In addition to helping the world deal with pandemics like COVID-19, the CDC recommends that you get annual health checkups. For many this is a way to prevent illness or catch potential problems before they become too bad. Taking a page from personal health and applying it to the health of your IT infrastructure means that you should consider annual checkups for security vulnerabilities as well. The corollary for a Chief Information Security Officer (CISO) is a security assessment.
What is a security assessment?
Security assessments are to IT what annual health checkups are to the average person. According to CIO Magazine:
“A security assessment is a request to analyze the risk of an IT solution. The request is initiated by a CISO (Chief Security Officer) or ISO (Information Security Officer) within a corporation. It is used to make sure that security concerns are met before changes are made to the information technology infrastructure. There are foundation plans which evaluate the state of new applications or infrastructure. Or there are incremental plans that address changes to the foundation plan.”
Once an assessment is complete, you will get a risk summary that is usually separated into two categories:
- Inherited Risks: these risks come from the standard libraries and utilities that many programs depend on. For example, if your program relies on Active Directory (AD) and a vulnerability is discovered in AD, then your program by definition inherits that vulnerability.
- Non-inherited Risks: these vulnerabilities are the result of poor coding or testing practices and are found in the code and processes your own teams have produced, as opposed to inherited risks.
Of paramount importance is a recognition that not all security vulnerabilities and risks are created equal. So, the likelihood that you may need six assessments instead of just one is high.
The 6 types of real world security assessments
Not all security assessments are created equal. Ultimately you will need to target a specific area for maximum impact. The six areas of focus and their corresponding considerations include:
- Applications: Securing software for web, client, and server applications requires modeling systems like an attacker would and pinpointing areas of weakness that can be exploited. You will need to provide secure code reviews and web application penetration testing to identify security bugs and flaws while helping development teams rapidly remediate any discovered issues.
- Internet of Things (IoT): The Internet of Things (IoT) presents its own unique set of security challenges and requires a broad skill set for assessing. You should aim to secure your IoT devices and corresponding infrastructure through source code reviews, dynamic software and hardware testing, forensic analysis, and reverse engineering.
- Networks: Your on-premise, cloud, and hybrid network environments are under continuous attack. So, your network security assessments should explore the digital footprint of the organization and rigorously test your organization’s defenses and their ability to withstand attacks.
- Mobile: Your mobile assessments should explore how an application can expose security and privacy concerns for users and determine how to prevent these issues from happening. You will need a partner that specializes in iOS and Android security and focuses on discovering how security controls can be circumvented in order to breach client-side and server-side defenses.
- Cloud: In order to successfully maintain secure cloud software infrastructures, as well as guide teams into the cloud securely, you will need a partner that has deep expertise with AWS, Azure, and GCP and supports multi-cloud deployments.
- Cloud Native: Building systems the Cloud Native way offers security opportunities as well as new challenges. You should perform security testing and help protect Kubernetes, Docker, and the microservices that power your software.
A security assessment should go beyond just identifying security defects. You should expect help with meaningfully triaging and fixing the vulnerabilities discovered during testing. When selecting a vendor, look to see if they provide exceptional remediation advice that is specific, actionable, and aimed at reducing the engineering overhead typically associated with mitigating security issues in each unique area of assessment.
Identifying weakness before it's too late
Why chance being the next headline that announces a breach in your security? Can you really afford the negative impact on your brand on top of the cost of the security breach? As a wise person once said, “An ounce of prevention is worth a pound of cure.”
nVisium leverages a testing methodology that is both comprehensive and targeted. We integrate with your team’s existing development processes to help build a more robust software security program within your organization. Each member of our team has an extensive background in both software engineering and security. We have expertise in Java, .NET, Node, Angular, Ruby, Python, Scala, iOS, Android, AWS, Azure, and more. We stand by our work and take great pride in developing security solutions for our clients. Additionally, nVisium provides a fully managed platform for tracking and measuring performance as well as instructor-led and online training.
nVisium empowers organizations to eliminate application and cloud security vulnerabilities before cyber threats exploit them with proven in-depth security assessments, remediation and training programs. Call us when you are ready for security assessments to test the vulnerability of your applications, Internet of Things (IoT), networks, mobile and cloud. Schedule a demo today.