
Laboratory Part I

This is the first in a series of articles about the Laboratory. The Laboratory, or Labs as we call it, is the project that gives us a lot of openness: it uncovers, and lets us work through, many topics that have been waiting for their time.

What was the problem?

There were a lot of issues and topics at the beginning. We focused on the main one:


Create an ideal process for PenTest


We got the idea for a few reasons: there are many different approaches to doing a pentest; there are a couple of different standards, none of which turns out to be ideal when applied in practice; and mobile pentests require a slightly different approach and focus.

What is the best place to try your hypothesis out?

A laboratory, for me, is always about experiments and inventions. The Lab I like to be in is all about information security, cyber security and even economic security.


Since 2018, a tremendous number of hypotheses and experiments have been run here, and no one was hurt. I am really proud of our ByteCode Security Lab.


Where did the idea of the Lab come from?

Security itself, and a defensive mindset, isn't a skill that can be obtained once and then put on a shelf until the next opportunity. The skill should always be kept sharp and ready to apply.


We combined and upgraded all the approaches we had used before for penetration testing, to end up with a solution that lets us give more information, transparency and understanding during a company assessment, with different options available along the way.

Is the process really important?

Products are always about time and go-to-market opportunities. Your product is like a baby you have been working on for months, and you want security to become its strength, not an obstacle on the way to market.


The main goal of the experiment was to improve the existing penetration testing approach and make it more product friendly, as well as to take the most valuable ideas and apply them at an early stage of product development.

How do you achieve excellence?

The standards and frameworks we love and widely use (like OWASP and NIST) are a good basis to start a conversation. They contain a lot of general information that covers a wide variety of topics. But every company is unique and requires fine tuning of the frameworks and a tailored approach to fit all the needs of the product and the company.


In the most general view it is a discovery exercise for the company: identify all the areas, threats and vulnerabilities; collect all the existing and potential risks and opportunities; map them to the business objectives; and from that combination design a unique strategy and organise priorities to get an excellent result in a short lead time.

Why should you care?

Each subsequent step is fed by the discovery and can fairly answer the question WHY:

  • WHY the step is in scope;
  • WHY it supports the business objectives;
  • WHY it is essential at this phase.

What was the reason? 

Combining all of our business use cases together uncovered that, by applying only one standard or framework, it is nearly impossible to get a result that is higher than average.


You can't achieve excellence with something standard; it only gives you the bare minimum.


Sticking to the bare minimum in security is a crime by default. You should always be looking for a partner who tirelessly strives for excellence. And that makes me tireless in seeking the approach that will give that opportunity.

Why does the Lab matter?

The combination of sharp minds, enormous experience and a desire for discovery allows the Lab to define a formula and convert it into a workflow that starts from the wide product area and narrows its focus onto the crucial aspects.

And what was the result? 

Chain Workflow became the approach that organically unites the best practices from different standards and frameworks to identify, on the go, the best solutions that work for the uniqueness of the product.


It lets us navigate towards defending what matters most in the product: clients, assets and reputation.


What is next?

... go ahead

