Are you sure that your organization is meeting its information security requirements? Do you know which steps to take to meet these external and internal security requirements?
We help our clients align their products and organizations with major security standards prior to expensive audits by certifying authorities. Advance preparation makes compliance certification easy, saving you money on the extortionate rates of certifying auditors.
Achieving PCI DSS compliance
Gap Analysis – Review all controls through interviews, documentation reviews and technical testing to provide a detailed understanding of gaps in PCI compliance. This understanding is critical when planning remediation projects, particularly for companies working on first-time compliance.
PCI Penetration Testing – We use industry best practices to conduct an internal and external penetration test that meets the 11.3 requirements of the PCI DSS. We conduct network and application-layer penetration testing to validate that PCI controls and segmentation are in place, and we also test for vulnerabilities that could lead to the compromise of systems or sensitive data.
Remediation Assistance – We understand that PCI validation absorbs time, money, and other resources that could be used to grow your business. We work with you to fix areas of noncompliance and expedite the retesting process to ensure a timely assessment.
Achieving HIPAA compliance
Discover – Data, ePHI and other information in need of protection.
Assess – Identify gaps and areas of improvement in your current program.
Prioritize – Focus efforts on areas of greatest impact to your HIPAA compliance and security efforts.
Plan – Develop a plan to establish a long-term program with oversight and measurement.
Build – Provide technical expertise and support as you advance your security program.
Run – Optimize documentation efforts for efficient, continuous compliance.
Achieving SOC 2 compliance
SOC 2 reports specifically address one or more of the following five key system attributes / domains:
Security – The system is protected against both physical and logical unauthorized access
Availability – The system is available for operation and use as committed or agreed
Processing integrity – System processing is complete, accurate, timely and authorized
Confidentiality – Information designated as confidential is protected as committed or agreed
Privacy – Personal information is collected, used, retained, disclosed, and destroyed in conformity with the commitments in the entity’s privacy notice and with criteria set forth in generally accepted privacy principles (GAPP) issued by the AICPA and CICA
SOC 2 Services include:
Gap Assessments – Assess the controls in place to meet the Trust Services Principles and Criteria, with the goal of ensuring preparedness for the SOC 2 examination and mitigating the risk of a qualified opinion or reporting exceptions.
SOC 2 Type 1 – Report on the service organization’s operational controls pertaining to the suitability of the design of controls intended to meet the selected Trust Services Principles and Criteria as of a point in time.
SOC 2 Type 2 – Report on the service organization’s operational controls pertaining to the suitability of the design and operating effectiveness of controls intended to meet the selected Trust Services Principles and Criteria over a specific period of time.
Make service availability great again
Information availability is one of the three pillars of information security.
Our solutions for high service availability are divided into two groups: application availability, and system and network availability.
Application availability is achieved through security analysis of application Denial of Service conditions and through performance engineering.
Security DoS conditions
This is one of the most severe classes of Denial of Service attacks, as it normally requires only a single attacking machine to take down an application server. There are many prospective areas for security review of application DoS conditions, specifically improper handling of data, encryption and compression services, data parsing and processing, user session management, etc.
In our many years of experience, we have yet to see a web application that was not susceptible to application-level DoS before its first availability security assessment.
It is an extensive and complicated field of knowledge that requires a lot of software engineering skill and performance testing know-how. To ensure optimal application performance under load, our experienced performance engineers perform architecture performance reviews, back-end and front-end performance profiling, code review, and analysis of virtual machine and garbage collector utilization, and suggest performance optimizations.
This can have a dramatic effect on application performance and on the number of users it can serve with the same hardware and running cost. It also significantly raises the bar for a DDoS attack, requiring a much larger offending botnet to achieve Denial of Service.
System and network availability
We actively develop two solutions for DDoS protection and use them for our anti-DDoS subscription services.
They are highly customizable, allowing for swift adaptation to new attack types.
Filter is a highly secure, attack-sensing filtering HTTP proxy. It is designed and configured with a multitude of heuristics that determine whether an HTTP request comes from a legitimate user or from an attacking bot.
Filter can protect from all widespread DDoS attacks on the HTTP/HTTPS protocols, including SYN floods (at the OS level), slow HTTP attacks, and GET and POST floods.
