Berezha Security Group

Please describe your company and your position there.

My name is Danylo Prokopiv and I am a Chief Product Officer at a technology provider and product development company. We develop state-of-the-art software solutions for the manufacturing and construction industries. These include Manufacturing Execution System (MES), Supply Chain Management System and others. Our company has a global presence with a large partner network serving our customers for over 40 years.

For what projects/services did your company hire Berezha Security Group?

We are developing a SAAS MES solution to serve multiple industries on a global scale; Secure Software Development Principles is one step in delivering secure solutions, and we were looking for professional, expert cybersecurity and secure software development training to raise awareness of this area among our developers.

How did you select this vendor and what were the deciding factors?

We searched the software development community and Berezha Security Group was recommended to us among five other organizations (UK, Ukraine, USA). After a series of introductory calls, a decision was made to cooperate with BSG. Even though our organization already had a certain level of cybersecurity expertise, we made the decision to start from scratch with planned improvements along with product expansion. The first step was to conduct a training on developing secure software and raising awareness.

Describe the project in detail and walk through the stages of the project.

They started with an overview of the organization, product and roadmap, technology stack and/or roadmap. Based on this, a software security improvement plan was outlined, consisting of secure development training and awareness-raising, software auditing including penetration testing, etc. This review is based on the initial Safe Development and Awareness Training conducted in December 2021. This training covered several subject areas, namely: introduction to cybersecurity, security awareness, secure development platforms, security testing, secure development.

How many resources from the vendor's team worked with you, and what were their positions?

We had a project manager and two specialized trainers

Can you share any outcomes from the project that demonstrate progress or success?

The training was conducted in English, very professional, with expert knowledge, but understandable for the whole team. The training was based on the specifics of our product and technology stack. The material was presented in a rather concise form, but with great potential for further self-education. In general, our entire team was very satisfied with the volume and level of knowledge that we received during these 15 hours.

How effective was the workflow between your team and theirs?

The training team did a great job of compiling the training material; they answered our special questions and returned when needed. Each session was accompanied by training notes, links to external materials, and a video recording. Communication was efficient and timely.

What did you find most impressive or unique about this company?

This is a company of true fans of their business. we could feel the passion and professionalism in their team. The fact that BSG supports software security initiatives (such as OWASP Ukraine) within the software development community is a telling factor.

Are there any areas for improvement or something they could have done differently?

can't think of any at the moment

Introduce your business and what you do there.

I’m the head of development and a digital banking consultant for Credo Bank. It’s a large Georgian bank.

What challenge were you trying to address with Berezha Security Group?

We needed a security assessment and testing done on all of our digital channels, including internet and mobile banking.

What was the scope of their involvement?

Berezha did security testing on the structure of our systems and codes. After, they provided reports, along with recommendations for repairs. We will have them retest us once the repairs have been made.

What is the team composition?

We work with 5–6 people, including a project manager and several engineers.

How did you come to work with Berezha Security Group?

Our cybersecurity resource found them. They were chosen based on their reputation and ratings.

How much have you invested with them?

We’ve spent more than $25,000 so far.

What is the status of this engagement?

We began working together around April 2021, and it is an ongoing relationship.

What evidence can you share that demonstrates the impact of the engagement? 

Berezha is professional and works extremely fast. For example, we had a meeting on a Monday, and they were working on the task we discussed by Tuesday. In general, we’re quite happy with everything they’re doing.

How did Berezha perform from a project management standpoint?

They provide detailed reports and excel at keeping timelines. We have Zoom meetings and use Microsoft Teams for communication. They also have some other tools, but I don’t recall the names.

What did you find most impressive about them?

Berezha’s team pushes to make sure that they’re doing high-quality work. We are all comfortable working with them.

Are there any areas they could improve?

There was a minor language barrier, but it wasn’t serious at all. 

Introduce your business and what you do there.

I’m the CEO of Vispato. We offer an online whistleblowing system for companies.

What challenge were you trying to address with Berezha Security Group?

We hired Berezha Security Group to work on security testing for our solution.

What was the scope of their involvement? 

Berezha Security Group mainly provided penetration testing for our whistleblowing system. To start, they did a complete security assessment of the software, performing penetration tests over the course of several days. It was more or less a manual process, though they also used Burp for support. They examined the inside and outside of the application to make sure that there were no vulnerabilities in the software. 

