Posts Tagged ‘Application Security’

This is a typical scene and context you will have heard before.

A user contacts the help desk: yesterday they could still access the application, but today they encounter a problem, because the developers made a change and implemented new functionality and help desk support was not aware of it. DevOps support is challenging, in particular in an outsourced scenario.

Uncontrolled DevOps adoption at rapid speed, without consideration for the help desk and users, will happen and will disrupt operations. The promise of adopting DevOps is to get the functionality the business needs at business speed, using continuous integration (CI) and continuous development (CD), continuous delivery and continuous deployment, with the strong belief that users can absorb the small, incremental changes introduced through a DevOps methodology without disruption to business operations. That is the ideal scene. But we have seen many large changes implemented badly, without coordination. For in-house developers the disruption may be less than for outsourced ones, because the in-house developer team is accessible. Overall, though, this points to the problem that developers are not good communicators and do not coordinate a smooth transition. A better approach is to bring the help desk and some users into the project steering group, to make sure every impact is noted and the change moves in a manner where every party can make their own contribution; that is the key. In the end, it is an enterprise change, not just an application developed by developers. An application requires users to use it and a help desk to support it.

The best way is for developers to make use of systems and tools that keep users and the help desk aware of what is going on, with automation and integration to push all the needed information to each group in the format of their choice or the one they are used to. That will help streamline and minimise business disruption for the entire enterprise.

Feel free to contact E-SPIN for the various systems and tools we represent that are capable of providing effective and efficient DevOps support for developers, the help desk and users, from source code static application security testing (SAST) to dynamic application security testing (DAST) and integrated platforms, to name some key result areas (KRA) where we can help immediately.


Vulnerability Management Beyond E-SPIN

The world keeps changing, and rapidly. Not long ago we saw the technology landscape of vulnerability management change with the introduction of “container security”. We can use it to divide those who have it and work on it from those who do not see it as part of their solution and will instead integrate or work with a third party for it.

Over the past five years we saw the initial introduction of cloud security and cloud-based vulnerability scanners into vulnerability management, and now those who possess it have grown, in internet time, into the large few players in the market. The world keeps repeating the same way: technology keeps being introduced, and you either adapt to it or you are out of the business. We also saw players exit the market within that five-year horizon, which, for a market, is not really that long. If you cannot commit the resources for head-to-head competition, you had better give up and focus on other areas where you have core strengths and competency.

Since the industry has been established for so long, in the traditional vulnerability management (VM) market we have seen a long list of changes: new technology, takeovers, businesses closing, changes of vendor direction and changes of business model.

This article focuses on a few interesting topics.

The traditional vulnerability management market is now full of commercial and open source players. It also includes threat management (TM) players that now offer vulnerability management (VM) through horizontal or vertical, forward and backward integration or expansion. From the market and user point of view, a total and unified solution that provides lower total cost of ownership continues to be a strong value proposition. Unless they are hardcore, expert users who depend on specialized and more technically advanced or complex tools and products, generic all-in-one products continue to provide massive benefits and a massive market. It is a matter of value: if you cannot provide better functionality, then you need to price it right.

Professional and expert users really know what they want to accomplish and possess the know-how to do so. We are not surprised that they use open source tools when they have the competency to do so.

What we see most in the enterprise market is that buyers prefer report-friendly tools that are simple to operate and have more “automation” features. This continues to be the dominant market approach for the big players, who keep proposing more and more features and functionality in a comprehensive offering. All commercial players aim to be the preferred vendor, the chosen one.

The majority of buyers will settle for a generic all-in-one vulnerability management tool or suite, from affordable unlimited-IP licensing to solutions that allow a small IP node asset count, rather than committing to a huge IP block. Be aware that open source alternatives keep providing an alternative check on whether the investment outweighs the cost.

A few areas of development are worth following closely.

Toward cloud. Although some very traditional industries and markets still do not accept the cloud, it is future-proof, and there is evidence all over the world of how cloud architecture solutions benefit the enterprises that adopt them. More and more enterprise infrastructure is being migrated to the cloud; if you are still left behind in adopting the cloud in the right way, you will certainly spend a lot of resources the old-fashioned way. Cloud is not just about being hosted in the cloud; it is also about automation, a “cloud” system that goes beyond the traditional and is capable of scanning, say, 100k IP nodes concurrently. Just imagine how much time you would need to perform a 100k IP assessment if you did not do it the cloud way. It saves the enterprise a lot of time and money. More importantly, it provides a speed that the traditional way cannot match. Scalability is another area: there is no need to size up hardware, and the user always pays by usage through a subscription model, so no capital expenditure is involved. Much of the time we see people who have developed misperceptions, or who were previously engaged by non-professionals who failed to educate them correctly, and so missed the opportunity to align the company's resources for rapid business and technology transformation.

