SE Labs

Posts tagged 'startup'

SE Labs launches new security testing site

selabs-uk_v2-6297840

The new website reflects the changes in the security industry over the last few years. We’ve listened hard to your feedback and watched as the industry’s needs have changed.

Clients, both security vendors and their customers, need increasingly customised analysis of products and their effectiveness. Which is the best? And what does ‘best’ really mean?

Read more >

SE Labs vs. COVID-19

The current global health crisis will inevitably affect everyone’s productivity in the coming months. We, at SE Labs, are committed to working through the challenges that face us all but we want to be realistic about how effective we are going to be at delivering our testing programmes, the feedback processes and report publications over the next six months.

We will not compromise on the quality of the work, please be assured of that. However, we face imminent and major disruption and it is unlikely that we will be able to publish reports at our usual and reliable frequency.

Read more >

Securing a business from scratch

Building and launching a start-up company is a challenge in itself. Securing it when it is new, young and vulnerable is something else. It’s very necessary but also hard if you don’t know what you’re doing. And can you afford a consultant in the early days?

If your new business is IT-based and focused on security then you’re in a stronger position than, say, an organic make-up business or an ethical coffee brand.

Read more >

SE Labs Annual Report 2019

SE Labs has been working at the core of the cyber security industry since its launch in 2016. We work with all of the major developers of IT security products as well as their main customers and even investors looking to increase their chances when betting on emerging technologies.

Read more >

Review: ImmuniWeb On-Demand Application Security Testing

hacked-1764593

What do a start-up, small business and enterprise have in common?

They all have one or more websites.

That’s not a very humorous punchline, but the security implications of managing business websites aren’t funny either.

In an age when extremely large organisations are being hacked, as well as specialist security companies, website security could not be a more serious business. Throw into the mix regulations such as the data protection act and the incoming GDPR legislation and being the person responsible for the company website just became positively horrible.

A website is a business’ public face, whether it be a local taxi company or a global pharmaceutical giant. It is virtually impossible to do business these days without a website and maintain credibility, but a website hack instantly harms any company’s standing.

How do websites get hacked? Sometimes the attackers will focus on compromising the site’s administrator, but more often than not (in our experience) the site itself is attacked directly by means of an exploit.

Such an exploit could be a aimed at a vulnerability in the platform, such as WordPress, or the server’s operating system. Sometimes the hosting company itself is targeted: a good value-for-money proposition for an attacker who wants to run one attack and gain access to thousands of websites.