What is the team composition? 

We dealt with about five people, with 3–4 resources on the project itself. That included a head of security, a product manager, and two penetration testers.

How did you come to work with Berezha Security Group?

I found them through a personal recommendation. It’s always good when you know someone who’s worked with a vendor before, so that was the main reason why we decided to go with them.

How much have you invested with them?

We’ve spent €5,000–€£6,000 (approximately $6,000–$7,000 USD).

What is the status of this engagement?

The project for Vispato took place in February 2021. It was a one-time engagement, but we’ll likely have them do a security assessment for our other company, Auditi, too. In that sense, I’d say that the contract is still ongoing.

What evidence can you share that demonstrates the impact of the engagement?

Overall, we were very satisfied with Berezha Security Group’s results. They stood out because they were very thorough in their tests and covered a lot of bases. The communication and reporting that they did were great, too.

A security assessment is very difficult to evaluate. However, we do have quite a bit of experience doing penetration tests with other companies, so I know what to expect out of these engagements.

How did Berezha Security Group perform from a project management standpoint?

They managed the engagement well — it was very professional. We dealt mostly through email and Slack. Regarding timing, there was no particular deadline for the deliverables, but they were quick with the project. The team started right off the bat with no delays. 

What did you find most impressive about them?

Berezha Security Group had very good credentials and references.

Are there any areas they could improve?

No, I was very satisfied with the whole project. I didn’t experience any negative points during the project — otherwise, we wouldn’t be working on the second assessment for our other company. 

Do you have any advice for potential customers?

Their team behaves professionally and knows what they’re doing, so there’s not much advice needed.

Introduce your business and what you do there.

Unifonic is a cloud communication service provider in the Middle East. I’m the software engineering manager for the company.

What challenge were you trying to address with Berezha Security Group?

We were trying to improve security within our cloud software. We wanted to be aware of the status of our security, and that’s why we went to Berezha Security Group.

What was the scope of their involvement?

First, they took a look at our current cloud infrastructure security. Berezha Security Group then tried to breach our systems. We gave them access to our platform as though they were one of our customers, and they tried to break into the system.

They came up with a summary of what they were able to achieve and the holes they found in our system in a report that covered our infrastructure and software.

We provided information on the systems for testing. We gave Berezha Security Group a bunch of IP addresses, hostnames, and credentials for logging into the system. The documentation amounted to a couple of pages.

They performed a scan on our AWS accounts. On the infrastructure side, they checked for best practices for our two-factor authentication system and the safety of API keys and passwords. They checked S3 buckets for the existence of policies that were always permissive or open to abuse.

They checked our software from a customer perspective, doing things like cross-site request scripting. They tried to do SQL injections in order to hijack other customers’ sessions as well.

The output was an executive summary stating how they tried to compromise our system and what they were successful in achieving. They also detailed where we were trailing in terms of cloud infrastructure best practices.

What is the team composition? 

There were at least two engineers involved, along with one of their VPs.

How did you come to work with Berezha Security Group?

We found around four vendors through Clutch and contacted them. Berezha Security Group came across as the most knowledgeable. They felt like real hackers, and that’s what attracted me to them. Based on our conversations, they knew what they were doing.  

How much have you invested with them?

The total spend was $7,000–$7,500.

What is the status of this engagement?

The project ran between September–November 2020. We also got a free retest, after going through the report and fixing what was identified. Berezha Security Group came back in January 2021 for that.

We might consider them for another round of work as we implement standard practices within the organization.

What evidence can you share that demonstrates the impact of the engagement?

It would be hard to directly gauge the impact because it cuts across multiple areas. Berezha Security Group opened our eyes to a lot of things that we weren’t even aware of. They pushed us into taking security a lot more seriously, encouraging us to create a security organization within the engineering department.

How did Berezha Security Group perform from a project management standpoint?

They were excellent in this regard. There’s nothing negative that I could say from a project management perspective.

The initial communication was over Zoom meetings, and we interacted over Slack once the project started. They told us what they needed in the beginning, and they delivered a report at the end.

What did you find most impressive about them?

We weren’t as organized as we could’ve been, but they were very patient and flexible. 

Are there any areas they could improve?

If anything, we were the ones lacking in organization. It’s difficult to see room for improvement on Berezha Security Group’s side. They did a very good job.