Container security. It is now a must for certain industries, for instance if your core business is streaming video or data to the mass market. Traditional vulnerability management fails here because it cannot cope with the speed and massive volume of streaming data; this is why “container security” has come of age as the world evolves and requires new forms of technology.

DevSecOps. The world is moving toward cloud, online and speed, and has adopted DevSecOps as the way to be future-forward and relevant. The traditional way of separate processes, each waiting for the other to complete its stage before moving to the next, is yesterday's practice. Business today demands the application now and demands that it be secured immediately, which calls for automation, integration and an instant end-to-end process. Traditional vendors that focus only on dynamic application security testing (DAST) will find themselves out of demand, as the requirement now is to also provide static application security testing (SAST). Technology vendors who can provide both and are capable of integrating and automating the whole process and workflow will continue to be relevant and needed in the future. Otherwise, you need to lower your product pricing, because you bring less value to enterprise users' use cases and their business requirements.

Unified security, from infrastructure security to application security. Traditionally we saw players divided by area, say application security or enterprise vulnerability management. As the market demands speed, we see application security players offering generic host vulnerability scanning. Likewise, infrastructure security vendors offer application security or niche technology in their product suite portfolio (whether they take over another company or build the technology in house).

Vulnerability correlation (VC) in a more holistic and broader area, so that the data and intelligence can be leveraged by other departments and key result areas (KRA). For example: fitting into a Governance, Regulatory and Risk Compliance (GRC) solution; coexisting with Security Information and Event Management (SIEM) and security operations; or providing vulnerability data to network and application security protection systems to temporarily “seal” the vulnerability and buy time for developers to fix their system. The opportunities and use cases for leveraging this information to benefit many related systems are limitless.

Vulnerability validation and exploitation testing, or manual penetration testing. We expect vulnerability management players either to provide third-party support or to integrate vulnerability assessment and pen-testing into a single product suite. This is also a very appealing area where we look forward to significant development. Surprisingly, in case you are not aware, there are only a few main players in pen-testing, but many VM players. We also saw the recent development of pen-testing vendors offering VM as a way of responding to market changes.

E-SPIN Group has been actively involved in the vulnerability management and penetration testing (VMPT) business since 2005. We work with various VM and PT supplier vendors and offer them as part of the solutions that work for the enterprise market we serve across the countries in the region where we do business. Feel free to contact our solution consultants for business and partner requirements and opportunities.


[Image: unified-vulnerability-management-suite-espincorp.png]

Background

With Gartner's recently published new market guide introducing “container security” as part of vulnerability management, and Tenable being the only one to possess it, by buying FlawCheck last year and introducing the Tenable.io platform to the market, the market has changed again.

Tenable.io also introduces web application security (WAS) as part of the platform offering. With container security and web application security, it now crosses over into leading container security and enters what we traditionally called the application security market (traditionally occupied by web vulnerability scanner and static source code analyzer vendors). Rapid7 in the past bought NTO and entered application security as well, rebranding it as the AppSpider product. We expect all of them to catch up on container security, most likely by acquiring an existing player that offers it.

Technology has kept changing over the years, from the earlier move to cloud, online and software as a service (SaaS) models, with the emergence of Qualys as the leading player in that field. With the latest acquisitions and integration of other new technology taking place, the real differentiators between major players become minimal, and we can expect major vendors to try to introduce unique and specialized areas to differentiate themselves from one another (takeovers, mergers and acquisitions are the obvious option for entering a market rapidly).

As for application security in depth alone, Tenable traditionally did not enter it in the past; it was dominated by web application scanners offering dynamic and static application security testing technology (DAST, SAST) or the newer interactive application security testing (IAST). We can expect the market to change again.

Traditional vulnerability management and specialized web application scanners have become more generic offerings, and the price point has come down significantly as the technologies mature and more me-too products are introduced to the market. The availability of open source alternatives leaves the enterprise market, which is willing to pay for commercial offerings, as the primary target for all commercial vendors.

We also see the trend of traditional penetration testing tool vendors attempting to enter the vulnerability management market, with Rapid7 acquiring Metasploit in the past and, recently, Core Security making a vulnerability management offering.

