Application & Cloud Security-As-A-Service
Forward's highly accomplished team delivers Cybersecurity solutions with a focus on application and cloud security services to midsized organizations in the Finance, Health, E-commerce, and Technology sectors. Our team has experience with some of the world’s largest organizations such as HSBC, Intel, HP, and Motorola all the way to medium-sized enterprises and even local start-ups. We understand the issues that each size and scale of company may face, and work closely with your team to ensure a successful solution is in place. Straight talk, technical leadership, and excellence are in our DNA.

Portfolio
Neo Financial, Mountain Equipment Co-op, iQmetrix, Finn Ai, Traction Guest, Cala Heath, Nicola Wealth, Later, Xumi, Safe Software, Ready
Reviews
the project
Cybersecurity Compliance Services for Legal Tech Company
“Forward Security delivered what they promised to deliver.”
the review
A Clutch analyst personally interviewed this client over the phone. Below is an edited transcript.
Introduce your business and what you do there.
I’m the chief legal officer of TreeFort Technologies Inc., a legal technology startup operating in the digital ID space.
What challenge were you trying to address with Forward Security Inc.?
Forward Security helped us with the security of our system.
What was the scope of their involvement?
We’ve engaged with Forward Security twice. For our first engagement, they guided us through a SOC2 process (Service Organization Control 2), which was basically the first level of our security analysis. During this process, they worked with our technical team to review our system. They conducted a lot of interviews and discussed the architecture of our platform, including the type of information that this platform stored. Then, they helped us identify risks in areas where we needed to improve.
On the second project, Forward Security helped us with penetration testing. They again worked with our team and got access to our code. During this process, they performed tests and analyzed our platform. Then, they produced a report highlighting their findings, which also contained recommendations and strategies for dealing with the problems they found.
What is the team composition?
During our first engagement, we worked with three people from Forward Security. One person was in charge of the day-to-day technical work, and the other two were account managers who oversaw the process. As for our second engagement, we worked with four people from their team: two project managers and two technical people.
How did you come to work with Forward Security Inc.?
We got a grant from the federal government to improve our security. Through this granting process, they connected us with an intermediary company that interviewed us to know our needs. Then, they recommended and put us in touch with Forward Security.
How much have you invested with them?
We spent around $50,000.
What is the status of this engagement?
Our first engagement started in February 2020, and the second one in November 2021. This second engagement ended in April 2022.
What evidence can you share that demonstrates the impact of the engagement?
The reports that Forward Security produced were very thorough and helpful, and they gave us a lot of good guidance. After our first engagement, I met with our technical team, and they were very impressed with their work. Based on that feedback, we decided to hire them for the second project. After the second project, our team reiterated that Forward Security’s work was very thorough and of high quality — they actually told me that they would like us to hire Forward Security for our next assignment.
How did Forward Security Inc. perform from a project management standpoint?
Forward Security’s project management went very well. They were on budget; we had no cost overages. Regarding timelines, they were also on point. It took them as long as we expected these projects to take and as long as they promised. We communicated via email and video conferences.
What did you find most impressive about them?
Forward Security delivered what they promised to deliver. Although I haven’t worked with other similar companies in the past, I know that not everyone is able to do that.
Are there any areas they could improve?
Not really, although it would have been great if Forward Security had spent more time understanding our business initially.
Do you have any advice for potential customers?
Negotiate with them and go through their initial proposal in detail to understand it. If you have concerns about it, talk to them and ensure that everyone is on the same page.
the project
Cybersecurity Services for Home Insurance Agency
"They were very good at identifying issues without making us feel clueless."
the review
A Clutch analyst personally interviewed this client over the phone. Below is an edited transcript.
Introduce your business and what you do there.
I’m the co-founder and VP of IT for Square One Insurance. We’re an online home insurance provider.
What challenge were you trying to address with Forward Security Inc.?
We hired them to do a security review of all of our systems, software, and networks. The main goal was to look for potential vulnerabilities and help us prioritize what we need to do to ensure the security of our infrastructure.
What was the scope of their involvement?
We started off the project with a series of meetings, where they asked us questions related to our codebase and practices. They then built up a document detailing all of that information before conducting manual and automated penetration tests to confirm any potential vulnerabilities. They did all of this remotely.
What is the team composition?
We worked with their chief security officer, director of engagement management and operations, and two application security consultants.
How did you come to work with Forward Security Inc.?
We previously engaged with a Canadian government program about a year ago, and that program linked us with Forward Security Inc.
How much have you invested with them?
We spent about $40,000 CAD (approximately $31,000 USD).
What is the status of this engagement?
We worked together on this project from July–October 2021.
What evidence can you share that demonstrates the impact of the engagement?
They came up with a detailed report that had a dozen findings, which we immediately addressed. They also did an excellent job of sharing their knowledge and explaining things in layman’s terms. This allowed us to fully understand the underlying issues.