One Filter server with modern specs can process 30,000+ HTTP requests per second, which is enough to fend off a small-to-medium botnet. The system is designed for easy, unlimited horizontal scalability if more filtering servers are required.
For maximum security, Filter is designed to be coupled with ModSecurity and Naxsi. Additionally, Filter exposes a JSON API that allows the protected application to control filtering of incoming requests.
Perimeter is a modular, highly customizable, attack-sensing software packet filter designed to fight flood traffic at network borders.
Technically, Perimeter is a transparent Ethernet bridge. It can process 802.3 Ethernet, 802.1Q VLAN and Q-in-Q packets, and is fully compatible with LACP. Perimeter is completely transparent to VTP, Spanning Tree and other non-IP protocols.
Perimeter automatically detects and blocks flood traffic based on IP-level network information, protocols used, TTL, IP and TCP flags, ports, packet sizes, TCP/IP anomalies and GeoIP information, and can initiate traffic blocking at the BGP protocol level (black hole) if necessary.
Perimeter supports Juniper FlowSpec for manual filtering management of an unlimited number of Perimeter instances from a single control center. Traffic statistics are available in a web-based control panel.
Perimeter is a high-performance software system, processing 8,000,000+ packets per second on an Intel Xeon CPU (model and clock speed not recoverable from the source) with Intel E1G42ET Ethernet.
Our Security Operations Center monitoring service provides 24x7x365 threat detection, compliance monitoring, and SIEM and log management at a fraction of the cost of alternative solutions.
Effectively managing and monitoring your threats and security events requires an intricate balance of skilled people, streamlined processes and fine-tuned technology. This challenging task is made even more difficult with evolving compliance demands, talent shortages and tight budgets.
Security Monitoring is a subscription service that combines people, process, and technology to deliver an effective information security monitoring program, including:
For our Security Monitoring service, we developed and actively support a SOC Portal based on Splunk Enterprise Security. It is the central command center for your information security program. As part of Security Monitoring, the SOC team filters thousands of events down to a single snapshot of your current security and compliance posture, so you can quickly determine what needs your attention.
Our SOC Portal gives you the ability to drill down on any security incident to find the incident details provided by the SOC team. These incident details include Cause, Impact, and Remediation Guidance.
With our Security Monitoring, you no longer need to dig through thousands of events or analyze raw log files to determine what is happening in your network and what to do about it.
Hacking software before the bad guys do is our bread and butter
The most cost-effective way to secure software is to make security an integral part of the ongoing development process.
Securing while developing:
- Saves money
- Supports compliance
- Lowers time-to-market
- Provides maximum security
We leverage evil hackers’ techniques for good: to find security weaknesses in your software. To ensure vulnerabilities are fixed correctly, our experts work closely with clients’ R&D teams, advising on the countermeasures applicable in each specific situation and verifying that the fixes are effective.
We always encourage our clients to combine Application Security Testing with Security Code Review. Seeing the application’s internals helps identify many more issues in the same time frame than a “black box” approach does.
Upon client request, SoftSeq will provide a Security Assurance Certificate for the examined application and scope of testing conducted.
Security audit and certification
A full security compliance audit against the OWASP ASVS requirements provides the most complete coverage of your application’s security gaps. The rigid framework and repeatable nature of an OWASP ASVS audit allow you to assure customers of your product’s strong security posture.
We help you achieve compliance by providing effective remediation solutions, which are re-tested after implementation. In the end, we issue a formal Certificate of Compliance and a complete audit report that will satisfy even the most demanding of your customers.
Security engineering services
High security at low cost is only possible when security is embedded into the software development lifecycle. We assign security engineers to projects, where they assist during all development stages.
In extended engagements, they acquire intimate knowledge of your product, which greatly boosts their efficiency.
Security Automation Setup
Computer labor is cheap. Optimize your spending on security by automating security checks during the development process.
We offer unique, in-house-designed solutions that are fine-tuned to integrate with your application, leaving general-purpose security tools in the dust.
Securing Application Architecture
Bugs in architecture are incredibly expensive to fix, making secure software design essential, yet many companies are not large enough to employ an Application Security Architect. We address this issue by providing security architecture services with exactly the scope you need.