Clever Case Study

Tightening Clever's application security on a budget

Clever is a company composed of former educators, teachers, and technology professionals who are improving education using technology. Clever powers technology in the classroom. The company provides software applications with a platform that easily connects to schools and give school districts a central location to manage all of their learning resources. More than 50% of U.S. K-12 schools already use Clever, with more joining the network everyday. The end goal of Clever's application suite is to give teachers more time to focus on teaching and to keep information flowing through the district.

Clever has a reputation for setting the best practices in privacy, security, and data control to help districts and applications keep student data safe. They reached out to Security Compass for additional assistance with their internal security audit.

Challenge: Assert the security of Clever's solution and uncover any previously unknown vulnerabilities

Clever is committed to performing an annual security audit, which is something they have made clear to their customers. Alex Smolen is the Security Lead at Clever and manages the security and infrastructure teams. When explaining why he reached out to Security Compass, Alex said,

"In addition to wanting a letter of attestation and being able to say that we underwent our annual security audit, we wanted to understand if there were any vulnerabilities in our applications that hadn't been discovered through our other security efforts."

Clever uses a number of ongoing internal processes to ensure that their solution is as free from vulnerabilities as possible. This includes numerous manual and automated tests, but they also understand the value of having additional professionals looking for issues outside their normal procedures. Alex further explained, "We have a variety of practices in place to prevent vulnerabilities from being present in our system. Those include internal processes and technologies, as well as using external reporters. We have an active bug bounty program which has helped us identify and fix some vulnerabilities. I think that with security, you're always going to be in a position where additional effort might yield additional results, and so, for us, I think it is important to have an annual snapshot where we understand that there will be a certain level of rigor applied to our entire portfolio application. That's something where it gives us that additional assurance beyond what a bug bounty program or even our own internal efforts can provide."

The company chooses different security firms each year to help them get as many eyes as possible on their solution and to expose as many issues as possible. Alex had been acquainted with one of Security Compass's employees in the past. Alex was informed about the type of work Security Compass did and was interested in learning more, so he reached out to them as one of the firms he requested a proposal from.

Alex said, "Generally, my selection process is to source my network to see which security firms have the best reputation or where people can vouch for them, and then I send out a proposed statement of work that talks about the scope of the assessment that we're looking for. Then, I review the different proposals factoring in various aspects, including the methodology, the information about the organization background, and also the price. Based on those results, we select an assessment firm and we have taken on the practice of rotating our assessment firm annually to ensure that we get a different look." He added,

"Security Compass seemed to have a really good balance of a rigorous methodology, experience working with similar clients, and also a price point that was competitive with other firms that we worked with in the past."

Solution: Coordinate, communicate, and assign an expert team to the project

Clever contacted Security Compass with a tight deadline during Q4. Staffing a project on short notice in this time frame is a challenging task, but one that Security Compass was ready for and used to handling. Security Compass tentatively booked their resources before the project was confirmed. This way they would be able to hit the ground running in spite of the tight time frame as soon as the proposal was accepted by the client. Once the project was confirmed to go ahead, the Security Compass consultants coordinated an internal kickoff to inform the team of the challenge that was lying ahead for them. The knowledge transfer was completed quickly and the team followed their standard project execution procedure from there.

Clever is located in San Francisco, where Security Compass has consultants available to deploy. They sent a consultant on-site to gather all information and sped up the process of getting the entire project team up to speed so that the application assessments could commence shortly. Security Compass initially allocated more effort to the project than Clever's budget would allow for, so the consultants remained flexible in their approach to ensure that the client's budget was not exceeded. Security Compass made the most of their constraints by taking time early in the project to identify and understand Clever's top priorities so they could focus the most time on the most important aspects and ensure that Clever was getting the most out of their services.

Alex was pleased to see that "Security Compass tried to understand Clever as a business and what the product actually did to tailor suggestions and recommendations so they were more aligned with our business and our risk profile."

The Security Compass consultants integrated well with the team at Clever which made communications with the client more efficient. This was helpful when the consultants reported on any new issues that were found and were able to verify the fixes that came shortly after.

"Security Compass has been able to communicate with us effectively when they've identified issues," Alex said. "They were able to describe the impact of those issues, how to reproduce them, and how to remediate them in a way that was easy for us to understand. The communication was consistent, and that helped us move through the process quickly."

Benefits: New vulnerabilities brought to light and resolved quickly

The team assigned to the project performed vulnerability assessments on several of Clever's applications looking for vulnerabilities that may have been undetected through other means. When new issues were found, the consultants would submit a report, including steps to reproduce the issue, an estimate of the level of risk presented by it using Clever's internal standards, and recommended strategies to remediate the issue effectively.

Clever received the letter of attestation they were looking for from Security Compass which they can use to instill trust in their customers that they have undergone a thorough security assessment. They were able to quickly remediate the issues that were discovered. Security Compass kept in touch with Clever even after the initial project ended to test their fixes and provided updated reports on the related issues. Security Compass did not charge the client any extra fees for these final tests in order to build goodwill with Clever and to ensure that the client was fully satisfied at the conclusion of the project.

When asked about Security Compass's overall performance, Alex said that the consultants were "professional, communicative, and insightful."

If you are interested in similar assistance for a security assessment of your own software applications, we would love to help. Contact us at info@securitycompass.com for additional information, or visithttps://www.securitycompass.com/advisory/ to see types of consulting services we offer.

CLIENT: Clever TOOL USED: Security Compass icon for advisory Advisory

How can we help?