How did Forward Security Inc. perform from a project management standpoint?
Their project management style was great. We communicated with them through Zoom and Microsoft Teams to get any feedback or updates and share documents.
What did you find most impressive about them?
They were very good at identifying issues without making us feel clueless.
Are there any areas they could improve on?
I can’t think of anything.
Do you have any advice for potential customers?
Make sure to dedicate the time internally to properly support their efforts; it takes both parties to ensure a successful outcome.
the project
IT Consulting Services for Data Integration Platform
"The whole project runs smoothly, and we aren’t concerned about the deliverables or timelines."
the review
A Clutch analyst personally interviewed this client over the phone. Below is an edited transcript.
Introduce your business and what you do there.
I work for Safe Software. I’m the software product manager for the enterprise product. Our company produces FME, which is a data integration utility that specializes in spatial data.
What challenge were you trying to address with Forward Security Inc.?
We were aiming to address any security concerns in our application. We wanted customers to have confidence that FME is a secure product for their organization.
What was the scope of their involvement?
Forward Security has taken the server application and done application penetration testing. Since FME handles a lot of customer data, they’ve looked for any security holes or backdoor access to ensure it would remain safe.
Essentially, they’ve looked at all the different vulnerabilities in our software through custom workflows and scenarios and exploited them and the software. The deliverable is a list of all the vulnerabilities they found with details on how to reproduce each one. They’ve also analyzed it using industry-standard risk levels so we could prioritize them.
As part of the initial engagement, we created a design document of our architecture so they could understand it. After that, we’ve just updated the document together each year.
Additionally, Forward Security has provided off-site services and an hour of workshop training for our development team members. Moreover, they help us with the overall prioritization of tasks. They have the industry knowledge to help us gauge how important these things are.
What is the team composition?
We have 3–4 people on our team. Farshad (Chief Security Officer) is our main point of contact and team leader. We have another point of contact, but they’re more of a management director for the project.
How did you come to work with Forward Security Inc.?
We were looking for a company to provide application security testing. When we looked up, Forward Security was one of the top results and local. That was advantageous before the pandemic because they could come on-site.
How much have you invested with them?
It’s been around $25,000 CAD (approximately $20,000 USD).
What is the status of this engagement?
We started working on the current project in June 2021, and it’ll wrap up in October. However, we first engaged with them in 2017. We’ve worked together on short contract periods that last about three months.
What evidence can you share that demonstrates the impact of the engagement?
Ultimately, we wanted to know what was wrong with our product. They didn’t simply give us that list; they took the time to walk us through each item and make sure we understood the problem and how to fix it.
How did Forward Security Inc. perform from a project management standpoint?
They do a great job; it’s been a great process. They have a clear outline of what they’ll do and how it’s going to be done. We had an initial call with all their team, and they’ve given us a lot of time to ask any questions or clear anything up. The whole project runs smoothly, and we aren’t concerned about the deliverables or timelines.
We typically use email and virtual meetings through Zoom and Google Meets to communicate.
What did you find most impressive about them?
They exhibit a high level of knowledge in their field. Also, we know they’re honest and thorough. We can really trust their team.
Are there any areas they could improve?
We give them feedback, but we haven’t had any major issues, so nothing comes to mind.
Do you have any advice for potential customers?
It’s important to have a lead communicator and identify the technical lead from your side. Also, communication should be smooth and consistent, and you should review the scope of work and take time to make sure you understand it.
the project
Security Assessment Services for Outdoor Equipment Brand
"Forward Security Inc.’s work ethic was the most impressive aspect of their performance."
the review
A Clutch analyst personally interviewed this client over the phone. Below is an edited transcript.
Introduce your business and what you do there.
I’m the information security team lead for the company. I report to the director of support and security. We’re an outdoor retailer that provides the ability for Canadians throughout Canada to take advantage of the benefits of getting outside and being involved in outdoor activities.
What challenge were you trying to address with Forward Security Inc.?
We were looking to address security vulnerabilities around our website. We hadn’t done any prior penetration tests on it. We wanted to assess the security of our website and what improvements we need to make. Recently, we switched hosting providers over to AWS. We engaged with Forward Security Inc. to assess our website on the new hosting platform.
What was the scope of their involvement?
Forward Security Inc. did a level two application security risk assessment and a cloud security risk assessment in the AWS environment. The work was split into two stages. The first stage was testing our QA environment, and the second stage was assessing our production and post-production environment.
What is the team composition?
We worked with 2–3 individuals from Forward Security Inc., including Farshad (Chief Security Officer) and Adam (Application Security Consultant) — he was the main penetration tester that worked with our web team to uncover issues and identify security vulnerabilities.
How did you come to work with Forward Security Inc.?
My manager and director had worked with Farshad in the past. I met Farshad from prior courses. I took a diploma course and a bachelor’s degree at a technical institute, where Farshad taught a security course. We also looked at other companies regarding security penetration services. However, we went with Forward Security Inc. based on past experience.
