World Leading Web-Application Security
To justify such a bold claim, the terms of reference must first be described.
Consider the following checklist as a measure of effectiveness:
The Need For Protection
Do you have high value web assets that require protection?
E.g. Internet-, Extranet- or Intranet-facing websites, web applications, APIs and mobile applications
Do you need to meet compliance standards to prove the protection of customer data? E.g. PCI, HIPAA, GDPR etc.
Do you have web assets (e.g. SAP, Oracle) where upgrades could be deferred if security concerns were addressed?
Do you have web assets that are only being replaced due to security concerns?
Are all applications, including those acquired via M&A, compliant with your security policies?
Best Practice Operational Security Program
Do you have a mature Risk Discovery and Mitigation (RD&M) program?
Is your RD&M program able to detect then patch, shield, or remediate within the required timeframe?
Do you have the necessary skills, technology and processes for expert 24/7 delivery, monitoring & response?
Do you have existing security tools that are outdated (>3 years old), underperforming or underutilized?
Does your team have the skills to expertly configure & manage SAST/DAST/IAST tools (spidering and spurious result removal)?
Are threat, CVE and other vulnerability/exploit feeds being monitored 24/7?
Are Pen Testing and/or bug bounty programs in place to ensure advanced application specific exploit discovery?
Are web assets without a development team (old, 3rd party developed, M&A) included in exploit discovery?
Does your exploit discovery integrate into your RD&M program to produce actionable intel within the required timeframe?
Patching, Software Remediation & Shielding Execution
Are you risk accepting known infrastructure & web application exploits, relying on Optimism Bias for defense?
Do you have open vulnerabilities that you are finding difficult to address either with security tools or software development?
Does resolving open vulnerabilities delay new product launches or put compliance certification at risk?
Are penetration testers able to routinely evade your security tools?
Compatibility of Security Tools With Your Business Objectives
Are your false positive rates (blocking of legitimate application traffic) and resolution times acceptable?
Is the effectiveness of your defense continually measured?
Do your security tools produce relevant governance reporting (risk, change & ROI)?
Do your security tools enhance your DevOps CI/CD pipelines?
Are your vendors and service providers commercially warranting the protection they offer?
Delivering against these objectives is what RedShield does. The RedShield team are experts in security engineering, analysis and development. They are aided by a range of AI-enhanced tools that operate cohesively in a mature program, integrated with customer governance processes, to deliver measurable outcomes.
2. https://www.bsimm.com/, https://www.sans.org/reading-room/whitepapers/application/building-application-vulnerability-management-program-35297
3. Kenna Security research, 2018, https://www.kennasecurity.com/prioritization-to-prediction-report/, shows that businesses have at best 2 weeks to protect themselves from newly published vulnerabilities (or 4 days in the Equifax 2017 case study).
4. Typical web app defense tools include Code Scanners, Vulnerability Scanners, Firewalls, DDoS services, Bot protection, WAF, NG-WAF, RASP, SIEM alerting
5. Bad guys speculatively exploit your weakest links and leverage any asset they can gain control of, e.g. running phishing credential theft from your real servers; hence you need to protect all assets.
6. World Class: False Positive rates of <1/1,000,000 blocks; resolution times of <1hour including verification of change in risk
7. Tenable research, https://www.tenable.com/cyber-exposure/vulnerability-intelligence, reveals that an average of 41 new CVEs were published daily in 2018. This means that regular application audits need to be conducted; weekly is recommended given Kenna's research finding of 2 weeks from publication to exploitation.