We discuss the importance of data protection in HR, and how a hybrid continuous assessment approach has helped Cezanne HR secure its business-critical apps and maintain ISO certification standards at scale.
Full stack cybersecurity assessment
Helping customers improve security posture since 2001
Over 2,000 customers in all regions of the world
Really good at breaking technology
HR & Security go hand-in-hand
• Security automation to protect a fast-growing SaaS business
• Protecting customer data is the #1 priority
• ISO certification and preventing data leakage
• Reduce security stress on resources & budget
• Release with speed and confidence with a secure SDLC
SWAT for Business-Critical Applications
• Delivery through portal
• Findings published once reviewed
• Zero false positives
• Generate reports on demand
• Liaise with testers
• Integrate into SDLC through REST API
• CREST-approved methodology
• Managed by O24
• Daily assessment
  • DAST scanning
  • Change detection
• Regular manual assessment
  • Web application assessment
  • Quarterly
• Findings
  • Manual review of ALL findings
Brief service description
SWAT offers a combination of state-of-the-art web application scanning technology and Security Consultants to provide accurate and continuous web application assessments for a 12-month period.
What it is not
• A network and host layer penetration test. Instead it focuses on up to four manual tests of the web application.
• "A scanner". We provide zero false positives, something that is not feasible with just a scanner.
SWAT at a glance
• Day <1: Scoping
• Day 1-30: Onboarding, review & manual test
• Day 30-365: Daily monitoring

Service lifecycle
Scoping: Submit a SWAT scoping request via either the AppSec UI or through the Sales representative. On receipt the request is reviewed by the AppSec team. Once approved, the team returns a final scoping document including the number of applications/instances within two days.
Onboarding, review & manual testing: On the license start date, each application is set up in the portal, initial scanning is set up, and the first manual test is scheduled to commence within the first 30 days. After 30 days, continuous assessments are performed, including daily scanning and manual review of changes for any new risks.
Daily monitoring: After discovery, findings are verified by the AppSec team and published within 5-7 days of initial discovery, with a further 3 manual tests per year. Questions asked, and verification tests requested through the portal, are answered within 5 business days.
What it is
• Continuous security monitoring of web applications.
• Guaranteed zero false positives.
• A fully managed service, perfect for applications that undergo many development changes/releases or applications that are business critical.
Takeaways
• Application security hygiene – shift left for continuous assessment & secure SDLC
• Education – understand your attack surface to protect customer data & prove compliance
• Risk assessment – do your homework when stepping into new growth areas
• Stay current – strive to understand the latest attacker and industry trends
How the needs of HR personnel and HR management have evolved (from offline spreadsheets to a secure online platform)
Brief intro to Cezanne HR and John's role
How transformation in HR management has facilitated the growth of Cezanne HR in the mid-tier market globally
Key challenges with security within the HR sector (single sign-on and authentication)
How Cezanne HR customer demands have changed since the introduction of GDPR, and the importance of data protection
Creating a security-led culture and ensuring security is a top priority throughout Cezanne HR and across different functions
How the increase in customer demands has meant the need to grow the product and roadmap to include new features, i.e. to support new business and retention rates for Cezanne HR (new training modules etc.), without impacting security
How Cezanne HR came to the decision to move away from manual testing to automated continuous assessment, and how our relationship has developed
How John's team is measured and how SWAT helps them achieve their goals as a team – continuous scanning means we can focus on the top priorities
ISO 27001 certification and what it means for the business and Cezanne clients (we can speak from our perspective here as a Cezanne customer)
Improved speed to market as the app is tested every time there is a new update
Economics of pen testing from a business and security sense (Simon): how it helps achieve/prove compliance more easily
More efficient development-to-production cycle – John knows the app is secure before it's released
Access to the SWAT team and reporting
How application security slots into John's strategy and workflow, and how Outpost24 enables Cezanne to deliver new versions to market on time and in budget
How security testing can boost the sales process and RFPs
John's view of being a security professional and how having awareness of commercial success is important for his role
Using continuous assessment for quality assurance testing before the product is ready to go to market (speed to market and supporting the SDLC)
AWS and Cloud and how everything fits together