Do you have any advice for future clients of theirs?

Clients should be proactive in getting Berezha Security Group what they need. They know their stuff. If they say they’re going to start on a particular date, they will. If the client is late on their side, they’ll end up delaying their own project.

Please describe your company and your position there.

Demio is a hassle-free webinar platform built for marketers. With our platform, companies can generate leads, filter prospects, perform group demos, host engaging sales presentations, integrate with their CRM, view advanced webinar reporting, track conversions, and more.

 It’s truly unlike any other product on the market. I am one of the co-founders here at Demio and help run the operations and general administrative functions.

For what projects/services did your company hire Berezha Security Group?

Demio is always looking to improve and we've put a big emphasis on the security/privacy aspect of our engineering in 2020. We ended the year with a full-service penetration test to find any weak points in our architecture. We searched for a quality penetration testing company and found Berezha Security Group as a highly rated company, already recommended.

What were your goals for this project?

Our goal was to have a full breakdown of any security or privacy issues within our SaaS architecture. We are always looking for ways to operationally improve, but in this instance, we wanted to find any technical items we may have missed. This serves to provide a safer experience for our customers, reduce risks to the company, and make it easier to scale.

How did you select Berezha Security Group?

One of our Senior engineers recommended a list of certified vendors and on this list was the highly-rated Berezha Security Group. The Demio Director of Engineering lives in Ukraine and was in the same city/timezone as Berezha. This made communication a breeze and perfectly synced timezones.

Describe the project in detail.

Once we reached out, the Berezha Security Group worked with us on a timeline and project scope for the project. We had a shorter timeline and they were generous enough to find a way to get a schedule for work through the end of the year and on our timeline.

They joined the Demio Slack group and aligned with our Engineering team to walk through the Demio application and architecture. They were able to view both the user experience and gained access to an account using a non-production environment. After the penetration testing, we spent time on a call to review the report and individually view/diagnose any problems that were found.

They work to outline risks by different categories and are realistic in both the business and privacy concerns each one holds. You can then run a re-test when we complete the findings.

What was the team composition?

We spoke and worked with the CEO/Founders to set up the project and had a project manager and security engineers inside of the Demio team. The project flowed smoothly with communication and calls.

Can you share any outcomes from the project that demonstrate progress or success?

With the help of Berezha, we've diagnosed all pending issues on our production servers and closed 50% within the first week. We've then used their risk categories to outline new changes for the future, based on priority in our current roadmap.

How effective was the workflow between your team and theirs?

Our workflow was very smooth. The fact that both our Director of Engineering and the Berezha team were in the same city made the timezones work out perfectly. English was perfectly communicated and the report/findings were extremely thorough.

What did you find most impressive about this company?

Just how helpful they have been through the process. They were there to guide us through each step of the penetration test and understand the business use case almost immediately. This made getting the results a breeze.

Are there any areas for improvement?

We felt that Berezha firmly upheld their promises and delivered the test on time, on budget, and with great communications. We look forward to working with them more in the future.

Introduce your business and what you do there.

We’re a health company that serves doctors and patients in managing medication. I’m the CEO.

What challenge were you trying to address with Berezha Security Group?

We hired them to handle penetration testing following a software development project our company completed.

What was the scope of their involvement?

They were responsible for testing two web apps as well as our native apps. Working remotely, they provided a set of testing credentials for both doctor and patient users. Their job was to use as many techniques as possible to attempt to compromise the system. 

What is the team composition?

We worked with about four people, including a business representative, a senior software engineer, and two junior software engineers. 

How did you come to work with Berezha Security Group?

I found them on Clutch, which was quite useful in my search. We found that their services were in our price range and ranked toward the top of the page. Our team reached out to the top 4–5 vendors on the site, and they were highly engaged. They also offered a very reasonable price, so we hired them. 

How much have you invested with them?

We spent about $10,000 on the work. 

What is the status of this engagement?

We worked together from November–December 2020.

What evidence can you share that demonstrates the impact of the engagement?

They produced an extensive report detailing their findings and recommendations. Once our team implemented their recommendations, they provided a follow-up testing. To verify the robustness of their work, we had an external coder look at the product. They confirmed that they approached the penetration test using best practices and were quite thorough in their work.  

