Forward Security Inc.

Introduce your business and what you do there.

I’m the information security team lead for the company. I report to the director of support and security. We’re an outdoor retailer that provides the ability for Canadians throughout Canada to take advantage of the benefits of getting outside and being involved in outdoor activities.

What challenge were you trying to address with Forward Security Inc.?

We were looking to address security vulnerabilities around our website. We hadn’t done any prior penetration tests on it. We wanted to assess the security of our website and what improvements we need to make. Recently, we switched hosting providers over to AWS. We engaged with Forward Security Inc. to assess our website on the new hosting platform.

What was the scope of their involvement?

Forward Security Inc. did a level two application security risk assessment and a cloud security risk assessment in the AWS environment. The work was split into two stages. The first stage was testing our QA environment, and the second stage was assessing our production and post-production environment.

What is the team composition?

We worked with 2–3 individuals from Forward Security Inc. including, Farshad (Chief Security Officer) and Adam (Application Security Consultant) — he was the main penetration tester that worked with our web team to uncover issues and identify security vulnerabilities.

How did you come to work with Forward Security Inc.?

My manager and director had worked with Farshad in the past. I met Farshad from prior courses. I took a diploma course and a bachelor’s degree at a technical institute, where Farshad taught a security course. We also looked at other companies regarding security penetration services. However, we went with Forward Security Inc. based on past experience.

How much have you invested with them?

We spent around $33,000.

What is the status of this engagement?

We worked together during the middle of COVID-19, from August–November 2020.

What evidence can you share that demonstrates the impact of the engagement?

We measure our success in terms of passing through time spent researching and identifying security vulnerabilities and potential use cases for security breaches. They helped our team identify malicious attempts that could’ve led to a breach on our website.

We’re a retail company and a lot of our business dealings depend on our image. Therefore, a security breach on our website would be a very big concern for us. If there was an impact on our image, it would affect our sales and customers.

They’ve saved us a few weeks to a few month’s worth of time searching for vulnerabilities. Cost-wise, they’ve helped us protect our company against security breaches, which can be very costly in the long run.

How did Forward Security Inc. perform from a project management standpoint?

We had a Slack channel for our web team and Forward Security Inc. to communicate and have weekly meetings. We also set up additional meetings if needed. They kept in touch every week with reports on their findings on our websites. Forward Security Inc. was very accommodating, and they handled the project very well.

What did you find most impressive about them?

Forward Security Inc.’s work ethic was the most impressive aspect of their performance. They continued finding new issues and kept in touch with us while driving the project.

 They are very thorough, and they document everything. If you don’t know your systems inside and out, they’ll work with you to identify and understand your systems. Farshad and Adam had a lot of prior experience and could relate 100% to our environment. They identified potential avenues of attack. Forward Security Inc. knows its business.

Are there any areas they could improve?

The documentation is a double-edged sword. Working with security, you need to have the documentation of your systems for you to understand what they’re doing and identify unexpected and potential malicious behavior. However, we received a few comments from our team members about the amount of documentation that was being generated.

Any advice for potential customers?

Be open to Forward Security Inc. and don’t come in with a closed mindset. Be open to uncovering potential issues that you or your team had never thought of or seen before.

Introduce your business and what you do there.

I’m the senior enterprise security architecture, and I’m in charge of the security program protection desk.

What challenge were you trying to address with Forward Security Inc.?

One of our compliance requirements and something that our internal policy mandated was an annual penetration test. It was an assessment or a web application pen test on our main app. We were using a number of different services, but we wanted to consolidate and run a bigger activity. We hired Forward Security Inc. as our application specialists to help us with the assessment.

What was the scope of their involvement?

We came to Forward Security Inc. without any information upfront. They took a look at our web app to start a scoping exercise pre-contract. Forward Security Inc. had good questions, and they were proficient at helping us scope appropriately. We had a number of budget concerns to stay with under a certain market, and they were able to find a way to drop a statement of work (SoW).

We sent the SoW, and it led to a kick-off meeting where we set out the expectations and defined the one-month period workflow. After that, Forward Security Inc. proceeded to conduct the testing that we supported in the call. They worked with us during that process to both map out the security landscape of the app and confirm any findings. 

Finally, Forward Security Inc. delivered a final report of the findings. They gave us insights into the possibilities and weaknesses of not only the app, but also the approach and management that we had.

What is the team composition?

We’ve worked with 5–6 people throughout the entire project. Forward Security Inc. brought in people with expertise as needed. Mainly, we had one project manager, one penetration tester, and a few other consultants. 

How did you come to work with Forward Security Inc.?

We did a competition — it was like a small quick contest — between local firms in Vancouver for a new feature that we were rolling out last year. Forward Security Inc. was selected to handle the project. We decided to hire them as our primary security consulting company going forward based on their performance.

How much have you invested with them?

