The first step in a transformation is knowing where you are. Xebia Security can assess your organization in various ways:
- Architectural reviews against industry standards like the Amazon Well-Architected Framework
- (Pair) pentesting to identify weaknesses and vulnerabilities in your applications, infrastructure, and build pipelines
- Maturity assessments to identify gaps and alignment problems in your processes and organization
An architectural review aims to identify architectural or procedural weaknesses that are hard or impossible to find with regular testing. This review is conducted with key stakeholders, such as project managers, system engineers and developers. An architectural review measures against best practices and guidelines. These can be specific guidelines for platforms, systems or applications (e.g. CIS Benchmarks or the Well-Architected Framework principles from Amazon), or general guidelines for information security (e.g. ISO 27001/2 or SOC 2). Optionally, we can include documents provided by the customer for use in the audit.
Any assessment for gaining assurance in the security of an IT system involves time-consuming activities to transfer knowledge between the parties involved. At the start, the pentesters need to construct a model of the intended functionality and the actual implementation. At the end, the development team needs to understand what the issue is, how to resolve it and why it was there in the first place, in order to prevent future incidents. This waste can be reduced, and the quality of the outcome raised, by pairing our ethical hackers with your team members during the penetration test.
Pair pentesting makes the business perspective an integral part of the activities and deliverables, and enables real-time improvements to the system and to the team's way of working. The pair pentesting approach has proven to be more effective than white-box or even crystal-box pentesting.
Your security improvement strategy should aim for the activities that fit your development and operations teams. There is always something to improve, but it must remain a balance between effort and reward. Our maturity scan will point out which improvements are most beneficial for your business.
The result of our maturity scan is a list of short-term improvements as well as a roadmap for the future. This roadmap contains specific advice and recommendations on how to close the gaps that stand between you and the desired security maturity level, and pinpoints exactly where to start the transformation.