The age-old penetration test is dead, long live the penetration test... So, as discussed before, a one-off penetration test does not work. Why?
- Code changes - possible introduction of vulnerabilities
- Framework vulnerabilities are discovered all the time (see here)
- Server/Hosting changes may give rise to a vulnerability
- Patching - possible introduction of vulnerabilities
- Logical/Business logic vulnerability - from new features
- etc etc
So, our one-off penetration test is only a point-in-time assessment. It has its place for deep-dive penetration tests, but more often than not the value of a one-off penetration test is eroded the day the report is finished... like driving a car out of a dealership, it loses half its value in an instant.
We decided to do something different...
How about a solution that provides...
- Monthly or more frequent vulnerability assessments
- Covers Layers 1-7 (host, protocol, server, IP, patch, webapp, framework etc etc).
- Is manually verified by humans (not androids or monkeys!)
- Integrates with many many other security services.
- A single point to view your entire security posture across all OSI layers for your entire Internet presence.
This type of idea makes sense, right? We don't have experienced consultants running scans and chasing false positives.
We don't have 300 reports to manage while attempting to track what was fixed, how and when, not to mention risk priority.
For the last year we have been developing a pretty decent vulnerability management tool.
It answers questions like:
- What are my high risk issues?
- Where are my high risk issues?
- How old are they?
- What is vulnerability history for my assets?
- Am I more or less secure than yesterday/last month/last year?
What are my biggest security concerns on the network and application layers? What is the history of each asset and what changes have occurred? The dashboard answers such questions.
My to-do list! Ordered by risk, date, asset, etc. What do I need to remediate, and which issues take high priority? Also advice on how to fix discovered issues.
Each of my assets organised by criticality. A snapshot of each asset. Is it more secure than the last scheduled assessment? Are my issues in the network layer (administration/config) or the application layer (development/devops)?
Yes, you can download deep technical reports or executive level reports on one or more assets if you wish. Select date ranges for historic reporting also.
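To make the questions above concrete, here is an added illustration in Python (not the post's tool, nor any real product's code) of the bookkeeping a vulnerability management dashboard needs behind such questions: de-duplicating findings across repeated assessments, tracking first/last seen so each issue has an age, marking findings resolved when they disappear from a scan, ordering a to-do list by severity then age, splitting an asset's open issues by network vs application layer, and comparing a crude posture score between two scans. The asset names, finding titles and dates are constructed sample data.

```python
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional, Tuple

SEVERITY_RANK = {"critical": 4, "high": 3, "medium": 2, "low": 1}


@dataclass(frozen=True)
class Finding:
    asset: str      # hostname of the asset
    layer: str      # "network" (administration/config) or "application" (dev/devops)
    title: str      # normalised finding title, used for de-duplication
    severity: str   # one of SEVERITY_RANK

    def key(self) -> Tuple[str, str, str]:
        # Same asset + layer + title across scans is treated as the same finding
        return (self.asset, self.layer, self.title)


@dataclass
class Tracked:
    finding: Finding
    first_seen: date
    last_seen: date
    resolved: Optional[date] = None


class FindingTracker:
    """Keeps one record per unique finding across repeated assessments."""

    def __init__(self) -> None:
        self.items: Dict[Tuple[str, str, str], Tracked] = {}

    def ingest(self, scan_date: date, findings: List[Finding]):
        """Record one assessment; return (newly seen, newly resolved) findings."""
        seen = set()
        new: List[Finding] = []
        for f in findings:
            k = f.key()
            seen.add(k)
            t = self.items.get(k)
            if t is None or t.resolved is not None:
                # Never seen before, or re-appeared after being closed: new record
                self.items[k] = Tracked(f, scan_date, scan_date)
                new.append(f)
            else:
                t.last_seen = scan_date
        resolved: List[Finding] = []
        for k, t in self.items.items():
            if t.resolved is None and k not in seen:
                t.resolved = scan_date  # absent from this scan: treat as fixed
                resolved.append(t.finding)
        return new, resolved

    def open_items(self) -> List[Tracked]:
        return [t for t in self.items.values() if t.resolved is None]

    def risk_score(self) -> int:
        """Crude posture number: sum of severity ranks of all open findings."""
        return sum(SEVERITY_RANK[t.finding.severity] for t in self.open_items())

    def todo(self, as_of: date) -> List[Tuple[str, str, str, int]]:
        """Open findings as (asset, title, severity, age_days), worst and oldest first."""
        rows = [(t.finding.asset, t.finding.title, t.finding.severity,
                 (as_of - t.first_seen).days) for t in self.open_items()]
        rows.sort(key=lambda r: (-SEVERITY_RANK[r[2]], -r[3], r[0]))
        return rows

    def layer_breakdown(self, asset: str) -> Dict[str, int]:
        """How many open issues an asset has per layer."""
        counts = {"network": 0, "application": 0}
        for t in self.open_items():
            if t.finding.asset == asset:
                counts[t.finding.layer] += 1
        return counts


def posture_change(before: int, after: int) -> str:
    """Answer 'am I more or less secure than last time?' from two scores."""
    if after < before:
        return "more secure"
    if after > before:
        return "less secure"
    return "unchanged"


# Constructed sample data: two monthly assessments of two hypothetical assets.
JAN, FEB = date(2024, 1, 1), date(2024, 2, 1)
SCAN_JAN = [
    Finding("web01.example", "application", "SQL injection in login form", "critical"),
    Finding("web01.example", "network", "Outdated TLS library", "high"),
    Finding("mail01.example", "network", "Open SMTP relay", "high"),
]
SCAN_FEB = [
    Finding("web01.example", "application", "SQL injection in login form", "critical"),
    Finding("mail01.example", "network", "Open SMTP relay", "high"),
    Finding("web01.example", "application", "Missing Content-Security-Policy header", "low"),
]


def run_demo() -> dict:
    tracker = FindingTracker()
    tracker.ingest(JAN, SCAN_JAN)
    jan_score = tracker.risk_score()
    new, fixed = tracker.ingest(FEB, SCAN_FEB)
    feb_score = tracker.risk_score()
    return {
        "jan_score": jan_score, "feb_score": feb_score,
        "trend": posture_change(jan_score, feb_score),
        "new": [f.title for f in new], "fixed": [f.title for f in fixed],
        "todo": tracker.todo(FEB),
        "web01_layers": tracker.layer_breakdown("web01.example"),
    }


if __name__ == "__main__":
    for name, value in run_demo().items():
        print(f"{name}: {value}")
```

The de-duplication key (asset, layer, title) is the design choice that makes history possible: without a stable identity per finding, every monthly report is a fresh pile of issues and "how old is this?" cannot be answered. The risk score is deliberately simple; a real dashboard would weight by asset criticality as the post describes.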