Synack’s continuous assessment approach and the depth and diversity of the vulnerabilities found, enables Coursera to have a more comprehensive review of their environment.

1. Continuous Learning Meets Continuous Security
Case Study with Coursera
Coursera partners with top institutions worldwide to offer courses online for anyone to take for free.
Coursera’s mission is big and noble: to bring the world educational content that many wouldn’t
otherwise get. In the two years since Coursera’s inception, more than 8M students have accessed
content from over 100 different learning institutions. Meteoric growth like that attracts attention, and
not all of it is friendly.
NOT EVERYONE IS HERE TO LEARN.
Despite Coursera’s noble intentions, hackers are always
looking to make a name for themselves or steal the
personally identifiable information (PII) of the learners. PII
is a valuable asset not only to the individual it belongs to
but also to an adversarial hacker who can sell the
information for financial gain. A breach of this nature
poses a threat to the integrity of Coursera’s open,
collaborative platform, its users, university partners, and,
ultimately, to its brand.
AUTOMATION IS NOT ENOUGH.
Knowing that the trust and safety of their community is
key to their success, Coursera has been fiercely proactive
about security. One of their first steps was to purchase an
automated scanning solution from a leading vendor.
Coursera began to look for alternatives when it realized
automation couldn’t replicate the kind of creative cyber
attacks the site was exposed to. Worse, automated tools
could not handle Coursera’s sophisticated learning
platform based on an advanced AJAX architecture. These
shortcomings quickly frustrated the team. “We ran what
we understood was a ‘best in class’ automated scanning
product for a full year and found nothing helpful. Scanners
simply cannot keep up with changing web technologies
and hacking techniques,” said Coursera Information
Security Officer Brennan Saeta. This data was noise that
distracted the team from its focus on securing Coursera’s
applications and infrastructure.
THERE IS A BETTER WAY.
Coursera knew exactly what they needed: a continuous
assessment delivering actionable results without the
noise. “How do we make our site safe? Documenting
procedures for how we think it’s safe doesn’t count,”
asked Brennan Saeta. Fred Rosenzweig, Coursera’ Head of
Operations added, “We want to be protected from hackers
and we felt...the best way would be to have people
actually attack our site and try to break in. We push code
very regularly and need a solution that can keep up.”
Coursera was looking for what Brennan called, “Real
Security”—a practical solution that delivers consistent
value add results protecting their customers and brand.
That’s when they heard about Synack.
KNOWLEDGE IS POWER
Synack provided Coursera access to some of the best
security researchers in the world in a controlled, trusted
environment. Onboarding was easy. Only hours after the
launch, the Synack Red Team was logging vulnerabilities
discovered in Coursera’s web applications. Coursera found
value in discovering vulnerabilities before they were
publicly disclosed or worse, noting that, “Synack found a
diverse array of high value vulnerabilities above and
beyond our expectations.” Because of Synack’s
continuous assessment approach and the depth and
diversity of the vulnerabilities found, Coursera felt they
had a comprehensive review of their environment. “What
we are doing with Synack is more representative of what
hackers would do, and what really could happen to us
from a security perspective. We’ll always be worried about
security, but we sleep a lot better at night knowing the
Synack Red Team is on top of things.” said Brennan.
THE RESULT
“Simply put, a lot of quality finds, including a handful of
critical issues that we fixed within an hour, and that an
automated scan would never have found.” said Brennan.
Coursera is now expanding the scope of their engagement
with Synack, and looks forward to receiving even more
Crowd Security Intelligence™. “The quality and severity of
the vulnerabilities found by Synack are vastly superior to
the automated solutions we’ve used. I would highly
recommend Synack.”
COURSERA CASE STUDY See more at www.synack.com