Security Brigade InfoSec Pvt. Ltd.


Monday, 20 May 2013

An Introduction to Security Brigade
Expert-Driven Manual Information Security Services

B/20 3rd Floor, Everest Building, Tardeo Road, Mumbai
P E contactus@securitybrigade.com

About Security Brigade

Our Mantra: Great audits are done by great auditors, not expensive tools.

Security Brigade was founded in 2006 specifically to cater to customers looking for manual application security services that cover both technical and business-logic testing. Automated tools are great, and we could not do our jobs well without them; however, they are only one piece of the puzzle. For us, the real value of an audit comes from:

- Integrating tools and automation to maximize auditor efficiency and eliminate unintelligent tasks
- Building strong processes that let auditors focus only on tasks where their involvement adds direct value
- Using our workflow-driven audit management system to ensure sustained quality through approvals, reviews and benchmarks
- Delivering reports that do not just fill pages but deliver real, long-term value to developers and administrators
- Ensuring a fast turnaround from audit to fix in production by providing secure code and configuration examples

A Quick Summary

- Founded in 2006, Security Brigade is based in Mumbai, India and delivers services to customers on five continents
- Our core competency is Network, Mobile and Web Application Security
- CERT-In empanelled security auditor since April 2009

Some of Our Clients

If reputation comes from the company you keep, then judge for yourself:


Service Portfolio

- Vulnerability Assessment
- Penetration Testing
- Web Application Security
- Mobile Security
- Source Code Security Review
- Architecture Security Review
- Security Configuration Review
- Security Certification
- Dedicated Security Resource Management

Core Differentiators and Value Adds

As a company we tend to ignore the norm and approach things based on the value delivered. The following are some of the unique ways in which we add significant value for end customers.

Reports with Detailed Fix Information

Our security audit reports are different in a number of ways:

1. Fix information with code examples is given for the customer's specific platform and environment. So if the customer has a SQL injection in their PHP + MySQL website, we will give them code examples showing how to securely fix this issue in PHP + MySQL.
2. Step-by-step proofs of concept are given for each issue. This enables the customer's team to thoroughly understand and reproduce the issue independently.
3. Reports do not contain generic copy-pasted text. Each report is written specifically with the customer's application and network in mind to ensure maximum relevance to their situation.
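To make point 1 concrete, here is an added example of what a platform-specific fix for a SQL injection finding in a PHP + MySQL application looks like: the vulnerable query built by string concatenation beside the corrected version using a PDO prepared statement. This is illustrative code written for this page, not Security Brigade's report material. It assumes an invented users table, and uses PDO so the same two functions run unchanged against MySQL (a mysql: DSN) and, for the offline demo below, an in-memory SQLite database standing in for MySQL.

```php
<?php
// Added example, not from the brochure. Demonstrates a SQL injection fix in PHP.
// PDO is used so the same code works against MySQL ("mysql:host=...;dbname=...")
// and, for this offline demo, an in-memory SQLite database (assumption: SQLite
// stands in for MySQL). The users table and its columns are invented.
declare(strict_types=1);

function setupDemoDb(): PDO {
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    // For a real MySQL connection, additionally pass
    // PDO::ATTR_EMULATE_PREPARES => false so parameters are bound server-side.
    $db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password_hash TEXT)');
    $db->exec("INSERT INTO users (username, password_hash) VALUES ('alice', 'hash-a'), ('bob', 'hash-b')");
    return $db;
}

// BEFORE (vulnerable): user input is concatenated into the SQL text, so the
// attacker controls part of the query grammar, not just a value.
function findUserVulnerable(PDO $db, string $username): array {
    $sql = "SELECT id, username FROM users WHERE username = '" . $username . "'";
    return $db->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// AFTER (fixed): a prepared statement with a bound parameter. The value is
// sent separately from the SQL text and can never be parsed as SQL.
function findUserFixed(PDO $db, string $username): array {
    $stmt = $db->prepare('SELECT id, username FROM users WHERE username = :username');
    $stmt->execute([':username' => $username]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

$db = setupDemoDb();
$payload = "' OR '1'='1";   // classic tautology payload (constructed test input)

$leaked = findUserVulnerable($db, $payload);  // WHERE username = '' OR '1'='1' -> every row
$safe   = findUserFixed($db, $payload);       // looks for that literal username -> no rows

printf("vulnerable query returned %d rows, fixed query returned %d rows\n",
       count($leaked), count($safe));
```

Run with `php sqli_fix_demo.php` (assumed file name); the vulnerable function returns both rows because the payload closes the string literal and appends an always-true condition, while the fixed function returns none because the whole payload is treated as an ordinary username value.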

Intelligent Automation with Integration of Commercial, Open-Source and Proprietary Tools

Most auditors rely on a single automated tool for every audit. However, networks and applications today are far too complicated for a single tool to do them justice. Our Intelligent Automation Platform works as follows:

1. The platform automatically profiles the target and records key criteria about the network or application (such as whether the website is Ajax- or Flash-heavy, or whether the network uses Lotus Domino servers or Cisco devices).
2. Based on the profile that is created, it intelligently shortlists the tools that work best with those platforms, based on internal benchmarks and past experience.
3. An auditor approves the tools and commands, which are then executed by the platform. The results are correlated, cross-referenced and presented to the auditor as a simplified, consolidated view.

Manual Business Logic and Workflow Testing

Most companies refer to manual testing as part of their process, but they are only talking about removing false positives. Applications today contain a significant amount of business logic and workflow, and these areas cannot be tested thoroughly with tools.

1. We go through the complete application and map its modules, sub-modules, pages, parameters, data flow and workflow.
2. Based on this information, we prepare test cases for all possible abuse scenarios for each component.
3. These abuse scenarios are executed and reviewed, and each issue is marked TRUE (exploitable) or FALSE (not exploitable).
4. This process lets us identify significant critical vulnerabilities that automated mechanisms cannot find.

Deliverables For A Security Audit

Executive Presentation
- High-level summary of issues
- Key metrics and analysis
- Impact and root cause analysis
- Action items for remediation

Detailed Technical Report
- Detailed proofs of concept
- Fix information with source code and configuration examples
- Specific to your network and applications

Excel Fix Tracker (Issue & Fix Tracker)
- Track fix status of issues
- Manage timelines for fixes
- Manage responsibilities for fixes
- Summary of action items

Free Demo or POC Audit for Evaluation of Services

You Provide
- Public link to website
- Time window for activity

We Conduct
- Non-intrusive audit
- Identify a few critical issues
- Identify business logic issues
- Highlight the impact of issues

You Gain
- Live demos
- Business impact
- Our report
- Validation of existing security controls
- Demonstrable need for security audits

Conducting a free proof-of-concept audit is one of the strongest tools for demonstrating our competency and differentiation, as it very clearly shows the need for, potential business impact of, and value of our services.

- It requires no commitment from the customer; we only require a link and a timeframe (if any)
- It takes less than one hour of manual effort on our end, and the report can be delivered within one day
- It demonstrates high-impact vulnerabilities with screenshots of data and other sensitive areas we can access

Engagement and Pricing Models

One Time Model
- Scope: Single audit
- Billing: One-time pricing based on the SoW
- Benefits: Ideal for customers that are only interested in a single engagement

On-Demand Model
- Scope: Fixed pricing for a group of applications to be audited on demand
- Billing: As per utilization, billed monthly
- Benefits: Ideal for customers with a dynamic environment where new applications are released frequently

Annual Security Package
- Scope: Fixed package of services on an annual basis delivering end-to-end security
- Billing: Fixed annual pricing, billed quarterly
- Benefits: Ideal for customers looking for an end-to-end security solution

Service Level Agreements

To offer maximum assurance to our customers, we try to meet any and all reasonable SLA requests. Our standard SLA offered to customers is given below.

Standard SLA Guarantee and Penalty Clause

On completion of our services, the customer may at its sole discretion have the services verified by a third party. If the third party is able to identify additional vulnerabilities labeled Critical or High Risk in comparison to our security audit, we will be liable as follows:

- 0-10% additional Critical/High issues found: no refund (accepted margin of error)
- 10-20% additional Critical/High issues found: 25% refund of service fees
- 20-30% additional Critical/High issues found: 50% refund of service fees
- More than 30% additional Critical/High issues found: 100% refund of service fees

Terms and Conditions

1. The third-party audit must be conducted under conditions identical to those at completion of our engagement, including web applications, application servers, firewalls, IDS, IPS, proxies and any other factors directly or indirectly affecting the audit.
2. Any changes made to the web application, firewalls, IPS/IDS or any other factors directly or indirectly affecting the target system or web applications since completion of our services must not be included in the third party's scope of work. Any vulnerabilities arising as a direct or indirect result of these changes will not be considered in relation to this penalty.
3. Claims made by the end customer and vulnerabilities identified by the third party under this penalty clause must be verifiable and confirmed by our technical team.

Thank You! Please do reach out to us for more details.

Mumbai Office
B/20 3rd Floor, Everest Building, Tardeo Road, Mumbai, Maharashtra - India
Telephone:
mumbai@securitybrigade.com

Italy (Sales Office)
Telephone:
pisa@securitybrigade.com

USA (Sales Office)
Telephone:
usa@securitybrigade.com