marketable cars. And as I grew older, I saw firsthand how friends would buy cheap drill sets, for instance, and end up needing to buy them all over again when they inevitably failed.
At Synack, we conduct offensive security testing (also known as penetration testing), but we do it in a transformational way. We test everything from web, mobile, host (infrastructure), API and cloud. We say “transformational” because our model is built around visibility, control and streamlined efficiency. Our security testing capabilities are fueled by the power of over 1,500 of the world’s best researchers in over 90 countries.
In one assessment we conducted with the Defense Advanced Research Projects Agency (DARPA), Synack leveraged around 600 researchers on five state-of-the-art prototype systems to produce more than 13,000 hours of manual offensive testing. All this testing was conducted in just a four-week performance window.
Synack’s approach is radically different from traditional pentesting, which is typically limited to a two-week timeline and one-off reports. I should know: I’ve been one of those testers. Between time for training, lunch breaks, demonstrations and plain old office chats, not much actual testing can take place in a typical workday – four hours at most. How much testing coverage are you really getting on the assets that are supposed to be thoroughly tested?
In many cases under the traditional model, one person was tasked with testing a range of assets in just two or three workdays – talk about stressful. We had to operate this way because:
- Business processes were broken
- Security teams and requirements were undervalued
- Product development and integration were overvalued
- Our team had limited hiring ability, and when we were able to hire, the business wouldn’t pay appropriate salary levels for qualified individuals (creating a talent gap)
Oh, and did I mention that our customers still had to wait two to three weeks before getting their pentest report back?
Let’s circle back to the DARPA engagement and compare that to traditional penetration testing. Before we begin, let’s benchmark a testing period of four weeks to assess cost, value and coverage.
Putting Traditional Pentesting to the Test
You might recall I mentioned previously that traditional pentesters can typically only squeeze in about four hours of actual testing per day. But let’s be generous and say we’d get a full eight hours of testing per tester. Let’s also be generous and say we have three senior-level penetration testers testing the assets. Now let’s assume there are 20 days of work in a typical month (Monday to Friday for traditional penetration testing). Multiply that by the number of testers and:
(8×20)3 = 480 Hours
During the DARPA engagement, Synack produced 13,000 hours of offensive security testing toward in-scope assets. It would take four full-time penetration testers working for a full year to match that level of testing. And we haven’t even factored in 401k matching, life insurance, medical costs, dental costs, vacation time, sick time, recruiting efforts, on-boarding and initial training and any other unfactored costs. Senior pentesters command salaries upward of $200,000 per year in the U.S., and MIT professor Joe Hadzima recommends “companies should multiply the salary range by 1.25 to 1.4 in order to get the full cost of compensation.” Ouch.
These numbers get even worse if we’re going to hire a (traditional) contractor to conduct the penetration testing for us. Now we’d have to pay a “wrap rate” associated with the testers and their services. According to growfedbiz.com, “A wrap rate is a factor you apply to a base hourly labor rate, plus indirect expenses, to arrive at a ‘loaded’ labor rate – with a profit amount then added on top.”
Applying a competitive 1.5x wrap rate to the $200,000 salary from above means that hiring just three pentesters would work out to over $1 million per year. Double ouch.
Those are some astonishing numbers, especially when comparing it to the actual value you obtain from a traditional approach to conducting offensive security. Why are so many organizations still taking a traditional approach to penetration testing? The value is nowhere near comparable to what can be accomplished with the coverage and effectiveness Synack provides.
As a consumer, I like to save a buck where I can… but. If I’m choosing to save “a buck” today because I’m presented with a cheaper (less effective) option, I know there’s a high risk it could translate into spending more later. And when it relates to systems directly tied to operational effectiveness or mission success, the stakes are higher: Being compromised, getting negative press attention, losing data or revenue. Holdouts insisting “the traditional way is better” could find themselves compromising on everything mentioned above — and be paying more to find vulnerabilities and verify patches in a mad rush.
At Synack, we’re the only FedRAMP Moderate offensive security partner that provides a firm-fixed-price on scalable testing solutions. The Synack Red Team (SRT) consists of highly skilled and uniquely selected independent researchers, all of which have passed Synack’s five-step vetting and onboarding process. Each of our researchers represents a diverse set of skills and capabilities. Our SRT community is unique in that we only accept a small fraction of all researchers who apply to be a part of the researcher pool. Once onboarded, our researchers are funneled through our proprietary platform detailing a diverse adversarial perspective.
The Synack Platform acts as a workflow, reporting and vulnerability management system that enables our clients with insights, metrics and analytics derived from all researcher’s activity. Our platform provides unparalleled control and visibility into an offensive mindset allowing agencies and business leaders to derive data-driven intelligence around their environments. This intelligence then empowers you to make steps towards a demonstrable reduction in risk, increased operational effectiveness, cost savings and streamlined efficiencies. When offensive security is leveraged in a strategic way, it becomes a very useful tool in transforming overall security program effectiveness.
“It doesn’t always save on cost to buy something because it’s cheaper.”
Thinking back on my grandfather’s lesson, I would add one more point: Just like it doesn’t always save money to buy something cheaper, spending more may not deliver more value either. Choosing the right product is also about knowing the tool you need to accomplish the job the right way!
To learn more about the benefits of the Synack Platform and our packages that augment organizations’ offensive security strategies and save on security testing costs, contact us today.
