What evidence can you share that demonstrates the impact of the engagement?
We have 1.2 million lines of code. They’ve only checked about 10% of the code to date, partly because we continue to add new code. So they’re making good progress, but it's going to take us a while to catch up. They’ve found 40 vulnerabilities in the system, and we've fixed 12% of those. We currently have 552 open vulnerabilities in a total of 36 findings.
How did Fluid Attacks perform from a project management standpoint?
Most of our interactions take place through their client portal. When they find a vulnerability, I'll get an email from the portal letting me know. We create a ticket on our internal system just to keep track of the work that needs to be done. Once we finalize the fix and roll it out to production, we go into the portal to let them know. Then they change the status in the portal to pending review. They'll look at our code and test it again to see if we actually fixed the vulnerability. Once they test it and it's okay, they'll mark the issue as closed in the portal.
What's cool is that if my team has a question, we can also post a question to their team in the portal. They provide us with really good advice and suggestions for solutions we hadn’t thought of yet. Their response times are pretty fast, which is really important to me.
What did you find most impressive about them?
Fluid Attacks has done an amazing job of identifying holes in our security that we never knew about. We just weren't aware of so many potential issues. They're able to come in and tell us what we need to do in order to protect our platform. They add a lot of value by making sure that we have everything in place. I plan to engage with them for as long as they continue adding value.
Historically, penetration testing used to be expensive. I really like that Fluid Attacks charges a monthly fee based on the volume of your source code. Security is one of those things you have to pay no matter what, and with them we have an expert vendor that really takes care of us.
Are there any areas they could improve?
The portal was our biggest area of concern when we first started working together. I regularly called the owner to complain, but also to offer suggestions on how they could make it better. At one point I said, “If you really want us to work with you, you need to make it efficient.” I gave them a lot of feedback on features we wanted to see in the portal. They ended up putting a lot of resources into it, and now it’s great.
Any advice for potential customers?
My advice is to be very straightforward. If you know that there’s an existing issue, it's better to tell them upfront. Likewise, let them know if you’d like them to focus on a particular area. We’d put a lot of resources into our API, but we figured there were probably a lot of holes in it. We let them know so that they could work on fixing that part first.