Concerned that your applications are adding risk to your network? You should be. According to the SANS 2016 State of Application Security survey, 41% of the companies surveyed named public-facing web applications as the leading cause of breaches.
If you conduct in-house development or need to make sure your vendors aren’t polluting your network with poorly written code, AnchorPoint’s AppSec-as-a-Service solution is for you.
We help small and mid-sized organizations that lack the time and trained staff needed to mitigate application-related risk by BECOMING your application security program.

How does it work?
Our service is delivered through Veracode’s application scanning technology, with every result manually reviewed by application security experts. You get an actionable report from each code review that your developers can use to fix vulnerabilities immediately. Our experts engage directly with your dev team to walk them through anything that is unclear.
The result
You reduce rework, which reduces cost. More security flaws are caught on the first iteration, which shortens project duration and keeps your customers happy. You stop exposing vulnerabilities to the world because a proper AppSec program wasn’t in place. The total cost of each sprint or project drops because security is built into your SDLC.
Overview
You need to add ongoing, automated scanning to protect your application infrastructure, without hiring more consultants or installing more servers and scanning tools. Manual penetration testing should be a supplement to ongoing scans, not a replacement for them.
AnchorPoint’s experts follow a phased approach to launch your program and then transition to continuous monitoring for the remainder of your subscription:
Initial Launch
Phase 1 – Conduct a complete application inventory.
Phase 2 – Quickly mitigate risk by feeding scan intelligence directly to your Web Application Firewalls (WAFs).
Phase 3 – Conduct deep, credentialed scans of the password-protected areas of the application and feed that intelligence to the WAFs as well.
Phase 4 – Deploy and run a Virtual Scan Appliance (VSA) in your QA environments to help protect against insider threats such as the intentional or unintentional inclusion of a “back-door”.

Continuous Monitoring Cycle
Before
During the initial code development phase, experts recommend code-level analysis via SAST, in addition to best practices such as secure architectural design and threat modeling. Addressing security during the development phase of the SDLC produces stronger application security at lower cost.
During
Both SAST and DAST are typically used in pre-production testing (during the QA phase). For highly critical applications, manual penetration testing is also recommended. Our solutions integrate with widely used WAFs such as Radware and Imperva so you can quickly mitigate vulnerabilities via virtual patching. Virtual patching buys time; the underlying code flaw still has to be fixed and re-tested.
Dynamic Application Security Testing (DAST) tests applications in a running state by probing their exposed web interfaces from the “outside in.” For this reason, it is often called “black box” testing. DAST typically looks for vulnerabilities such as SQL injection and cross-site scripting, as well as issues that only surface when the application is running, such as authentication vulnerabilities and server misconfiguration errors. It’s important to test both credentialed and anonymous access, since some vulnerabilities are invisible to an unauthenticated attacker but show up as soon as the scanner logs in as a known user. Black-box testing is more representative of how an outside attacker will behave, but it takes longer to run and cannot exercise all data and control paths through the application the way SAST does.
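The credentialed-versus-anonymous point is easy to see in code. The following is an added example, not code from the page or from AnchorPoint or Veracode: a toy WSGI application (the paths, the `session=4f1c9e2a` cookie value and the reflected-parameter bug are all constructed for the example) and a minimal DAST-style probe that injects a harmless marker into a query parameter and reports where it is reflected without HTML encoding. The scanner drives the application through a hand-built WSGI environ instead of a socket so it runs offline.

```python
"""Credentialed vs. anonymous DAST, as a runnable toy.

Assumptions (all constructed for this example): the target is a tiny WSGI
app with a public /search page and a login-protected /admin/notes page, and
a valid session is any request carrying the cookie below.
"""
import html
from io import BytesIO
from urllib.parse import parse_qs, urlencode

VALID_SESSION = "session=4f1c9e2a"  # constructed session cookie, not a real value


def toy_app(environ, start_response):
    """Target application. /search escapes its input; /admin/notes does not,
    but /admin/notes is only reachable with a valid session cookie."""
    path = environ.get("PATH_INFO", "/")
    params = parse_qs(environ.get("QUERY_STRING", ""))
    q = params.get("q", [""])[0]
    cookie = environ.get("HTTP_COOKIE", "")

    if path == "/search":
        body = "<h1>Results for %s</h1>" % html.escape(q)
        start_response("200 OK", [("Content-Type", "text/html")])
        return [body.encode()]

    if path == "/admin/notes":
        if VALID_SESSION not in cookie:
            start_response("302 Found", [("Location", "/login")])
            return [b""]
        # Reflected XSS: q is inserted into the page without escaping.
        body = "<h1>Notes matching %s</h1>" % q
        start_response("200 OK", [("Content-Type", "text/html")])
        return [body.encode()]

    start_response("404 Not Found", [("Content-Type", "text/plain")])
    return [b"not found"]


def wsgi_get(app, path, query, cookie=None):
    """Minimal WSGI client: issues a GET and returns (status, body_text)."""
    environ = {
        "REQUEST_METHOD": "GET",
        "PATH_INFO": path,
        "QUERY_STRING": urlencode(query),
        "SERVER_NAME": "localhost",
        "SERVER_PORT": "80",
        "wsgi.input": BytesIO(b""),
        "wsgi.url_scheme": "http",
    }
    if cookie:
        environ["HTTP_COOKIE"] = cookie
    captured = {}

    def start_response(status, headers):
        captured["status"] = status

    body = b"".join(app(environ, start_response)).decode()
    return captured["status"], body


# Harmless but unambiguous marker: if it comes back with the angle brackets
# intact, the parameter is reflected without HTML encoding.
PROBE = "<dast-probe-7f3a>"


def scan(app, paths, param="q", cookie=None):
    """Probe each path's parameter for unescaped reflection.

    Returns the paths that reflect PROBE verbatim. Non-200 responses (such
    as the redirect to /login) are skipped, which is exactly why an
    anonymous scan misses flaws that sit behind authentication.
    """
    findings = []
    for path in paths:
        status, body = wsgi_get(app, path, {param: PROBE}, cookie)
        if status.startswith("200") and PROBE in body:
            findings.append(path)
    return findings


def anonymous_findings():
    return scan(toy_app, ["/search", "/admin/notes"])


def credentialed_findings():
    return scan(toy_app, ["/search", "/admin/notes"], cookie=VALID_SESSION)


if __name__ == "__main__":
    print("anonymous   :", anonymous_findings())     # []
    print("credentialed:", credentialed_findings())  # ['/admin/notes']
```

The anonymous run reports nothing, because the only vulnerable page answers with a redirect to the login form; the credentialed run reaches the page and finds the reflection. A real scanner does the same thing with a recorded login sequence, a crawler and many more payloads, but the gap between the two result sets is the same one a scan policy has to close.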
Since pre-production environments usually sit behind the firewall, we also provide a Virtual Scan Appliance (VSA). The VSA is a locally installed, software-based virtual appliance that provides full DAST capabilities and is fully integrated with our central cloud-based platform. This allows local DAST results to be managed under a single set of policies and reports, alongside automated SAST and manual penetration testing results, to maximize accuracy and minimize false positives.
After
We help deliver ongoing compliance by ensuring that:
Manual penetration testing adds the benefit of human expertise to our Veracode-powered binary static and dynamic analysis, and it applies the same methodology attackers use to exploit weaknesses that scanners handle poorly, such as business logic vulnerabilities.
Reducing false negative (FN) rates in your most critical applications requires a combination of multiple techniques, including Static Application Security Testing (SAST), Dynamic Application Security Testing (DAST), and manual penetration testing.
The cloud-based platform provides a single central location for consolidating results from these multiple techniques, as well as for sharing results across multiple teams and evaluating risk using a consistent set of enterprise-wide policies.
Manual penetration testing and automated scans are two different tools with different use cases. Certain vulnerabilities, such as Cross-Site Request Forgery (CSRF), an OWASP Top 10 (2013) category, are best confirmed manually: a scanner can flag a state-changing form that carries no anti-CSRF token, but only a person can judge whether that request matters to the business and whether forging it actually works.
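To make the CSRF point concrete, here is an added example (not code from the page or from AnchorPoint or Veracode) showing a state-changing handler as a scanner would see it: the vulnerable version next to the same handler protected with a per-session synchronizer token, plus the token-presence heuristic a scanner can apply to a form. The `Session` class, the `/transfer` form, the user names and the balances are all constructed for the example.

```python
"""Synchronizer-token CSRF protection: vulnerable handler beside the fix.

Constructed for this example: a server-side Session holding a per-session
token, a money-transfer handler and an attacker page that auto-submits a
form into the victim's browser (which attaches the victim's session cookie).
"""
import hmac
import secrets


class Session:
    """Server-side session. The CSRF token is minted per session and is only
    ever embedded in the application's own forms, never in a cookie."""

    def __init__(self, user):
        self.user = user
        self.csrf_token = secrets.token_urlsafe(32)


def transfer_vulnerable(balances, session, form):
    """Before: trusts any POST that arrives with the victim's session cookie.
    A form auto-submitted from an attacker's page arrives with exactly that."""
    amount = int(form["amount"])
    balances[session.user] -= amount
    balances[form["to"]] += amount
    return "ok"


def transfer_protected(balances, session, form):
    """After: the POST must also carry the session's token in the form body.
    A cross-origin page cannot read the token (same-origin policy), so it
    cannot build a passing request. compare_digest avoids timing leaks."""
    submitted = form.get("csrf_token", "")
    if not hmac.compare_digest(submitted, session.csrf_token):
        return "rejected: missing or invalid CSRF token"
    amount = int(form["amount"])
    balances[session.user] -= amount
    balances[form["to"]] += amount
    return "ok"


def render_transfer_form(session):
    """The application's own form embeds the token as a hidden field."""
    return (
        '<form method="post" action="/transfer">'
        '<input type="hidden" name="csrf_token" value="%s">'
        '<input name="to"><input name="amount">'
        "</form>" % session.csrf_token
    )


def form_has_csrf_token(html_form):
    """Scanner-style heuristic: flag a POST form with no hidden anti-CSRF
    field. It can report the omission; it cannot say what the form does or
    whether forging it matters. That judgement is the tester's."""
    return 'method="post"' in html_form and 'name="csrf_token"' in html_form


def forged_request_vulnerable():
    balances = {"alice": 100, "mallory": 0}
    victim = Session("alice")
    forged = {"to": "mallory", "amount": "50"}  # attacker's form, no token
    return transfer_vulnerable(balances, victim, forged), balances


def forged_request_protected():
    balances = {"alice": 100, "mallory": 0}
    victim = Session("alice")
    # The attacker cannot read the victim's token, so the best they can do
    # is guess one.
    forged = {"to": "mallory", "amount": "50",
              "csrf_token": secrets.token_urlsafe(32)}
    return transfer_protected(balances, victim, forged), balances


def legitimate_request_protected():
    balances = {"alice": 100, "mallory": 0}
    session = Session("alice")
    form = {"to": "mallory", "amount": "50", "csrf_token": session.csrf_token}
    return transfer_protected(balances, session, form), balances


if __name__ == "__main__":
    print(forged_request_vulnerable())      # ('ok', {'alice': 50, 'mallory': 50})
    print(forged_request_protected())       # ('rejected: ...', {'alice': 100, 'mallory': 0})
    print(legitimate_request_protected())   # ('ok', {'alice': 50, 'mallory': 50})
```

The heuristic in `form_has_csrf_token` is the automatable part: it spots the missing hidden field. Whether the unprotected action is a money transfer or a newsletter opt-in, and whether the application is otherwise shielded (for example by checking the request's origin), is what the manual tester confirms before the finding is rated.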
We are here to help you understand when to use a penetration test and when to use a different control. For example, relying on a single “annual pen-test” is a poor practice, and our experts will tell you why: its findings go stale as soon as the code changes, and a year is a long time to carry a flaw nobody has looked for. We will show you how to use penetration tests in a way that saves you money and increases security, rather than simply providing check-box compliance.
Our manual penetration testing teams consist of elite security practitioners with real-world experience finding exploitable vulnerabilities that can have the highest impact on your business.
AnchorPoint will teach your developers application security awareness and best practices with comprehensive web-based training delivered via our Veracode cloud-based platform.
We’ve found that a hybrid approach to training is most effective from retention and cost perspectives. We recommend a training package that puts AnchorPoint experts in the room with your developers to reinforce the lessons learned from the structured, online courses.
This scalable, cost-effective approach can easily be deployed across your organization at a lower cost than traditional consulting engagements. Best of all, AnchorPoint Security bundles this into one simple, turnkey training solution with no additional hardware, software, travel or on-site training expenses.
We understand that training programs are hit or miss, at best. Sometimes, you get an outstanding instructor and you feel like the ROI is good. Sometimes, the instructor is horrible and you feel like you just wasted everyone’s time and the company’s money.
AnchorPoint eliminates this variability by guiding developers through a proven, structured, and web-based training program and augmenting that experience with subject matter experts, on-site.
We think this is the best training approach for teaching application security, but if you would rather try and track down a software developer with advanced application security knowledge who can communicate coherently with a group of people for several hours at a time – good luck! 🙂