Saku Tuominen

The author works as an information security and privacy specialist at Mint Security. He brings two decades of professional experience to the table.
If you said “yes” to any of the above questions, our Security Review service is exactly what you need. Security Review complements pentesting: where pentesting provides a technical, concise view of a particular area of the application, Security Review helps to form an understanding of everything else that is going on around that area.

Our approach

In Security Review, the jointly agreed target areas are discussed with the customer and various pieces of evidence (artifacts) are gathered. If we come across settings or practices that are not aligned with our independent opinion, we challenge the customer to question these practices and consider whether the implementation could be done in accordance with the reference frameworks — to do it right. We have not and will not reinvent the wheel; we rely on existing official standards, best practices and generally accepted frameworks.
Saku performing a security review
For example, the ISO 27001 security standard is a great resource for streamlining technical tools and system administration processes. Using ISO 27001 and other similar frameworks, we can create a customized question set for each of our customers. Through discussions, and by reflecting on the existing frameworks, we can find out for example the current maturity level of logging policies, elevated privilege management and application platform security settings. If the target system is in the cloud or there are plans to move into the cloud, we can turn to the Criteria to Assess the Information Security of Cloud Services (PiTuKri). CIS benchmarks are good for detailed screening of specific technologies as well as for supporting a best-practice approach.
Security Review can also help the customer in getting rid of duplicate actions and costs. The starting point might be a situation where the customer’s time is spent unnecessarily adjusting the security settings of the application infrastructure, because the standard security mechanisms of the current cloud service provider have not been effectively implemented.

Examples of questions and claims in a Security Review:

  • Is the need for elevated privileges (including administrator/root accounts and other special privileges) listed by each system, and the necessary individuals identified?
  • On what grounds are special access rights granted?
  • Can a user perform their normal duties using their username, with elevated privileges?

Security Review — from start to finish

We prepare for Security Review by identifying — together with the client — the most relevant target areas (e.g. cloud infrastructure, logging and monitoring, information security for personal data processing), selecting appropriate frameworks, and formulating the interview questions.

We determine the preliminary material and documents that the client may need to provide for the interview, and get acquainted with that material. The selected questions and claims are provided to the client before the actual interview session, so that the session is as smooth as possible and both parties have had a good chance to prepare.

When we’re ready for the interview, it’s go time, whether over Teams or in a real conference room. We ask our questions, request evidence and hold whatever clarifying discussions are needed.

At the end of the project, we submit our report and then review it together with the customer. In the interviews we use the language best suited to the client and produce the final report in English.

The report includes, for example:

  • recommendations for found flaws and topics
  • alignment of recommendations to appropriate frameworks
  • most important processes that are missing or in need of improvement
  • documents that are missing or in need of improvement
  • used and proposed security indicators
  • next steps to compliance, from a technical and administrative point-of-view
