With managed hosting from True you know that the infrastructure of the hosting platform is optimally secured. But does that also apply to the security of the web applications that run on it? With the security audit, True periodically scans your web applications for common security issues.

The challenge for our customers

Technology changes constantly, and keeping up in the fast-moving world of web development and security is extremely difficult. New vulnerabilities become known every day, and in principle a customer would have to apply patches every day. Is that feasible? Often not. What matters is that customers have insight into the security of their projects and a clear picture of the risks involved. That allows them to schedule updates, patches and changes into their own sprints so that their product or service stays as secure and stable as possible, for themselves and for their customers.

Our solution

The security audit consists of a broad mix of automated scans, online investigation of vulnerabilities related to the organisation, and manual attempts to break into systems and environments.

The audits are performed by security engineers with extensive technical knowledge and practical experience, including ethical hacking. They are also the people who built our Advanced Security Platform, partly on the basis of what they learned from these security audits.

We offer customers three variants. They differ in the number of hours we put in and, with that, in how much we can uncover for the customer within those hours. All three are "Greybox" tests: before the test starts we are given insight into the environment, the code and the (internal) workings of the project. We first look at how the different systems work together and use that knowledge while performing the audit, so that the hours go into testing rather than into discovering the environment from scratch.

Some sales facts from past audits:

  • In 48% of the cases, our engineers managed to completely take over the management of the environment.
  • In 76% (!) of the cases, our security engineers gained access to personal data. In critical cases the customer was notified early, rather than at the end of the audit.

The result

After the security audit you receive a research report (Standard and Enterprise variants) or a technical report (Lite variant) from True. In the Standard and Enterprise variants the researcher carefully interprets the results, assigns a risk profile and records everything in a report that also discusses the vulnerabilities, the risk analysis and our recommendations. The Lite variant is a technical report of the findings, where possible with reproduction steps so that the customer can reproduce and remedy each vulnerability; it is suitable for organisations that already have the knowledge to assess the risks themselves.

Within one to two months at the latest, we run a rescan to check whether the vulnerabilities found have been closed. If they have not yet been closed at the time of the rescan, we contact you to report this. Fixing a specific vulnerability can be complicated, because it often lies in the application itself rather than in the hosting platform. Does the customer have difficulty resolving a vulnerability? Then True or one of our partners can help them on their way.

Ideal customer profile

When is it interesting? Always. With new exploits, vulnerabilities and large-scale hacks appearing every day, every company would do well to go through this process at least once. The lessons that usually come out of these reports are very valuable and offer real growth opportunities and awareness to everyone involved. So not only the customer but also Broad Horizon and all sister companies can learn a lot from it.

Is the customer looking for a skilled party that can audit their code and environment?
Then we can help.

Is the customer required, from a compliance point of view, to perform a security audit at regular intervals, for example for certifications?
Then we can help.

Does the customer have an environment that stores personal data, and does the customer want to be sure that it is properly locked down?
Then we most certainly can help.

Does the customer want to be sure in advance that the highest security standards are being met in connection with the Data Breach Notification Obligation?
Then we can verify that with such a test. By regularly performing a security audit on your environment, we can notify you immediately if we identify a data breach or exposed personal data, so that you can intervene. This is an effective way of meeting the requirements of the AVG/GDPR (enforced in the Netherlands by the Autoriteit Persoonsgegevens, the Dutch Data Protection Authority).

What type of test should I recommend?

That depends on the type of customer you are helping. If you have further questions, you can always contact the responsible persons indicated; they can advise you as well. As a rule of thumb, you can assume the following:

— The Greybox “Lite” (16h, technical report only)
For organisations that do not want the entire web environment scanned and are mainly looking for the technical weak spots. The Greybox Lite audit is a 16-hour investigation whose findings are aimed at the technical staff on the customer side. The customer receives a concise technical report of the findings, without the risk profile and advisory text of the other variants.

— The Greybox “Standard” (32h, with report)
An extensive investigation of 32 hours in which the security engineer has prior knowledge of the environment. In addition to testing for common digital attacks, we also test the application as a logged-in user, which uncovers vulnerabilities that are not visible to an anonymous visitor. The results are extensively documented in an advisory report that fully describes each finding (explanation, likelihood, risk, impact, recommendation).

— The Greybox “Enterprise” (48h, with report)
For environments with a very extensive application, for which we take plenty of time. Includes all extras, such as the option of advanced phishing campaigns and on-site training by our security engineers. The latter can be very valuable for raising security awareness among the customer's staff and, where relevant, the customer's own clients. The results of the tests are extensively documented in an advisory report that fully describes each finding (explanation, likelihood, risk, impact, recommendation).

Many free online security scans for websites are available. So why should I choose a (more expensive) security audit from True?
Free online scans typically find only a small part of the actual vulnerabilities; the True security audit goes much deeper. Free scans also lack human interpretation of the results, which increases the chance of false positives, and the findings are not placed in the context of your environment. Finally, a free provider may misuse the results, for example by exploiting a weakness it found or by selling the vulnerabilities to third parties: they have to earn their income somewhere if the service is free to you.

What is the lead time between requesting a security scan and delivering the report?
The turnaround time of the audit depends on the wishes and requirements of the client. After conducting the audit, we aim to deliver the report within one to two weeks.

Contacts