Detectify, the External Attack Surface Management platform powered by elite ethical hackers, today announced Custom Policies Overview, a new tool allowing organizations to quickly and easily enforce custom security policies across the entire attack surface, improving security postures at the speed of business.
The automated solution enables organizations to set customizable policies for every asset based on various business conditions, discovering violations of corporate policies and remediating critical vulnerabilities before they become exploitable.
Every organization has its own security workflows and different criteria for determining acceptable risk. Ensuring that an organization’s external attack surface adheres to specific internal security policies, however, is a major challenge. Most attack surface management solutions use one-size-fits-all approaches, only triggering alerts if they identify publicly disclosed vulnerabilities with assigned CVE scores. Unfortunately, since many critical vulnerabilities never receive CVE scores, testing only for publicly disclosed vulnerabilities is an incomplete approach that leaves the business vulnerable.
Furthermore, organizations often add assets or technologies to the attack surface without ever alerting the security team, eliminating any guarantee that the assets meet corporate security standards. This leads to policy breaches that can go undetected for days, months, or even years, representing massive risk to the business. “Shifting left,” and introducing security testing earlier, is a common solution that many DevSecOps teams attempt in an effort to catch vulnerabilities pre-production. However, Detectify research shows why this approach is not feasible for organizations with large, dynamic attack surfaces:
- It assumes a linear development process which few companies have - 41% of companies surveyed believe shifting left is not feasible and a further 58% believe it can only be applied in specific instances.
- While shift left only introduces minutes into the development process, it can take hours to resolve severe vulnerabilities in production, thereby increasing the risk associated with the vulnerabilities that make it through development.
- It forces organizations to rely upon public rating systems and disclosure processes (e.g. CVSS and CVE) for prioritization. However, 35% of the vulnerabilities reviewed by Detectify’s private network of ethical hackers did not have a CVE assigned.
Custom Policies Overview gives security teams the ability to create customizable policies that automatically identify violations of corporate policies as soon as they are brought online. Many security companies offer rigid solutions, forcing customers to choose from a menu of pre-set conditions that often do not apply to their business. Detectify is the only vendor that allows security teams to run policies on security headers at scale, automatically identify open ports that, according to company policy, should be closed, and more. Custom Policies Overview is truly custom, built upon rules that customers define for themselves based upon their own business context.
“Security is not one-size fits all,” said Rickard Carlsson, CEO and Co-Founder, Detectify. “No one has an entirely linear development process, and every organization has a different definition of acceptable risk. Security teams need to apply their own unique security policies for corporate assets based upon business context. Doing this manually is time intensive and not scalable, leading to bottlenecks. Custom Policies Overview allows security teams to enforce security best practices without slowing down critical business operations.”
Using an “IF-THEN” structure, Detectify brings visibility back to security teams, providing real-time insight into anomalies in production before they become risks, even if security was not part of the development process, and allowing security to enforce security best practices without becoming gatekeepers. Custom Policies Overview is available now.
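To make the “IF-THEN” policy idea concrete, the following is an added example of a minimal policy evaluator run over an inventory of external assets. It is not Detectify’s code and does not use the Detectify product or API; the asset fields (hostname, open ports, response headers, tags), the policy names and the sample inventory are all constructed here for illustration. Each policy is an IF condition on an asset paired with a THEN message, mirroring the two checks the announcement names: required security headers and ports that company policy says should be closed.

```python
"""Toy IF-THEN policy evaluator for an external asset inventory.

Added example, not Detectify's code. All field names, policies and
sample assets below are assumptions constructed for illustration.
"""
from __future__ import annotations

from dataclasses import dataclass, field
from typing import Callable, Iterable


@dataclass
class Asset:
    """One Internet-facing asset as a scanner might record it (assumed schema)."""
    hostname: str
    open_ports: set[int]
    headers: dict[str, str]            # response header names, lowercase
    tags: set[str] = field(default_factory=set)


@dataclass
class Policy:
    """IF `condition(asset)` is true THEN raise a violation with `message`."""
    name: str
    severity: str
    condition: Callable[[Asset], bool]
    message: str


@dataclass
class Violation:
    asset: str
    policy: str
    severity: str
    message: str


# Small condition builders so policies read as business rules, not code.
def missing_header(name: str) -> Callable[[Asset], bool]:
    return lambda a: name.lower() not in a.headers


def any_port_open(ports: set[int]) -> Callable[[Asset], bool]:
    return lambda a: bool(a.open_ports & ports)


def tagged_and(tag: str, cond: Callable[[Asset], bool]) -> Callable[[Asset], bool]:
    """Scope a condition to assets carrying a tag (e.g. only production)."""
    return lambda a: tag in a.tags and cond(a)


def evaluate(assets: Iterable[Asset], policies: Iterable[Policy]) -> list[Violation]:
    """Apply every policy to every asset and collect the violations."""
    violations: list[Violation] = []
    for asset in assets:
        for policy in policies:
            if policy.condition(asset):
                violations.append(
                    Violation(asset.hostname, policy.name, policy.severity, policy.message)
                )
    return violations


# Constructed sample inventory (hostnames are placeholders, not real targets).
SAMPLE_ASSETS = [
    Asset("www.example.com", {80, 443},
          {"strict-transport-security": "max-age=31536000",
           "content-security-policy": "default-src 'self'"},
          {"production"}),
    Asset("staging.example.com", {22, 443},
          {"strict-transport-security": "max-age=31536000"},
          {"staging"}),
    Asset("legacy.example.com", {443, 3389}, {}, {"production"}),
]

# Constructed example policies: the "custom" part is that each team defines its own.
POLICIES = [
    Policy("hsts-required", "high", missing_header("Strict-Transport-Security"),
           "HSTS header must be set on every external host"),
    Policy("csp-required-prod", "medium",
           tagged_and("production", missing_header("Content-Security-Policy")),
           "Production hosts must send a Content-Security-Policy"),
    Policy("no-remote-admin-ports", "critical", any_port_open({22, 3389}),
           "SSH/RDP must not be reachable from the Internet"),
]


def violations_by_asset(violations: Iterable[Violation]) -> dict[str, int]:
    """Count violations per hostname, useful for a remediation queue."""
    counts: dict[str, int] = {}
    for v in violations:
        counts[v.asset] = counts.get(v.asset, 0) + 1
    return counts


if __name__ == "__main__":
    for v in evaluate(SAMPLE_ASSETS, POLICIES):
        print(f"[{v.severity}] {v.asset}: {v.policy} - {v.message}")
```

Running the script lists four violations: the legacy host trips all three policies and the staging host only the port policy, while the fully compliant host produces none. Re-running the same evaluation on every new inventory snapshot is what turns these rules into continuous enforcement rather than a one-off audit.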
For further information, visit detectify.com/attack-surface-custom-policies
About Detectify
Detectify sets the standard for External Attack Surface Management (EASM), providing 99.7% accurate vulnerability assessments. Product security and AppSec teams trust Detectify to expose exactly how attackers will exploit their Internet-facing applications. The Detectify platform automates continuous real-world, payload-based attacks crowdsourced through its global community of elite ethical hackers, exposing critical weaknesses before it’s too late. Go hack yourself: detectify.com