How did Berezha Security Group perform from a project management standpoint?

Their communication was excellent, and they did very well with deadlines. We had a situation that required us to move very quickly on our end. They ramped up speed along with us, working around the clock and on weekends, to help get things done.

What did you find most impressive about them?

They were extremely upfront and transparent with us. I appreciated that they communicated recommendations in a clear, straightforward way. They even helped some of our developers in the process. It was great to have a partner that was completely transparent about what we could expect from them and what they could not do. Most vendors want to sell the dream rather than the reality, so their honesty was appreciated. 

Are there any areas they could improve?

I think they’re doing a fairly excellent job with what they’re doing. I’d love to see their business expand into other areas such as reviewing general compliance standards. 

Do you have any advice for potential customers?

Have your software engineers primed and ready to be completely responsive to their team. Sometimes, their team will identify critical vulnerabilities that need to be fixed instantly. Ensure your team is prepared and not feeling at all threatened by the presence of a penetration testing team.

Please describe your company and your position there.

I'm Head of IT Security at Parimatch Tech. Parimatch Tech - is a technological company which focused on making innovative products for gaming industry.

For what projects/services did your company hire Berezha Security?

We have our internal security awareness program and need to external stress test for employees to be sure that all of employees understood and use at least basic IT security rules and don't click risky emails.

What were your goals for this project?

We want to make "fake" phishing email company to motivate employees click our link and give their production credentials. For sure we wanted all employees successfully pass this exam and don't give credentials to "bad guys"

How did you select Berezha Security?

We searched mature external team or company with proven record at pentests and social engineering. Company or team need to be located at CIS region or perfect understand ukrainian mentality to make most effective phishing campaign

Describe the project in detail.

Our plan for this project was:

1. Initial meeting when we discuss our request in details
2. Technical meeting when we discuss technical realization and provide some internal information which should help to make phishing more applicable and effective. Also we discuss communication channels for this activity and create work chats at messenger. Berezha gives us PoC for web UI which collect credentials and PoC for collecting 2FA.
3. In addition we define list of internal recipients. as a part of our project before 2nd meeting Berezha collect list of 150+ recipients from internet by themselves using OSIOT methodology
4. At the third meeting we discuss results and pentest report. We defined some GAPs for 3rd party VPN solution and detect our zone for improvements at security awareness activities

What was the team composition?

We have one of the best team consist of application security lead, application security analysts and co-founder of Berezha security, LLC Each team member played valuable role for success of our project. From PoC of technical solution for collecting credentials and 2FA to developing concept of phishing mail.

Can you share any outcomes from the project that demonstrate progress or success?

1. We defined our readiness for phishing campaign
2. We re-evaluate threats for our corporate infrastructure
3. We make few additional trainings for staff about social engineering
4. We create few new monitoring controls for our customer activity This project gave us opportunity to review our standard approaches to social engineering education and demonstrate/measure impact for our infrastructure in cases of not aware admins click some malicious links and shared credentials

How effective was the workflow between your team and theirs?

In general we have excellent communication during the project. Because this was summer - we faced with vacancies period - so initial estimations of our project increased but we were ready for this changes. It's very useful and comfortable to communicate via messengers - not emails with project team so we discussed each issue and opportunity in a short time

What did you find most impressive about this company?

Berezha security always do their best and always demonstrate complex approach to solve any issues and difficulties at each our joint projects. It's amazing experience to work with such diligent and attentive team of professionals

Are there any areas for improvement?

Berezha security - one of the best team focused on pentests and security awareness. For sure, as a mature professionals their very good know all areas of improvement for their work. From my side - I should say that it's very difficult to find time in acceptable terms for collaboration so please hire new staff to make your services more accesible :)

Please describe your company and your position there.

I am a deputy head of Information security division in one of the leading commercial banks on Ukrainian market. I am creating this review on behalf of CISO of our bank. My company has more than 2500 employees. My main responsibilities is to properly organize and oversee acceptable level of information security and cybersecurity in my organization.

For what projects/services did your company hire Berezha Security?

Our company required efficient training services for our IT staff and IT management staff in the field of cybersecurity.

What were your goals for this project?

The goal was to raise the level of cybersecurity awareness of our IT staff to introduce to our developers and IT management modern trends in the cybersecurity field and present modern approaches in integrating security requirements and features in existing SDLC processes.

