Thursday, October 29, 2015

Continuous Asset Profiling

Something we are pretty proud of at edgescan is our Continuous Asset Profiling service, which is part of any edgescan license.
We call it HIDE (Host Index, Discovery & Enumeration).

So what is it and why should I care?

HIDE provides continuous asset profiling across blocks of our clients' IP addresses.
So rather than asking a client to specify individual IPs, edgescan profiles entire IP blocks/ranges. But why do this?
The reason we give our clients the ability to profile entire blocks is three-fold.

  1. HIDE can detect if a server/IP has gone live since the last round of continuous profiling.
  2. HIDE can detect if a new service/port or a firewall change has occurred on any asset profiled.
  3. HIDE can alert our client of any change to their external asset profile on an ongoing basis, using various methods such as SMS, email or Live Feed.
If, as per traditional approaches to profiling, we only assess named endpoints, we don't get the full picture. HIDE eliminates network blind spots.

So, pretty much, HIDE can help detect, for example:

  • The dev team deploys a server for testing without the knowledge of security.
  • A rogue exfiltration point is established, similar to an APT.
  • A rogue service is deployed to exfiltrate data.
Detection is performed in edgescan via profile DELTA ANALYSIS on a continuous basis, so we detect change in near real time.

Via the portal, edgescan users can query HIDE information across thousands of servers in seconds. This is done using our filtering API on the console. So if a user needs to query all systems with, say, "ports 443/80 open, running Linux" across thousands of servers, this can be done in seconds and the result downloaded as CSV, XLSX etc.
Clients with large estates (thousands of IPs/servers) find this a very useful feature of edgescan.
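The delta analysis and the portal-style filter described above, as an added example. This is illustrative code, not edgescan's own HIDE implementation (which the post does not describe): it assumes each profiling round produces a map of responding IP to an OS guess and its open ports, compares two rounds of one IP block, and emits the change kinds the post lists (host live, host gone, port opened/closed, service changed). All addresses, banners and OS guesses are constructed sample data. The same event stream is what the "asset delta alerts" in the v3.0 notes further down would be rendered from.

```python
"""Profile delta analysis over an IP block (added example, not edgescan code).

Two constructed profiling rounds of one block are compared and every change is
returned as an event; a second function filters a round the way the portal
query in the post does ("ports 80/443 open, running Linux").
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, Iterable, List, Optional


@dataclass
class HostProfile:
    os_guess: str              # e.g. "Linux", "Windows" (assumed field, constructed data)
    services: Dict[int, str]   # open port -> service name observed on that port


# One profiling round: ip -> profile of the host that answered.
Snapshot = Dict[str, HostProfile]


@dataclass(frozen=True)
class ChangeEvent:
    kind: str                  # host_up | host_down | port_opened | port_closed | service_changed
    ip: str
    port: Optional[int] = None
    detail: str = ""


def profile_delta(previous: Snapshot, current: Snapshot, block: str) -> List[ChangeEvent]:
    """Compare two rounds of one IP block and return every change, ordered by address.

    Addresses outside the block are ignored, so a stray result cannot raise an
    alert for an estate the block does not cover."""
    net = ip_network(block)
    prev = {ip: p for ip, p in previous.items() if ip_address(ip) in net}
    cur = {ip: p for ip, p in current.items() if ip_address(ip) in net}
    events: List[ChangeEvent] = []
    for ip in sorted(set(prev) | set(cur), key=ip_address):
        if ip not in prev:                      # a host answered that did not answer last round
            ports = ",".join(str(p) for p in sorted(cur[ip].services))
            events.append(ChangeEvent("host_up", ip, detail=f"os={cur[ip].os_guess} ports={ports}"))
            continue
        if ip not in cur:                       # a host stopped answering
            events.append(ChangeEvent("host_down", ip))
            continue
        before, after = prev[ip].services, cur[ip].services
        for port in sorted(set(before) | set(after)):
            if port not in before:
                events.append(ChangeEvent("port_opened", ip, port, after[port]))
            elif port not in after:             # closed, or now filtered by a firewall change
                events.append(ChangeEvent("port_closed", ip, port, before[port]))
            elif before[port] != after[port]:   # same port, different service seen
                events.append(ChangeEvent("service_changed", ip, port, f"{before[port]} -> {after[port]}"))
    return events


def query_hosts(snapshot: Snapshot, ports: Iterable[int] = (), os_contains: Optional[str] = None) -> List[str]:
    """Portal-style filter: hosts with ALL the given ports open whose OS guess contains the text."""
    wanted = set(ports)
    hits = [ip for ip, prof in snapshot.items()
            if wanted <= set(prof.services)
            and (os_contains is None or os_contains.lower() in prof.os_guess.lower())]
    return sorted(hits, key=ip_address)


def alert_lines(events: Iterable[ChangeEvent]) -> List[str]:
    """Render change events as one-line messages of the kind an SMS/email alert would carry."""
    lines = []
    for e in events:
        where = f"{e.ip}:{e.port}" if e.port is not None else e.ip
        lines.append(f"[{e.kind}] {where} {e.detail}".rstrip())
    return lines


# Constructed sample rounds over 192.0.2.0/28 (RFC 5737 documentation range).
BLOCK = "192.0.2.0/28"
ROUND_1: Snapshot = {
    "192.0.2.10": HostProfile("Linux", {22: "ssh", 80: "http", 443: "https"}),
    "192.0.2.11": HostProfile("Windows", {443: "https", 3389: "rdp"}),
    "192.0.2.12": HostProfile("Linux", {80: "http"}),
    "192.0.2.14": HostProfile("Linux", {25: "smtp"}),
}
ROUND_2: Snapshot = {
    "192.0.2.10": HostProfile("Linux", {22: "ssh", 80: "http", 443: "https", 8080: "http-proxy"}),  # new listener
    "192.0.2.11": HostProfile("Windows", {443: "https"}),                       # 3389 no longer reachable
    "192.0.2.12": HostProfile("Linux", {80: "nginx"}),                          # service on 80 changed
    "192.0.2.13": HostProfile("Linux", {22: "ssh", 80: "http", 443: "https"}),  # host went live
    "198.51.100.5": HostProfile("Linux", {443: "https"}),                       # outside the block, ignored
}

if __name__ == "__main__":
    for line in alert_lines(profile_delta(ROUND_1, ROUND_2, BLOCK)):
        print(line)
    print("Linux with 80+443 open:", query_hosts(ROUND_2, ports=(80, 443), os_contains="linux"))
```

Keeping the comparison scoped to the block is the point of profiling ranges rather than named hosts: a new address inside the range shows up as `host_up` with no one having registered it first, and a port that disappears is reported as a change even when it was a firewall rule rather than the host that moved.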

Obviously, our edgescan API can also be used to query this information without using the GUI.

Alerting is also configurable such that DevOps staff can be alerted when defined incidents take place.

HIDE gives edgescan clients the ability to monitor and profile systems, and alerts them of any changes to their estate profile within minutes.

Security done wrong and blowing the not to secure your business

The State of Cyber Security:

We don't want a 15-year-old breaching our systems, stealing data and taking 13% off our share price as a result..... hmm, I think not. If I wanna be hacked, the hacker has got to be elite, like an uber hacker, right!!

It is strikingly obvious that security is still weak for both the large enterprise and smaller organisations alike. Take TalkTalk, hacked by a 15-year-old, for example...

We live in a world where multi-million euro businesses can be drastically hit by ANYONE with the will, determination and curiosity. I sh*t you not!!

Poor practices we accept in the industry

Yearly security testing on sites & systems that change frequently

We perform annual testing of our systems, in a time-limited manner. Our systems are in a constant state of flux (for the reasons below), but we still only do the annual security test.

See anything wrong here? Three words for you... Window Of Exposure.
  • Changes in code

Changes in code happen more frequently; we are more "Agile" than ever. We push code frequently and spread the risk of dev failure, as opposed to hoping everything works at the end of the project. The more we change, the less valuable our previous security report is. Within days of a security test the value of the report is degraded, because the system has changed since the report was written. With this in mind, as change occurs and no security verification is done, our window of exposure grows.

  • Changes in the supporting environment.

We patch systems where we can, as per our patch management policy, but this is never as easy as it sounds. Patching live systems can have negative effects on the hosted systems. Patches can break stuff!! So we don't patch as often... We are secure one day, and the next we have a vulnerability, because it has just been discovered and made public knowledge. Annual testing does not scale to the dynamic nature of the systems we manage and own.

Automate everything

  • Highly automated testing is weak: there are many aspects of web data flow which break automation and reduce coverage.
  • Highly automated solutions can impact or harm live systems, e.g. submission of thousands of emails/tickets, degraded performance, exhaustion of system resources.
  • Highly automated solutions can submit sensitive web forms and corrupt data or system state.
  • Many vulnerability scanners submit invasive tests which appear idempotent but, in the context of the system, are very destructive.
  • Un-tuned automation can result in DoS (Denial of Service) issues. Many scanners are excessively aggressive when scanning.

Risk is not linear

  • Automation does not understand risk.
  • Risk is a human concept and needs to be assessed by humans.
  • Not all vulnerabilities are equal; severity depends on the logical context and on where a given type of vulnerability is situated.

Secure the WebApp

  • Developer Code Only

Is a web application only developer code? It appears from various studies that circa 90% of an average web application is framework/component code, not written by the developer at all. Focusing on developer-written code alone is not application security!!

  • Component Security

As an industry we don't talk much about the 90% of code running our web applications which we did not develop... funny that. Without component security you are not doing application security.

Like, do we maintain components/frameworks the way we patch OSs?? - No hope.
Do we have a component security policy the same way we have a patch management policy? - Nope.

  • OS Security

65% of vulnerabilities are due to poor patching, misconfiguration or deprecated services. Yep, 65% of vulnerabilities (edgescan vulnerability stats report 2015). "Hackers don't give a sh1t", so if you have focused on web app security only, they shall come in via the OS! Makes sense?

  • We use SSL - (yes, I've said it) - People still say this. No idea why, given SSL v2 and v3 are broken!!

  • We use a WAF - (again, more bullsh*t). Logical vulnerabilities and behavioural weaknesses, that's where the money is anyway!! Your WAF don't mean diddly on its own, as it only detects technical attacks, not logical weaknesses.

edgescan is a cloud-based continuous vulnerability management service. It is a highly accurate SaaS (Security-as-a-Service) solution which helps clients to discover and manage application and network vulnerabilities (full-stack information security) on an ongoing basis. All vulnerabilities are verified by our security analysts which results in accurate, false-positive free vulnerability management. edgescan has been recognised by Gartner as a “Notable Vendor” in the Magic Quadrant for Managed Security Services 2015.

Wednesday, August 26, 2015

Risk - Medieval approaches to AppSec

Vulnerability management involves a little more than finding security issues in code and/or hosting systems...... I find that much of the industry does not understand that vulnerability management, penetration testing, threat detection, endpoint detection, malware prevention and even anti-virus services and tools are about managing risk.
Managing risk is about reducing it to a suitable level, based on the cost of reducing it in the first place. There is no point in spending lots of time and effort on issues which have little impact or which are very unlikely. Firstly, what we want is to reduce the impact of the stuff which has a decent chance of occurring and would be a real pain in the ass if it happened; it would disrupt our business etc.
"A situation involving exposure to danger..."
So blindly throwing tools at a problem to help discover risks to your business is not going to work.... but why??
  • Tools don't understand risk: automated tools cannot give you an idea of risk. They find technical bugs, which manifest themselves as security vulnerabilities if they introduce the potential of risk. A tool does not understand what a risk is in the context of "a situation involving exposure to danger...". Tools find bugs. - Blessed are the tool makers who hand-craft the tools of the interweb to detect systems unworthy of the title "secure". - Nobody expects the Spanish Inquisition!!
  • People will not understand risk without understanding what is at risk: to understand a potential risk faced by a system, the individual making the risk-based decision needs to understand the system. The fact remains that most security folks don't have time to understand what the system is/does and therefore can't apply a reflective, relative risk assessment. - "The oldest and strongest emotion of mankind is fear, and the oldest and strongest kind of fear is fear of the unknown"
  • Tools may discover risk in a risky way!!: Many security assessment tools are not designed, out of the box, to be production safe. Production-safe testing requires rule tuning such that detection of technical vulnerabilities does not invoke invasive or disruptive tests. We don't want our assessment methodology to damage our sick patient. - "Our chief weapon is surprise, fear and surprise; two chief weapons, fear, surprise, and ruthless efficiency! Er, among our chief weapons are: fear, surprise, ruthless efficiency, and near fanatical devotion.."
  • Risk-based approach - Really?? Wow!: All risk management is based on, er, um, risk. If you hear someone talking about "a risk-based approach" when discussing application security, ask them "what is the risk of a kick in the ass?" or "What other approaches are there?" - "A ship is always safe at the shore - but that is NOT what it is built for."
Vulnerability is the state of being open to injury...
  • All vulnerabilities are not created equal: the bottom line is how open are you to the possibility of said injury? How bad can the injury be? We don't need to fix all the bugs, just the ones that matter (those which may injure the business or your clients). To understand "what matters" you need to understand the context of the issue. Tools alone can't do this, that's why we developed

Thursday, April 16, 2015

Security as a Service / MSS.....Why?

A number of factors are driving the need for managed security services (MSS), namely expertise, cost and consistency.

Key concerns when considering an MSS should include the following:

Cost: The cost benefits of using some MSS providers may appear a very attractive proposition.
An MSS gives a company deep security expertise without the associated cost of full-time employees.

For example, our edgescan™ service gives our clients access to our security engineering team, who manage the security posture of their assets. A managed service should give you the ability to reduce your capital expenditure and control your security spend without sacrificing quality.
Using an MSS, you can maintain your security posture while reducing overall cost of ownership.

Accuracy: Security is about covering all the bases; a defender needs to manage all vulnerabilities, whilst an attacker needs to exploit only one (vulnerability).

Accuracy covers two aspects of MSS:
  1. Firstly, the ability to detect and manage discovered vulnerabilities with confidence.
  2. Secondly, reducing the time required by the business to patch, fix or configure, thanks to the quality of the vulnerability information delivered by the MSS provider.

For example, our clients value the hybrid approach we have to vulnerability management which involves human validation of every discovered vulnerability and results in virtually “false positive free” security intelligence.

Your MSS should provide you with accurate, actionable security information.

Compliance and continuous management

Threat and vulnerability management, and meeting compliance requirements via 24/7 security assessment, remain the primary drivers for considering an MSS.
Your MSS should assist with demonstrating compliance and continuous improvement via management information dashboards and extensible API calls for integration into your technology "stack".

An MSS can also assist you in reallocating existing resources to other security areas, or where you need to engage deeper or broader expertise than is available in-house.
Your MSS should address requirements where you don't have in-house expertise.

edgescan is a managed security service developed, managed and delivered by BCC Risk Advisory. It is a cloud-based vulnerability management platform which helps clients discover and manage system vulnerabilities on an ongoing basis.

It significantly reduces the cost of ownership while increasing cybersecurity resilience.
edgescan provides continuous vulnerability assessment coupled with a customised reporting portal and API set, to help you understand what vulnerabilities your business faces.

edgescan assesses the security of both web/mobile applications and associated servers, or indeed any deployed systems, giving you “full-stack” vulnerability management.

Tuesday, April 14, 2015

Red Herring European Top 100 & edgescan v3.0

Our edgescan managed penetration testing service today announced it has been selected as a Finalist for Red Herring's Top 100 Europe award, a prestigious list honouring the year's most promising private technology ventures from the European business region.

The Red Herring editorial team selected the most innovative companies from a pool of hundreds from across Europe. The nominees are evaluated on 20 main quantitative and qualitative criteria, including disruptive impact, market footprint, proof of concept, financial performance, technology innovation, social value, quality of management, execution of strategy, and integration into their respective industries.

This unique assessment of potential is complemented by a review of the actual track record and standing of a company, which allows Red Herring to see past the “buzz” and make the list a valuable instrument for discovering and advocating the greatest business opportunities in the industry.

Being a Red Herring Europe Top 100 finalist has confirmed to us that our solution is viewed as a strong contender in the vulnerability management marketplace and solves a very common problem in a unique and robust way.

"This year was rewarding, beyond all expectations" said Alex Vieux, publisher and CEO of Red Herring. "There are many great companies producing really innovative and amazing products in Europe. We had a very difficult time narrowing the pool and selecting the finalists. BCC Risk Advisory shows great promise and therefore deserves to be among the finalists. Now we’re faced with the difficult task of selecting the Top 100 winners of Red Herring Europe. We know that the 2015 crop will grow into some amazing companies that are sure to make an impact."

edgescan v3.0 - soon to go live:

Major improvements of edgescan 3.0 include:
  • Better integration of third-party tools and products – an API (application program interface) extension allows users to integrate via JSON, XML, AVDL and CSV.
  • An API which now allows integration with third-party GRC and bug tracking tools, supported by a rich query language and customisable metrics.
  • Configurable vulnerability alerting – users can set up and receive alerts via email and SMS to keep up to date with vulnerability scans. In addition, so-called asset delta alerts inform customers when servers go down or are newly introduced, when a port or system has been enabled without knowledge, or when a vulnerable system/service is exposed to the Internet.
  • Improvements in scheduling – users benefit from improved visibility of defined vulnerability testing schedules and a calendar control that displays them.
  • Multi-factor authentication (MFA) is available for all users.
  • Better user experience – a new dashboard user interface facilitates dynamic graphing and visualisation, as well as "one-click" image capture for reporting.

v3.0 Administration Dashboard: to be deployed as "edgescan Lite" in 2015

More about edgescan on