Think Like An Attacker, Act Accordingly
Baseline Your Security Posture
Think Like an Attacker, Act like an Auditor
You Can't Secure What You Can't See
As organizations embrace SaaS and public cloud computing, they are expanding their attack surfaces exponentially.
However, Internal Audit, Security, DevOps, Network, and AppDev teams often struggle to consistently understand and implement proper security within an industry framework.
The following challenges, among many, are faced by most client teams when managing an ongoing assessment culture.
Spreadsheet Hell
Preparing for quarterly and annual audits is never fun, much less so when trying to track your compliance activities on spreadsheets.
Dynamic Environments
Gone are the days when binaries were deployed on bare metal servers. Now deployments via CI/CD make it infinitely more difficult to track compliance for elements of the stack, including:
- Containers
- Elastic Load Balancers
- Multi-Cloud
- CDN
- Serverless
- APIs
Dynamic Teams
Teams are now global and dynamic. Managing activities and progress across these diverse teams is more critical than ever. More often than not, critical "tribal" knowledge is walking out the door.
Ovation Compliance Teams seamlessly assess organizations, processes, controls, stacks and partners in concert with NIST, ISO, PCI, HIPAA and other frameworks.
Dashboard Reporting:
Utilize our HeatMaps to identify areas requiring follow-up.
Ovation Delivers Turnkey Security Assessments
AssessmentFactories:
Full turnkey programs used to manage the assessment of an enterprise, business unit or business process (and their underlying policies, organizations, processes and systems).
Leveraging AuditRun, our SaaS tool, we can quickly assess the maturity level of your program and identify opportunities for improvement.
We assess qualitatively against the industry-leading frameworks, beginning with a baseline, and assist clients in developing short- and long-term program road-maps for use with regulators and auditors as well as for budget planning.

Our Factories include:
- Full or fractional assessment teams with AuditRun built-in
- Integrated DocGeneration Capabilities
- Targeted controls review, limiting time and cost for annual testing
Vulnerability Factories
Full turnkey programs used to manage the creation of a vulnerability program or targeted vulnerability assessments for in-house and 3rd party infrastructure, apps and APIs:
- One-time vulnerability assessments
- Ongoing vulnerability programs for on-prem and Cloud
- Ongoing vulnerability programs included with our SOC
- Patch management via DevOps

Our one-time vulnerability assessment and penetration testing methodology is based on a tailored implementation of testing standards as outlined in the Penetration Testing Execution Standard (PTES), NIST SP 800-115 "Technical Guide to Information Security Testing and Assessment", and OWASP (Open Web Application Security Project). Ovation's approach comprises four (4) main phases:
- Planning
- Analyze/Assess
- Attack
- Reporting

Our Factories include:
- Full or fractional vulnerability assessment teams with AuditRun built-in
- Integrated DocGeneration Capabilities
- Targeted vulnerability review, limiting time and cost for annual testing
- Integrated partner offerings for ongoing, "real-time" compliance monitoring
PenTestFactories:
Full turnkey programs used to manage the development and execution of internal and external PenTests for in-house and cloud apps*

Our model for penetration testing focuses on the "3Ps" of testing. The goal of penetration testing is to:
- Pillage – determine if any sensitive information can be obtained in the event an attacker exploited one of the weaknesses identified.
- Persistence – gain a long-term foothold on the compromised system.
- Pivoting – determine what systems are accessible from the compromised system. Systems previously identified as in scope will be tested through the compromised system.
Our Factories include:
- Full or fractional PenTest teams with AuditRun built-in
- Integrated DocGeneration Capabilities
- Targeted PenTests, limiting time and cost for annual testing

Active PenTests can be included in our SOC offering. Contact us for details.