Last updated at Tue, 12 Dec 2017 19:44:52 GMT
When I was younger, one of my favorite gifts was a magic kit. My dad did magic tricks with cards and rope, and whenever I asked how he did it, he’d say, “A magician never tells his secrets.” Part of why I loved that gift so much is I got to be the magician—and I got a glimpse of the secrets.
Whenever I spend time with the Managed Application Security team at Rapid7, I feel like I did when I was younger: excited to learn about how the magic works. Here are some of the secrets I’ve learned.
Application Security Services Help Maturing Companies the Most
Organizations that choose Application Security Services often do so because their IT and security teams are maturing. Rapid7’s Managed Application Security Services offer help and expertise to the team. We've found that many younger organizations both recognize the importance of application security and acknowledge that they don't have adequate staff to do the work. That's where we come in.
Rapid7 Does Application Security Better
Rapid7 combines people, process, and technology to do Managed Application Security better. Our team of cybersecurity and development experts sets up and runs scans for customers and then monitors those scans to make sure they run smoothly. Once the scan results come out, they validate vulnerabilities and help the team prioritize remediation and risk. This sounds simple, but it can take many hours or days to perform depending on the number and types of applications. This is why the people matter. The team is made up of true application security experts who know what to look for—and they do it fast. Their experience and expertise significantly cut the time it takes to review scans and validate vulnerabilities. They then deliver reports to the customers and are available to discuss results and help solve them. Vulnerability validation is just the beginning.
What the Team Discovered
One of the reasons our team is able to go beyond running web application security scans and validating vulnerabilities is the simple fact that they’re curious people with deep attacker knowledge; in other words, they’re hackers at heart. Recently, something looked off in one of the team’s application scans. It turned out that they had discovered an application vulnerability that was making all customer invoices searchable on the public web. When they realized they could see one invoice, they dug deeper, like any smart attacker would. They knew what to dig for, and as a result, they were quickly able to help the customer resolve it.
Before I asked our magicians to reveal their secrets, I had no idea that it was possible to make all of your invoices public, but exposing sensitive data like this is a huge risk—especially for smaller companies without application security programs. The trick to solving problems for customers is combining excellent tools and an abundance of curiosity in a team of experienced professionals, but the real magic comes from having access to this team, and therefore to a world of discovery that was previously hidden behind a curtain.
Learn more about Rapid7’s Managed AppSec Service.