Securify

The leading preventive security specialist for innovators by our curious bright minds

Securify helps organizations identify, remedy and prevent technical security risks through pen testing, red teaming assignments and security code reviews. The focus is on effective protection against the biggest business risks. Based on security roadmaps, code, (mobile) applications, infrastructure and the organization as a whole are optimally secured. Many companies - from start-ups to large banks - have been relying on Securify for years to properly secure their systems and (mobile) applications. With hundreds of penetration tests and security code reviews per year, the Securify team helps to properly secure the data of millions of Dutch people.
In addition, Securify provides an innovative vision on application security of (business) critical systems. The unique approach of Securify Inline enables development teams to deliver continuous, demonstrable and more secure software at an agile speed where security does not slow down. For more information, visit www.securify.nl.


Penetration testing (ethical hacking)
A pentest (white-/grey-/black-box) allows a customer to find out what vulnerabilities and security shortcomings exist in an environment, and to what extent the platform is safe from outside hacking attempts. White-box penetration tests (including source code reviews) are the core of Securify’s activities. Pentesting provides a clear understanding of the general security level of an environment and how that security level holds up compared to that of similar environments tested by Securify.
In short, the result of a penetration test will give your organization a clear insight into security issues and general points of attention related to security, and into how the encountered risks can be managed, solved, or mitigated.
The management summary will contain a value judgment about the security level of your environment. Technical risks will be translated in such a way they will also be clear to readers without a technical background.

Code Reviews
The security quality of an application heavily depends on the security quality of its source code. Code is the DNA of your applications and security starts right there. Security code reviews are one of our core specializations. They are the most accurate and effective means to identify security issues and points for improvement in the final or early stages of a project. Approximately 80% of the projects we run are white-box security assessments, which include manual security code reviews.
Many people on our team have a strong software development background and are fully specialized in performing security code reviews and supporting the development team to build highly secure products. Securify understands the coding mindset and is comfortable around software developers. We know how to interact with them in a constructive way to get things done.
Over the years we reviewed millions of lines of code and helped to secure thousands of mission critical applications. It is only natural we have encountered some of the weirdest bugs and flaws one can imagine. Luckily Securify also had the privilege of having seen tons of beautiful, flawless code. Armed with this experience we recognize flaws fast and know how to fix and prevent them efficiently.
When combined with penetration testing, a customer can rest assured that no bit or byte will be left untouched, and no unexpected vulnerabilities will remain lurking in the depths of an application.
A security code review only requires a skilled code reviewer (and we have a steady supply of testers up to that task!) and a good Integrated Development Environment. Within Securify we use the JetBrains All Products pack, which contains several IDEs with nifty functions to help the reviewer find security errors fast.

Inline – Continuous Security Testing
Securify Inline is designed to help development organizations to deliver demonstrably secure products at Agile speed. This is achieved by introducing continuous security testing, security support, a short security feedback loop, and continuous awareness of the Agile development workflow. Inline is built on the foundation of years of close collaboration with Agile development teams of many organizations that build mission critical products with continuous and demanding security needs.
In short, our expert team will continuously verify the security quality of all the things you build. Moreover, we provide your team with full-time security support, feedback, and targeted security awareness (knowledge transfer). Inline is offered as an all-in, managed Agile security service that supersedes out-of-band (yearly) penetration testing and installs a continuous/premium security verification and improvement process in your development organization.
Findings will be reported directly into tools such as Jira and the security level (e.g., ASVS), test scope, threat profile, and all testing activities will be organized in your organization's Inline dashboard.
The Inline security testing process will be extensively documented so internal and external stakeholders can be informed proactively on the security level of your software. This also provides a driver for (cyber security) marketing efforts to stress your efforts to keep software safe!

Scenario-based penetration testing
Scenario-based penetration testing is a security assessment performed against an organization using different scenarios. Each scenario will evaluate a different security aspect of the organization. It provides an indication of how resilient and/or mature the organization is in defending against a particular threat. Ultimately, an assessment is performed to find security discrepancies in a target organization using a pre-defined, agreed-upon scope.
A scenario-based penetration test is not like traditional penetration tests. Traditional penetration tests usually focus on discovering vulnerabilities using a very limited scope, covering only a narrow aspect of the organization’s IT landscape. Scenario-based penetration tests have a scope that is defined per scenario and have different goals, namely: how resilient and/or mature is the organization to defend against certain threats.
A scenario-based pentest is also not a Red Team. A Red Team engagement usually consists of emulating a certain threat actor by performing a cyber-attack on the whole organization following the tactics and methodologies of selected threat actor(s). A scenario-based penetration test focuses on the execution of a specific scenario using pre-defined steps and in a more efficient and time-boxed manner.

Red Teaming
Red Teaming is an offensive research method which can be used to measure the maturity and awareness of your organization regarding cyber security resilience (digitally, socially, and physically).
Our Securify RED team is specialized in setting up and executing realistic attacks with the goal of assessing the detection and response capabilities of the Blue Team. All successful break-ins will be demonstrated and can be applied to strengthen and train your organization within the main fields that were identified during the Red Teaming engagement.
Securify RED is always busy researching new tooling, techniques and attack methods that will be subsequently used during Red Teaming engagements, mainly within larger Dutch financial institutions.

Purple Teaming
Purple Teaming operates on the grounds where Red Teaming and Blue Teaming execute their operations independently. Traditionally, Red and Blue Teams tend to go about their business in a vacuum, oftentimes not sharing their modus operandi. As a result, feedback is only shared marginally, if at all. This might prevent essential learnings arising from Red and Blue Teaming operations from being implemented at the organization level to increase baseline security.
This is where Purple Teaming steps in. One of its targets is to integrate the results of Red and Blue Teaming operations, which has several distinct advantages:

  • The entire organization can increase its level of security maturity.
  • Sharing the results of attack or defense operations allows for better detection or prevention of attacks, which in turn allows for more advanced attacks, thereby making it increasingly difficult for a real attacker to compromise the organization.
  • The experience a Blue Team has with social engineering, for example, can help the Red Team to stage smarter social engineering campaigns, which will help the organization to become more aware of these kinds of attacks.
  • The findings from the Red Team can be used to guide the Blue Team (e.g., to tune SIEM systems).
