An Event Not Worth Missing
One of the first, and perhaps most important, steps of any pentest is the reconnaissance and threat modeling process. At Software Secured, the threat modeling process helps our security engineers understand the business logic and develop custom security test approaches. Every application is different, and without understanding the business logic of the application and the ways it could be abused, many vulnerabilities would go undiscovered. Threat models vary widely, from simple applications that can be tested quickly to complex applications with multiple layers of complexity, multiple sets of clients, internal and external integrations, different client types and several integration points. At Software Secured, threat modeling is essential to all pentests, regardless of an application’s level of security maturity. Threat modeling for an application can start even before development. Then, as the application matures in security, the threat model evolves as well.
Solace is a middleware company based in Ottawa, Ontario. Their mission is to help enterprises adopt, manage and leverage event-driven architecture, with a complete event streaming and management platform. Within their platform, a user can build event meshes to stream events across environments and visualize and govern event flow across an enterprise. Users can even design, discover, share, and manage their own events. This type of application poses an interesting challenge for application security. As an event-broker system, the application manages a large amount of sensitive customer data through multiple internal and external sources.
As Solace started to serve large enterprises such as RBC, SAP, and the London Stock Exchange, their need for a partner in application security grew as well. In their mission to improve application security, Solace was looking beyond just hiring a pentesting vendor.
Rather, they were looking for a partner in application security who could help identify security gaps, provide consulting and offer remediation support in addition to pentesting. Far from looking at pentesting as just a necessary checkbox in their security questionnaires, Solace envisioned security as more of an engineering pillar, just like architecture, DevOps, and support. Software Secured’s Penetration Testing as a Service (PTaaS) offering was the perfect match.
For Solace, including Penetration Testing as a Service as part of their development team allowed them to make security an integral part of the engineering and release teams. As such, developers received early and continuous feedback before major releases directly from Software Secured’s security engineers through a private Slack channel. This level of communication access, testing availability and remediation support accelerated the security feedback loop. Finally, using PTaaS provided Solace’s sales team with access to an always-updated pentest certificate which verified their commitment to ongoing, deep, manual testing. In turn, this showed potential enterprise vendors Solace’s dedication to the highest level of security standards and its proactivity in being a leader for secure middleware companies in Canada.