From the Director’s Desk

Our main service line is pentesting. Our requests are coming from organisations that have concerns that fall into three broad categories;

• Those who have a compliance activity they need to tick off from a task list.
• Those who undertake a pentest once or twice yearly as a regular check.
• Those who believe they might be getting hacked and they want to know how bad their risk situation is.

While each of these reasons is perfectly valid for undertaking a pentest, it’s not the most thorough approach to proactive cybersecurity risk assessment and mitigation. Particularly for companies that do a yearly pentest, most likely they are working on three to four-week development sprints. It’s likely that every 3 months on a front-end publicly accessible service, there are changes being made that can impact the security profile enough to create exploits in common attack vectors. You won’t catch these issues with a testing activity that takes place one week out of 52.

Clearly, the answer is higher frequency monitoring that is looking for changes in your public-facing assets. This is easily done for the largest of companies that have enormous budgets to spend on the biggest enterprise tools. But what do you do if your company falls into that SMB size where budgets are much more constrained? Or the technical knowledge isn’t in-house for what to do. You could rely solely on your hosting infrastructure tools. Granted, this is a good option. However, I’m going to argue that you want to go outside of this box and test the front door of your infrastructure independently.

Open-source solutions give you very real options here. There are hundreds of tools out there that can be used for effective real-time security monitoring. Kali Linux is quite a famous distribution that pulls them together into one place for you, but for anyone less than a cybersecurity specialist, the learning curve can be very steep. Much like putting a civilian into a Formula-1 race car and asking them to compete in the Monaco Grand Prix. Also, open-source solutions have great technical capabilities, but their stock reports can be difficult to read. Not hard to understand when you realise these have been designed by engineers.

At CPro, we know that real-time monitoring and metrics display is becoming increasingly more important with every day. We’ve been asked by a number of customers how do we go about this? As open-source enthusiasts, we’re used to using best-in-class solutions and letting our experts read the technical reports, but we rarely send these on a customer, as we know they will only add to the confusion. And so, the motivation to start building an improved scanner was born.

SonarSentry has been designed by two groups. The first is the cybersecurity and DevOps professionals on our staff, who need commercial tools to do their jobs. The second is visual designers, whose job is to turn data into information. (It always amazes me how this group is so often left out of any data presentation work). The result of this collaboration is a solution that not only combines four best-in-class scanners into one super scanner but delivers reports that are beautifully styled and easy to read for even the most non-technical members of a project.

I would encourage any SMB company to talk to us about how we can help you solve your real-time monitoring challenge in a simple and cost-effective way. It’s a solid solution without the baggage of many other bundled services you won’t want and contracts you can’t break.