How did you select Berezha Security?

The general pitching process was organized by our internal Procurement division according to strict internal rules. After the pitching process, Berezha security had shown the highest competences and experience level in the Ukrainian market.

Describe the project in detail.

Representatives of Berezha security had conducted a series of meetings with our representatives in order to collect desired topics to be introduced during training. After the meetings, they have introduced separate refined training programs according to our demands.

Additional specific lab and use case was developed exclusively for our demands. The training was developed according to the demands of different kinds of our development teams (e.g. Desktop development, Web-platform development, etc.)

What was the team composition?

The team was composed of a leading trainer with two additional lab specialists to introduce the most technical expertise during the session.

Can you share any outcomes from the project that demonstrate progress or success?

All participants highly noted the format and content of the training. What I would especially like to mention is the ability to convey complex things to the participants in simple words. The whole period of training was friendly and in general all participants felt comfortable.

We would also like to mention the stand, demonstrating the vulnerabilities of desktop software applications. This demonstration was very useful for our developers and especially useful during the management session. In general, the training exceeded all of our possible expectations.

How effective was the workflow between your team and theirs?

The workflow was plain and simple. The communication was organized and the highest level possible using modern tools available.

What did you find most impressive about this company?

Their ability to explain complex things in a simple way was amazing. The charismatic trainer and examples from real-life made the discussion good. There was less theory and more practice and live experience during the discussion.

Are there any areas for improvement?

Although there is always a way to make things better in the scope of our project we can`t think of any improvements that could be introduced. Everything was a top-notch level of service and experience for us.

Please describe your company and your position there.

We are Clario, a consumer-focused cybersecurity company on a mission to change an industry. Over 800 professionals including over 600 digital security experts, with the one common goal of digital security for all. We’re bringing change and a next-generation digital security solution. I'm a Security Engineer.

For what projects/services did your company hire Berezha Security?

We want to increase knowladge every developer, QA, system administrator, and R&D specialist about application security deep learn.

What were your goals for this project?

Deep learning knowledge about application security.

How did you select this vendor?

We hear that Berezha Security's the most famous company in Ukraine, also they have really good specialists, and makes a lot of public activity.

Describe the project in detail.

We have 5-day training for our developers, QA, R&D specialists, and Security Engineer. The trainer was a really deep knowledge person, also certified specialists with 10 years of practice in Cybersecurity.

What was the team composition?

Application Security trainer

Can you share any outcomes from the project that demonstrate progress or success?

Developers teams are implementing the knowledge that they have taken from this course in our products and services.

How effective was the workflow between your team and theirs?

They have really good communications, also we have communications channels.

What did you find most impressive about this company?

They really want to improve cybersecurity knowledge in their customers.

Are there any areas for improvement?

Everything is fine.

Introduce your business and what you do there.

I’m the information security manager at a software development company.

What challenge were you trying to address with Berezha Security?

We needed our annual penetration testing done. We also had some internal challenges, such as educating our employees, that needed attention.

What was the scope of their involvement?

Berezha Security performed a full black-box test. They performed SSID coding, created a fake WiFi network in an attempt to get employee credentials, conducted encryption of laptops, and “hacked” us to test our security. Their team prepared fake websites to catch any phishing and tested our endpoint protection, providing a detailed report of their findings to help us understand any breaches we had.

What is the team composition?

Vlad (VP of Business Development) was the project manager and point of contact. There were a few engineers as well.

How did you come to work with Berezha Security?

Berezha Security is a well-known company in the area. Also, I’ve known Vlad for many years and worked with him on many projects.

What is the status of this engagement?

We worked together from March 2018–March 2020.

What evidence can you share that demonstrates the impact of the engagement?

We like the high-quality level of their work. Their specialists are certified, enabling us to show proof that our penetration testing was done by professionals.

How did Berezha Security perform from a project management standpoint?

They’ve always met deadlines on every project. Their team fully achieved our requirements.

What did you find most impressive about them?

Their unique approach sets them apart from other companies. Berezha Security develops their own scripts and their standard scanners can be blocked. They have vast technical knowledge and are able to find a lot of issues using different resources.

Are there any areas they could improve?

Their system has missed some smaller, less-critical yet important breaches. If they were to scan first, they might find those breaches to report.