
Ex-NSA Hacker Launches Bug-Hunting Tool Inspired by Spy Agency

Security firm launches hybrid human and machine platform to find and patch software vulnerabilities.
October 21, 2015, 10:00am

When Jay Kaplan worked as a hacker at the NSA, he and his colleagues at the intelligence agency could count on powerful computers that automatically gathered data to complement their human skills.

Now Kaplan, who is the founder of security firm Synack, wants to give white hat hackers and security researchers something similar to help them hunt bugs and vulnerabilities.

On Wednesday, Synack, which connects its customers to a large pool of security researchers, launched a new automated tool that scans customers' networks and flags potential vulnerabilities, alerting researchers where to look.


For Kaplan, this is a sort of hybrid human-machine system that will help his customers make their software more secure by partially automating bug hunting. It's a more conservative, albeit perhaps more realistic approach than what DARPA dreams of doing with its Cyber Grand Challenge, a competition that aims to create software that automatically finds and fixes bugs, without the help of any human.

Kaplan believes that you can't just take the human hacker out of the equation, especially if you want to scale up bug hunting and make highly complex software secure.


"There always need to be humans in the mix," Kaplan told Motherboard in a phone interview. "Researchers are a really important part of the equation, and without their creativity and understanding of the environment that they're looking at, a lot of issues are missed."

Synack is part of a new wave of companies trying to turn security research and bug bounties into a commodity. Big tech companies such as Facebook and Google have for years offered rewards to friendly hackers who find bugs and report them to the company. Now startups like Synack, HackerOne, and Bugcrowd are crowdsourcing these efforts, acting as middlemen between companies and security researchers.

Synack's new system is called Hydra, a reference to the many-headed monster of Greek and Roman mythology. This Hydra is a platform that scans Synack customers' networks: it looks for known vulnerabilities, sends crafted requests to test how systems respond, and looks for patterns that point to potential bugs. It then feeds that information to the company's cadre of freelance and in-house security researchers, who can focus their efforts on the flagged portions of the network rather than looking everywhere for bugs.

Synack is making Hydra available to all customers right away, though a few of them have already been using the technology for several months.

"The ultimate goal is to decrease the window of exposure for our customers [and] increase the speed at which our researchers find vulnerabilities and exploit paths," Kaplan said.

In other words, Kaplan wants to give his customers the speed of machines without losing the old-fashioned but crucial element of the eyes and brain of a flesh-and-blood hacker.

This story has been corrected. A previous version of the story stated that Hydra scans customers' source code, but it actually scans customers' networks—not source code.