Securing agile web app environments
The scope of this engagement consisted of delivering continuous vulnerability management of 100+ web applications deployed by an online gaming/sportsbook client for their UK&I, Italian and Australian markets.
- The client company required a continuous assessment of its entire global Internet-facing cyber-estate in order to detect current security issues and detect new issues into the future.
- The client required an authenticated assessment (edgescan logging into each application) to simulate an attacker with valid credentials on both desktop and mobile web applications.
- The client required a false positive free list of actionable findings which they could simply assign and fix.
- They required the assessment to continue to assess the sites so they could track progress and mitigation of discovered security risks.
- The client required access to the edgescan API and Jira plugins in order to access the edgescan data directly, system-to-system.
- The client required retest on demand capability where required and also alerting of any new high risk issues discovered.
The onboarding phase consisted of validating each site and server for stability and criticality such that the continuous assessment could provide coverage and depth of testing as expected. Once an application is onboarded, technical assessment can commence and the application is subject to technical security assessment on an ongoing basis.
Edgescan provided continuous authenticated assessment on an ongoing basis for the 100+ web applications under management. All of the vulnerabilities discovered are manually validated, helping our client focus on issues which cause a real risk. Assessments occurred on a scheduled and an ad-hoc basis as required by the client. The assessment included the mobile sites offered by the client.
Within the first 7 days edgescan discovered, validated and published 55 high risk issues on the client's edgescan portal. The client proceeded to fix the discovered issues over the coming months and the fixes were verified and closed by edgescan. The client could display the improvement of its security posture over time. The client could request an assessment when required to retest for vulnerabilities and maintain a secure posture.