An Online Gaming Company

With 100+ web-facing applications in deployment, this firm required continuous, authenticated assessment of a sprawling global attack surface.

 

About the Client

This enterprise carries a high level of threat exposure by nature: its products and services are delivered entirely online in a rolling user experience via dozens of web-facing applications that together make for a varied and intricate attack surface. The client’s internal security team sought a vulnerability management service that would yield a list of actionable findings, free of false positives, which they could assign and remedy internally.

Once security gaps were addressed, the firm required regular assessment of the adjusted security posture as well as retest-on-demand capability. The security team also sought a specific authenticated assessment that could simulate an attacker with valid credentials attempting a security breach on both desktop and mobile web applications.

 

About Edgescan

Edgescan offers a continuous security testing and unified exposure management SaaS platform that manages thousands of assets across the globe for both enterprise and SME clients, helping them to continuously detect, prioritize, monitor, and fix security weaknesses for all web-facing and internal systems including web applications, websites, mobile apps, servers, firewalls, VPNs, or VoIP services. A team of analysts validates every vulnerability discovered on an assessment, creating a multi-step verification process for a solution that’s highly accurate and virtually free of false positives.

With Penetration Testing as a Service (PTaaS), Edgescan probes and challenges the attack surface of the client’s assets with both the breadth of automation and the focused depth of expert human testers.

 



Onboarding

The client was set up with API and Jira plug-ins in order to directly integrate Edgescan’s verified vulnerability data into their own systems, accessed through a dashboard that doubles as a base of operations for their updated security plan. Then Edgescan went to work, rating each web-facing application for vulnerability and systemic importance to deliver risk-rated findings on where the firm’s most critical security gaps were identified, at which point the internal team could begin the remediation process for those threats on a priority basis.

 

Test and Retest

With this challenging exposure profile, the attack surface requires constant monitoring with authenticated vulnerability assessment for the 100+ web applications under management. This includes Penetration Testing as a Service (PTaaS), a hybrid solution that combines the breadth of automation with the depth of human assessment from a battle-hardened team of security experts with industry accreditations such as CREST, OSCP, and CEH. Their deep experience provides critical insight that dovetails neatly with the breadth and scope of the platform’s automated penetration-testing services.

Integrated with Edgescan’s advanced vulnerability management service, this system can automatically validate risk, then rate those threats against a suite of risk databases to prioritize remediation and ensure critical exposures are addressed first. Assessments occur on both a scheduled and an ad-hoc basis, as required by the client.

 

Outcome

Within the first seven days, Edgescan discovered and validated 55 high-risk vulnerabilities, publishing them in the dashboard for the client’s review. The internal security team then addressed those security gaps over the following months, and in each case, Edgescan verified the effectiveness of the firm’s remediation tactics. With a new security posture in place and continuous re-assessments of the web-facing assets underway, the client could have new confidence in the hardiness of the expansive attack surface and could request a specific re-assessment of any or all assets at any time in the interest of maintaining that secure posture.