Will AI save our sites?
Artificial intelligence is great but people are often necessary for some tasks. ImmuniWeb understands that. Assessing the security of a website is non-trivial and, while automated tools exist to test for the presence of various vulnerabilities, often it takes a human brain to really get to the bottom of a problem. Much in the same way that SE Labs uses people to enhance security testing, ImmuniWeb adds the personal touch to checking the quality of a website’s security.
The service provides testing for vulnerabilities listed in the OWASP Top Ten Vulnerabilities list, PCI DSS vulnerabilities and a range of other sensible criteria, including predictable CAPTCHA protections and open directory listings.
Wizard setup
wizard-4625603
Setting up the initial test was a very simple task. Enter a few relevant details into  ImmuniWeb’s Wizard-driven website, pay the fee and the work starts. A couple of days later a report is made available and you have around three months to download it before it is deleted automatically. You will receive warnings about the impending deletion.
The report is detailed. The first pages give an overview of the risk level based on how many vulnerabilities have been found, certain administration configuration issues that might exist and even an indication of other websites that might be impersonating yours.
Who is hosting?
report-4813405
The data in the reports is interesting and some of the issues brought to light could be easily solved. It does depend on how you have your web hosting organised, though. For example, if you run your own servers you can follow advice on upgrading certain services, such as Apache or SSH.
However, if your site runs on a hosting platform provided by a third-party, such as GoDaddy, 1&1, 123Reg or a thousand others then you have a choice: You could contact the company and request that they upgrade; or move to another host and hope that they do a better job with updates.
In this review we discovered that the hosting company we use for the SE Labs website was a little behind with some updates. We used the ImmuniWeb report as evidence that there was a potential problem and, to our surprise, the company responded fast and claimed to fix the issues.
While we could verify the changes ourselves (after all, we test security systems ourselves) we understand that for most businesses a second test would be warranted. We ran a second test for this review and were pleased to see that the previous issues had indeed been fixed.
How much?
This is where things could get expensive, though. An on-demand small business (SMB) test costs $1,499. If you are a start-up and want to have your site assessed then this is a reasonable business expense. Multiple verification tests add up, though. A faster ‘Express’ test is less expensive, coming in at $499. If you expect your site to change frequently then continuous assessments are available, with prices starting at $999 per month.
Total Cost of Reassurance
But while your site might not change, knowledge about security vulnerabilities does. New vulnerabilities are being discovered at a frightening rate and updates for popular web server components, such as MySQL, appear often. When testing our own website ImmuniWeb noted out of date software, which was updated accordingly.
By the time we ran the second test the same, updated software was again out of date. If the same issues happen to you, it might be worth learning how to test the versions of the services running at your web hosting company and give them a prod to update as and when necessary. Paying over $1,000 to assess something they should be taking care of seems unnecessary.
Monitoring the weak link
Losing control of your website is a situation no business wants to contemplate, whether it’s a start-up looking for funding or a massively profitable public company. Web application vulnerabilities are a significant weak point that can and should be assessed regularly. ImmuniWeb provides just such a service but because people are involved, as well as machine learning-equipped systems, there is a significant cost to the system, as well as an advantage over free website scanning sites and tools.
While, on the face of it, using ImmuniWeb’s service might appear expensive, compared to training your own team of penetration testers, or sub-contracting a company to do the work for you, it is good value for money.

Building a security lab (literally)

I’ve seen a few ‘how to build your own security testing lab’ documents in the past, but many have struck me as being ‘what I would do’ rather than ‘what I did’.

Having gone through the process myself at least three times over the last 15 years I thought some people might be interested in seeing a series of photos taken while we were literally building SE Labs from scratch.

12bboxes-5434722First things first. You can never have enough boxes. And never throw them away, because they’ll come in handy later – such as when you move from your temporary space into the permanent office.

Why not start out and build the lab where you mean to end up? Because having a commercial office space ‘fitted out’ takes a lot longer than you might imagine. Choosing the right time of year can help speed this up.

Start-up tip #1: Don’t plan on anything happening fast over the Thanksgiving/ Christmas/ New Year period. Everyone except you will be on a go-slow/ stop. It will make you angry.

22bservers-2232148Ideally you would have all of your expensive servers locked away somewhere safe from thieves, vandals and pretty much anyone carrying too many cups of coffee.

Without that luxury you might have to set up on a desk, near the door, and plaster the windows with paper so people can’t see your new company’s crown jewels sitting vulnerably exposed in an insecure office.

32bworking-5073504When you work from a serviced office you have a choice: rely on their networking infrastructure or create your own. We created our own because sending exploits over someone else’s network is not very friendly and there might be some liability issues too.

One problem with creating your own network in a serviced office is that you can’t really run your networking cables under the floor.

This can mean using cardboard, gaffa tape and cable ties to construct a sort-of over-floor networking setup that is fractionally less hazardous than simply having cables looping all over the floor.

At this stage we were at least able to start work, although we quickly discovered the limitation of cheap network switches and, thanks to the speed of Amazon Prime, managed to upgrade without too much disruption.

42bearly2bdesign-7242406While the testers were busy attacking systems and logging how the security products handled these threats, we also had to start work designing the award logos that we would eventually hand out to any vendors who did a great job.