We spent around $55,000–$60,000 CAD (approximately $44,000–48,000 USD).

What is the status of this engagement?

We worked with Forward Security Inc. between August 2020–January 2021. We will be working again with them next January for other similar projects.

What evidence can you share that demonstrates the impact of the engagement?

The development process was our initial engagement, and we were very happy with the results and the approach Forward Security Inc. took. It was much more hands-on and involved compared to the previous company we worked with, and they provided better clarity into the nature of the problems and fixes that needed to be done. For the last round, we were pleased with the seriousness of their work and delivered results.

We had a lack of internal documentation, which held back the project. Forward Security was excellent in developing the required documentation. That was great. They were able to point out a number of vulnerabilities and weaknesses within our application and internal management approach.

How did Forward Security Inc perform from a project management standpoint?

The communication was great and well-established. Forward Security Inc. created a shared Slack channel with us to have direct communication with the testers all the time. We also had weekly touchpoints.

Forward Security Inc. used a platform called Burp Suite for penetration testing. They also had experts on our codebase, which was Ruby on Rails. I thought they used a number of open-source tools, but I couldn’t remember the names.

What did you find most impressive about them?

Forward Security Inc. invested in the personal relationship with our business, and it was reflected in their approach. They set up a long-term partnership to understand our security problems better, and as a result, deliver better value.

Adding on to that, Forward Security Inc. used a standardized approach, and it was easier to be integrated into our day-to-day operations. It also helped us understand how they came up with their conclusions and consume the information they produced.

Are there any areas they could improve?

Forward Security Inc. could improve on streamlining the logistics of the documentation, template, and technology. We felt some documents weren’t as well-organized as they could have been. That caused technical issues when we collaborated on them, and it was hard to maintain the document's version.

Any advice for potential customers?

I recommend being prepared to share with Forward Security Inc. as much information as people can. It’s very beneficial to their partnership-style approach. Otherwise, if people share less information, they won’t receive as many benefits as when they are strongly committed to the partnership.

Please describe your company and your position there.

I'm the CTO of our company. We're at about 100 employees and have a publicly-facing web application.

For what projects/services did your company hire Forward Security Inc.?

We hired Forward to perform a security audit of our system and to provide basic security training to some of our development staff.

What were your goals for this project?

Perform an annual security Assessment according to OWASP top 10 and ASVS level 2. Training sessions for developers

How did you select Forward Security Inc.?

We had previously worked with them, were happy with the results and came back for our annual security engagement.

Describe the project in detail.

The project was to pefrom a security audit and penetration test. This was done with our internal security lead who setup a special environment for the team to perform the tests against. Aside from that, our training was a day-long session about the OWASP common vulnerabilities.

What was the team composition?

The project manager and 1/2 security engineers depending on specific task. More were available for the training session.

Can you share any outcomes from the project that demonstrate progress or success?

The team definitely found some potential vulnerabilities we had not accounted for. It was quite thorough and the report they generated gave us plenty to fix. The training session was also fun and interactive. Our company got a lot out of it.

How effective was the workflow between your team and theirs?

Worked well, making a separate production environment really enabled them to try and break our systems while leaving our main production intact.

What did you find most impressive about this company?

The vulnerabilities they found were things we would have never thought about and they found attack vectors that we had not previously planned on.

Are there any areas for improvement?

n/a

Introduce your business and what you do there.

I’m the director of operations at MED49, a healthcare provider software company.

What challenge were you trying to address with Forward Security Inc.?

We are going to apply for a certification from the Ontario Regularity Body. That certificate is called Ontario MD, and it requires us to have an ISO 13485 certificate. For the certificate, we needed a written risk assessment from a professional third-party company. Additionally, for the Ontario MD, we needed a cloud security assessment since our software sits on the Microsoft Azure system. We needed a company to help us with this written risk assessment including the penetration test and the cloud security assessment.

What was the scope of their involvement?

The first phase of the project included two main parts. The first was the threat and risk assessment, which includes identifying all possible security issues or breaches with our software. The second part was performing penetration testing using manual techniques and other software. They played the role of hacker to see if they could access our patients’ information. Afterward, they delivered a report that consisted of their assessment and results. It broke issues down by level: high risk, medium risk, and low risk.

The security assessment made up phase two of the project. It was related to the security of the Microsoft Azure environment that supports our software. They evaluated the configuration we use to upload our software into the cloud server and then developed a report detailing any issues and risks associated with that.

What is the team composition?

I worked with four people. Starting out, Farshad (Founder) provided us with the scope of work and everything related to the project. I also worked with Mathieu (Director of Engagement Management & Operations), Ralph (Application Security Consultant), and one other person.

How much have you invested with them?

We spent around $10,000–$49,999.

What is the status of this engagement?

We worked together from May 2020–January 2021.

What evidence can you share that demonstrates the impact of the engagement?