We also see the trend of companies that used to offer SAST now trying to enter DAST in the application security field. Mobile application security testing (Mobile AST), as a new technology, also sees rising demand for today's mobile-application-driven businesses.

On the other end, we see smaller vendors who previously focused on one tool product now also attempting to expand their offering to a larger audience. Big players are extending their products with niche products to penetrate what was previously recognized as niche as well.

Future of Vulnerability Management

Predictions for the near-future product market

[Image: future-of-application-security-market.png]

  • Mobile application security testing (Mobile AST) will be included in the Application Security Testing (AST) tool market (together with DAST, SAST and IAST).
  • Container security will be one of the unique areas, and slowly all the major players will incorporate it into their offering (whether as an option or bundled).
  • Unification of vulnerability management and application security in the near future (eliminating some of the players that cannot transition to the new, changed market reality).
  • Standalone, niche-focused products that are easy to use will continue to play a role in the market for those looking to solve a specific purpose; both generic and specialized products and tools will continue to be available for those who need them.
  • The shift-left trend (moving from product security to software development): more and more customers look for integrated tools to streamline the vulnerability and security fixing cycle as early as the early development process.

[Image: security-risk-mnagement-SRM-espincorp.png]

  • The trend toward threat/vulnerability management (VTM) is slowly emerging and being recognized as a single unified process (threat assessment -> vulnerability assessment -> risk analysis) that streamlines the whole process for addressing enterprise threat/vulnerability and risk analysis, or security risk management (SRM).

The future vulnerability management suite depends on end user requirements. For complex enterprise requirements it will include the unified vulnerability management suite aspects above as functional modules or options in the bundled package.

As you can see, a market product shift is underway, so if you want to make any major decision for the short term, license subscription (LS) is certainly the way to go, since it is pointless to own an “outdated product” and pay a significant investment upfront that you may or may not find relevant to the changed market at all.

E-SPIN Group has been a vulnerability management, application security and penetration testing product and solution provider for over 13 years in the market. E-SPIN will continue to be active in this business domain, helping customers make the right investments that yield a return on investment.

Feel free to contact an E-SPIN solution consultant for any project or operational requirements.


This video is about the Trustwave Web Application Firewall, by E-SPIN

Trustwave Web Application Firewall

For those who could not join us for the session, please see the summary and highlight clip for the event.

https://www.youtube.com/edit?o=U&video_id=ar5C2Efuo0I

E-SPIN recently ran a Trustwave Web Application Firewall “what's new” session covering what is new for new and existing users.

For further information, please contact us or visit our website at http://www.e-spincorp.com


E-SPIN is pleased to bring the highly demanded, market-leading Veracode Application Security Product Portfolio licensing subscription, with a cross-over to the eLearn products E-SPIN represents, in the region where we do business, effective from 1st Jun to 30 Sep 2017.

https://goo.gl/JEHYPL

[Image: E-SPIN_Promotion_Veracode_AppSec_Product_Subscription_Free_eLearn]


This video is about the event highlights and summary of the Partner Synergy 2017 Application Security Event by E-SPIN

E-SPIN Partner Synergy 2017

For those who could not join us for the session, please see the summary and highlight clip for the event.

E-SPIN recently ran a Partner Synergy 2017 “what's new” session covering what is new for new and existing users.

For further information, please contact us or visit our website at http://www.e-spincorp.com


[Image: espincorp-learning]

E-SPIN partners with Security Innovation to provide access to over a hundred global leading computer based training (CBT) courses covering security awareness, application security in depth, and hackathon-style online and network hacking simulation training courses that are relevant and of high quality.

We share the same goal: to provide easy access and to upgrade employees' skills, knowledge, abilities and other competencies (SKAO) through computer based training (CBT). Training a workforce that will be successful today and lead the company tomorrow is the challenge for most organisations. Computer based training provides a highly efficient, effective and flexible way to help organisations achieve organisational learning and development.

E-SPIN has joined forces with Security Innovation to accomplish this goal. Through a unique partnership, E-SPIN provides this highly demanded, relevant curriculum and expanded course offering in a package bundled with various application security tools across the Asia Pacific region. End customers will have the chance to acquire global industry standard application security tools and access to highly relevant, quality training courses in one bundled package.

For more details of the cross-over bundle, please contact the E-SPIN officer at securityinnovation@e-spincorp.com.