Here are the early sketches, made in the Easy Hotel adjacent to the developing office. As you will see from our reports, the design we ended up with was the round badge. Did we make the right decision?

42bearly2bdesign2b2-2156384
While all of this was going on, the main office was under construction. You can see the progress below, as the main open-plan office, the server room and our corner office take shape.

Why is there no furniture, even right at the end? Because there was a problem with the delivery and our desks were stuck on a boat somewhere near Europe, while we worked from temporary, bolted-together desks. At least we had chairs…

52bshell2boffice-9428961
One large, empty shell…
62bno2bserver2broom-7992335
The area to the right will become the server room.

72bserver2broom-7726157
The new server room is visible through the window on the right.
82bcorner2boffice-7086269
The corner office, full of junk.
92bcorner2boffice2bempty-8201836
A tidy corner office.

102boffice2bempty-4198428
The open-plan area starts to take shape.
112bmoving2bin-3169822
We moved into the new office with zero days to spare.
122bsignage-4909866
Our name is on the door (sort of).

132bexternal-3721324
After a busy night we head to the pub. This is now our new home.
(The building in the photo. Not the pub.)
142bcorner2boffice2bfull2bagain-3057827
The corner office is now full of junk again.
152bno2bfurniture-9301066
We have chairs but little else.

162bserver2broom2bfilling2bup-5292186
The server room starts to take shape.
172bcorner2boffice2bpacked-1388116
A working office space!
182boperating2bserver2broom-4984412
All systems go. Neatly.
202bmessy2bwiring-1314672
Well, neat on the face of it…
192btest2bsystems-9898214
We use physical systems for most tests. So we need a lot of them.
What became of the cardboard boxes? Rumour has it that after the move one of the guys took them all home in a van and built a massive fort for his children.

SE Labs: Next-Generation Security Testing

2016-04-112b17-23-59-8748937

I am proud to announce the first public reports from SE Labs, a new security testing company that tests a whole range of security products, from the sort of anti-malware program you run on your home PC to complex combinations of enterprise endpoint agents and appliances.

The new website will be live in the next day or so, after we’ve ironed out what I hope will be the last few wrinkles. (Update: 12/05/2016 – the website is live now).

Since January 2016 we’ve been testing endpoint security products by exposing them to live web threats and targeted attacks. The results are very interesting and will probably cause some controversy.

Targeted attack testing?

How is it possible to test using targeted attacks? We’ll go into detail over the coming weeks on this blog but for now I’ll say that the tests are run using threats found and used against real targets, and include realistic variations that simulate closely how attackers with a range of resources behave.

If you can make it to the Virus Bulletin conference in Denver this year you can hear me talk about advanced ‘next-gen’ testing and challenge me in person : )

Startup challenges

We faced significant challenges in bringing the new lab up and running over a relatively short period of time. This involved using serviced offices with fairly restrictive internet connections, cheap hardware that failed fast (thanks to Amazon prime for saving us on many, many occasions) and expensive hardware that also failed badly (‘thanks’ to Lenovo – avoid ThinkCentre desktops at all costs if you are relying on them to power your new startup! More on this sorry episode later…)

2016-04-112b17-23-35-2065519In addition to writing about the threats we see on the internet; the way we handle them; and (most importantly) the way that security products protect against them, I’ll also be contributing some advice to those considering starting up their own businesses.

I have a catalogue of “what not to do” tips to share and maybe one or two more positive pieces of advice!

The next step

Please check out our new website (SELabs.uk) and follow us on Twitter (@SELabsUK). We also have email newsletters for the old-skool.

About

SE Labs Ltd is a private, independently-owned and run testing company that assesses security products and services. The main laboratory is located in Wimbledon, South London. It has excellent local and international travel connections. The lab is open for prearranged client visits.

Contact

SE Labs Ltd
Hill Place House
55A High Street
Wimbledon
SW19 5BA

020 3875 5000

info@selabs.uk

Press