We got exactly what we wanted. The important thing for us was to have the report and the results accepted by the ISO 13485 standards. We obtained our ISO based on the results that we got. We’re very happy with what was provided. I give them a 100% on the project.

As an electronic medical records software company, we have to repeat our threat risk assessment (TRA) every year, and we’ve already decided we’re going to work again with them.

How did Forward Security Inc. perform from a project management standpoint?

They were very good at taking the lead on the project. Email was the main communication medium for us, and we also used Slack. If we weren’t responsive, they followed up. Forward Security made sure the project was going smoothly. They met the deadlines.

What did you find most impressive about them?

They were very friendly while also being very professional. One time, we had a three-week deadline from ISO. I talked to them to see if they could prioritize our reports, and they worked weekends and extra hours to make sure we met the deadline.

It was very easy to talk to Forward Security. They’re very understanding, and they went beyond their responsibility to make sure we met deadlines.

Are there any areas they could improve?

Email is easy, but perhaps Forward Security could offer an online account where customers could see their project.

Do you have any advice for potential customers?

They’re very responsible in taking the lead on projects. If someone wants to work with them, they shouldn’t have been concerned. If you’re responsive enough in providing the information that they need, they won’t have any problems.

Introduce your business and what you do there.

Neo Financial is a Canadian fintech company. We provide everyday banking services in Canada and we employ a few hundred people. I’m one of the co-founders of the company and the head of product and engineering. 

What challenge were you trying to address with Forward Security Inc.?

We’ve engaged Forward Security as a consulting company to provide us with advice on how to improve our digital security. In addition, we’ve collaborated with them to examine and audit products that we’re building as well as the security measures we put in place to make sure they are world-class. 

What was the scope of their involvement?

When we reached out to them, we already had a specific engagement proposal. In their case, their focus has been to evaluate the security of our mobile apps. 

We typically go through a question and answer session where we share information with them about our product, how we built it, how they were designed, and what's the goal of our products. After that, they come back to us and propose a statement of work. For example, with our mobile apps, they’ve done various things including a security assessment, security testing, and more. 

What is the team composition?

They have a team of about five security engineers. I’ve also worked with their CTO and he has driven some of the engagement and made sure that the overall plan and strategy is solid. We usually talk one on one with every person on their team. 

How did you come to work with Forward Security Inc.?

We knew we wanted to engage a third-party security company with a history in the banking and financial space. We wanted them to be in Canada and they should have a hands-on approach. 

When we started researching options, Forward Security came up together with an approximate list of 10 other companies. Aside from “investigating” them, we also talked to them and filtered down the list to three firms. 

What is the status of this engagement?

We probably started around September 2020, and we’re still working together.

What evidence can you share that demonstrates the impact of the engagement? 

We’ve been satisfied with their projects, and we’re now on our third engagement. I’m very happy with their work and the value they’re providing. 

A lot of companies in this space don’t really listen and talk with their clients, and they don’t ask questions. Some of them are not very engaged with their client’s business as well. They’re only focused on running some software or automated tool where they’ll be scanning products and the tool just submits a report. 

However, Forward Security is the opposite. They have a hands-on approach and they ask questions. When we give them answers, they have follow-up questions and digs deeper into what we want. 

How did Forward Security Inc. perform from a project management standpoint?

Their project management and communication is first class and I couldn't ask for it to be better. Before starting a project, they quote the price and place an engagement kickoff date. Once we agree to the team's proposal, we start the project and share the product with them. 

We usually have weekly meetings, but it heavily depends on their scope of work. They’ve consistently submitted reports concerning the updates and state of their assessments. The team makes sure that when they present the reports, they walk us through every item to make sure we understand everything. 

Some of the reports are risky and some are not, but what’s important is that Forward Security gives us advice on how to best address those risks. Then, once we know about it, we go to our product and engineering teams, and they roll out future versions of our products. We’ve really performed updates and improvements based on their advice. 

What did you find most impressive about them?

They have a great process for engaging their customers. Forward Security is transparent throughout every progress they make. Additionally, they make sure that we’re happy as the project continues.

Their deep understanding and experience in the financial sector have been impressive. I can’t speak to other industries, but they know digital security and understand financial software systems and technology, which have been really valuable to the engagement. 

Are there any areas they could improve?

They deliver good value, but perhaps they can give a lower price. We’re on our third engagement now, but I’m not sure that we’ve been necessarily carrying the knowledge forward. It might be a good idea to know a lot of information about our company and products. Perhaps, they can also help us shorten the next engagement and be more efficient, but honestly, it’s a very minor thing. 

Do you have any advice for potential customers?

If you’re looking for a quick solution that does the minimum and just checks the boxes, then maybe you should not engage with the team. Forward Security is serious about getting honest and providing highly technical feedback. If you really want a team that will dig in and adds value to your security team, then work with Forward Security. They’re a great company to work with.