Launched in 2015, Yapster runs a mobile communications platform in AWS to align and inspire hard-to-reach colleagues. With 800,000 users and over 500,000 messages sent per month, the platform is going from strength to strength.
As an innovative business new features were being introduced on a weekly basis as they were aiming to compete with market leaders. The cyber security team had high standards and mandated a penetration test was a prerequisite before every release.
As part of our scoping process we analysed Yapster’s agile devsecops pipeline and estimated the amount of days needed per annum. Initial projections quickly reached an investment outside of the current budget. The customer saw the need to take a new approach to security testing and asked for our input in devising a plan that would offer ROI without compromising their cyber posture.
Whilst Penetration Testing is a proven method to discover vulnerabilities within an organisation’s external systems, regardless of how thorough a penetration testing engagement may be, it is limited to a snapshot in time. A system that may be considered secure today may be found to be vulnerable to a critical security issue tomorrow. The Continuous Security Testing managed service is designed to run alongside an existing penetration testing program to ensure security vulnerabilities don’t go unchecked between engagements.
Continuous Security Testing combines manual penetration testing activities, delivered by qualified penetration testers on an ongoing basis, with additional automated security testing. This ensures that online assets are continuously assessed for vulnerabilities and alerts raised when issues are detected. Many companies perform in-house vulnerability scanning. However, automated solutions have two key challenges to ensuring a successful scanning program: interpreting the results and ensuring scan quality.
- Analyse the predefined scope given by the client to determine omissions and system changes overtime, such as new systems, services and applications being added.
- Test exposed applications, infrastructure, and cloud assets known vulnerabilities, missing patches, and security misconfiguration.
- Deep-dive into exposed applications to determine vulnerabilities introduced through bespoke systems such as those covered by the OWASP Top 10, which includes safe exploitation of complex issues such as SQL Injection and Cross-site Scripting to eliminate false positive findings.
- Report findings continuously in vulnerability alerts to eradicate the usual delay caused by vulnerabilities only being discovered through standard penetration testing.
- Find out about critical vulnerabilities as soon as possible.
- Keep your organisation informed through monthly digests of new vulnerabilities that highlight successful remediation work.
Specific AWS services in scope included:
Results and benefits
Not only did the customer see a business benefit in Claranet testing and reporting 24x7 / 365 their security approach was never compromised. Claranet’s CST team are now seen as an extension of Yapster’s cyber security personnel. The reduced mean time to detection from months to minutes allowed the development team to meet release deadlines more frequently. As vulnerabilities are reported in real time, fixes can be applied at any time.
The Continuous Security Testing managed service addresses these challenges by employing a team of Penetration Testers to manage the testing process and analyse vulnerabilities as they are found. The team provides concise and detailed vulnerability alerts along with regular reporting of your security posture. Continuous Security Testing will also alert you when changes are detected within the environment to ensure maximum coverage of the attack surface.
- Gain insight into vulnerabilities significantly faster than through traditional penetration testing with vulnerability notifications as new high-impact issues arise.
- Supplement the team with security experts who provide dedicated vulnerability guidance, information on real-world risk, and remediation advice.
- Meet compliance requirements which call for regular security testing.
- Make security testing a continuous process to allow for on-going security, instead of an annual obstacle to the business