
Managed Penetration Testing Across Hundreds of Applications Company-Wide

A Fortune 100 retail, media and entertainment conglomerate turned to Security Compass for assistance to perform company-wide, managed penetration testing across hundreds of applications.

Retail, Entertainment

Practice Areas
  • Security Program Management and Execution
  • Application Risk Profiling
  • Web Application Security Assessment
  • Mobile Application Security Assessment
  • Desktop Application Security Assessment

Our Client’s Challenge:

  • Our Client had a desire to improve their application security posture enterprise-wide across global business lines and application groups.
  • They did not have a standardized verification methodology for application testing. Ownership of security was dispersed across the organization for hundreds of customer-facing applications.
  • As a single application involved a variety of stakeholders, the logistics of preparing for a security assessment, such as project management and obtaining buy-in from key stakeholders, were a big challenge, compounded by having a small internal security team.
  • Our Client sought Security Compass’s expertise to help develop a testing framework that could allow for a consistent, methodological approach to security testing and reduce risk across the entire enterprise application profile.
  • They were generally unsure of how many applications and systems were deployed across the organization and needed to get a sense for the level of risk exposure.

Our Approach:

  • Security Compass engaged with key stakeholders and performed a thorough review of our Client’s business units and strategic objectives. This developed into a partnership model with our Client’s security team.
  • Security Compass would assist with technical expertise and delivery, allowing the Client to focus on vulnerability management and strategic direction. Our partnership achieved acceptance with key stakeholders as Security Compass worked side-by-side as part of our Client’s security assessment team.
  • Security Compass supported logistical and project management efforts by setting up timelines and communicating deliverable dates. For each application, we executed penetration testing in coordination with our Client’s application teams, helping corporate security stay focused on overall risk management activities.
  • As our Client did not have a full risk profile of applications in their organization, Security Compass first performed surface scans of external-facing applications to identify and then prioritize the highest risk applications.
  • Having an understanding of the external application profile, the program was expanded to internal applications. Focused penetration tests were then performed against the highest risk applications, slowly building a risk profile across known assets and allowing our Client’s risk management and remediation team to take over.

The Result:

  • Security Compass provided vulnerability-focused risk profiles of all externally identified web applications. This helped our Client build a manageable external application profile to track future application risks, along with actionable vulnerability data to reduce the immediate risks facing the organization.
  • Through a close working relationship and partnership approach, Security Compass helped our Client raise awareness amongst internal business teams and communicate the importance of this application security effort. We were able to help establish a bridge between the corporate security team and the application teams.
  • Our Client was able to understand application risk profiles and develop relationships with key application stakeholders. As a result of partnering with Security Compass, they became armed with a robust framework for risk profiling and penetration testing which could be used on their own and built upon in the future.

Our Advisory services team has more than a decade of experience focused on Application Security. We take a flexible approach to your strategic security problems.

Whether you are a global enterprise looking for advice on security strategy and governance, a major financial institution seeking support on regulatory compliance and penetration testing activities, or a startup looking for high-quality assessments to give customers assurance for your business, we're here for you.

Our credentialed professionals are experts in how to break applications and fix code, who take pride in helping you succeed in your Secure SDLC and Secure DevOps programs. Contact us today to learn how we can help solve your organization’s application security challenges.