Management Consulting

Aon

Full Credential Description

Fullstory faced significant challenges in selecting a penetration testing vendor that could meet its specific needs for security assessments. It required a partner that combined source code review with static and dynamic testing, since many firms relied solely on automated testing, which Fullstory took as a sign of limited expertise. Fullstory emphasized the importance of having resources familiar with its in-scope programming languages and technologies, preferring firms with full-time employees to ensure quality control and a long-term relationship. Additionally, it sought vendors that could provide a customer-facing deliverable (CFD) to communicate findings effectively, and it often required CREST-accredited vendors to ensure rigorous assessments.

To maximize the effectiveness of their pentesting engagements, Fullstory and Aon established clear objectives and metrics from the outset. They recognized that the process of sourcing a vendor, defining the scope, and receiving a final report could take up to four months. To mitigate potential issues, Fullstory ensured that Aon understood the driving forces behind the engagement, including explicit deadlines and the technologies that required coverage. The two teams maintained open communication throughout the scoping and drafting phases, sharing previous examples of reports and documentation to clarify expectations.

During the pentesting engagement, Aon implemented several strategies to enhance efficiency and effectiveness. Aon gained access to Fullstory's full source code, which allowed for a more thorough assessment and reduced the time pentesters needed to reverse-engineer application functionality. Collaboration with Fullstory's development teams enabled Aon to run local builds, facilitating targeted testing and proof-of-concept exploits. Regular kickoff calls and real-time communication through group chats allowed for dynamic discussions about application logic and security controls, which were crucial for identifying high-risk areas.

The proactive communication approach adopted by Aon was instrumental in identifying and addressing blockers early in the engagement. This collaboration fostered trust and alignment, in contrast with Fullstory's past experiences with other consultancies, where issues were only raised at mid-point check-ins. Aon's commitment to transparency and responsiveness throughout the engagement ensured that both teams could effectively address vulnerabilities and prioritize remediation strategies.

Ultimately, the collaboration between Fullstory and Aon resulted in a more mature security posture for Fullstory. The engagement not only identified vulnerabilities but also led to improvements in Fullstory's security practices, such as modifying its static code analysis tools to detect additional vulnerabilities. The detailed discussions between the teams about risk severity and remediation options highlighted the importance of a collaborative security culture, reflected in the thorough documentation and shared understanding of the security landscape that emerged from the engagement.