Our team provides technical assessments to ensure that a solution is built as expected and that its security controls are implemented properly. In a way, we are a digital building inspector focused on security.
We often find that expectations are not in alignment with the implementation. This can happen for several reasons: a misunderstanding, a workaround for a technical roadblock, or simply because the plan was not laid out properly or not followed properly by the implementers.
Additionally, not all teams have the expertise or resources to assess every risk a solution might face. They design with specific criteria or threats in mind while potentially missing others. A good example is redundant data centers for Business Continuity and Disaster Recovery. These may hold up well against physical attacks or natural disasters but can quickly fall short when the problem is a logical issue or failure. Consider a ransomware worm scenario: would a completely redundant data center failover protect against it? Unless there are traffic restrictions between the two sites, or they have different exposures to an infected resource, the answer may be no.
Reviewing the organizational assets discovered during a vulnerability scan will not reveal the full picture of the risk an organization faces. To do that, multiple levels of inspection are needed. We address this gap through discovery, interviews, and validation, offered either as an option within our Healthcheck package or as a stand-alone service. The results are often revealing to the teams responsible for risk management and set them up for stronger implementations moving forward.