How much have you invested with them?
We spent around $33,000.
What is the status of this engagement?
We worked together during the middle of COVID-19, from August–November 2020.
What evidence can you share that demonstrates the impact of the engagement?
We measure our success in terms of passing through time spent researching and identifying security vulnerabilities and potential use cases for security breaches. They helped our team identify malicious attempts that could’ve led to a breach on our website.
We’re a retail company and a lot of our business dealings depend on our image. Therefore, a security breach on our website would be a very big concern for us. If there was an impact on our image, it would affect our sales and customers.
They’ve saved us a few weeks to a few months’ worth of time searching for vulnerabilities. Cost-wise, they’ve helped us protect our company against security breaches, which can be very costly in the long run.
How did Forward Security Inc. perform from a project management standpoint?
We had a Slack channel for our web team and Forward Security Inc. to communicate and have weekly meetings. We also set up additional meetings if needed. They kept in touch every week with reports on their findings on our websites. Forward Security Inc. was very accommodating, and they handled the project very well.
What did you find most impressive about them?
Forward Security Inc.’s work ethic was the most impressive aspect of their performance. They continued finding new issues and kept in touch with us while driving the project.
They are very thorough, and they document everything. If you don’t know your systems inside and out, they’ll work with you to identify and understand your systems. Farshad and Adam had a lot of prior experience and could relate 100% to our environment. They identified potential avenues of attack. Forward Security Inc. knows its business.
Are there any areas they could improve?
The documentation is a double-edged sword. Working with security, you need to have the documentation of your systems for you to understand what they’re doing and identify unexpected and potential malicious behavior. However, we received a few comments from our team members about the amount of documentation that was being generated.
Any advice for potential customers?
Be open to Forward Security Inc. and don’t come in with a closed mindset. Be open to uncovering potential issues that you or your team had never thought of or seen before.
the project
Cybersecurity Services for Visitor Management System
"They set up a long-term partnership to understand our security problems better, and as a result, deliver better value."
the review
A Clutch analyst personally interviewed this client over the phone. Below is an edited transcript.
Introduce your business and what you do there.
I’m the senior enterprise security architect, and I’m in charge of the security program protection desk.
What challenge were you trying to address with Forward Security Inc.?
One of our compliance requirements and something that our internal policy mandated was an annual penetration test. It was an assessment or a web application pen test on our main app. We were using a number of different services, but we wanted to consolidate and run a bigger activity. We hired Forward Security Inc. as our application specialists to help us with the assessment.
What was the scope of their involvement?
We came to Forward Security Inc. without any information upfront. They took a look at our web app to start a scoping exercise pre-contract. Forward Security Inc. had good questions, and they were proficient at helping us scope appropriately. We had a number of budget concerns to stay with under a certain market, and they were able to find a way to drop a statement of work (SoW).
We sent the SoW, and it led to a kick-off meeting where we set out the expectations and defined the one-month period workflow. After that, Forward Security Inc. proceeded to conduct the testing that we supported in the call. They worked with us during that process to both map out the security landscape of the app and confirm any findings.
Finally, Forward Security Inc. delivered a final report of the findings. They gave us insights into the possibilities and weaknesses of not only the app, but also the approach and management that we had.
What is the team composition?
We’ve worked with 5–6 people throughout the entire project. Forward Security Inc. brought in people with expertise as needed. Mainly, we had one project manager, one penetration tester, and a few other consultants.
How did you come to work with Forward Security Inc.?
We did a competition — it was like a small quick contest — between local firms in Vancouver for a new feature that we were rolling out last year. Forward Security Inc. was selected to handle the project. We decided to hire them as our primary security consulting company going forward based on their performance.
How much have you invested with them?
We spent around $55,000–$60,000 CAD (approximately $44,000–48,000 USD).
What is the status of this engagement?
We worked with Forward Security Inc. between August 2020–January 2021. We will be working again with them next January for other similar projects.
What evidence can you share that demonstrates the impact of the engagement?
The development process was our initial engagement, and we were very happy with the results and the approach Forward Security Inc. took. It was much more hands-on and involved compared to the previous company we worked with, and they provided better clarity into the nature of the problems and fixes that needed to be done. For the last round, we were pleased with the seriousness of their work and delivered results.
We had a lack of internal documentation, which held back the project. Forward Security was excellent in developing the required documentation. That was great. They were able to point out a number of vulnerabilities and weaknesses within our application and internal management approach.
How did Forward Security Inc. perform from a project management standpoint?
The communication was great and well-established. Forward Security Inc. created a shared Slack channel with us to have direct communication with the testers all the time. We also had weekly touchpoints.
Forward Security Inc. used a platform called Burp Suite for penetration testing. They also had experts on our codebase, which was Ruby on Rails. I thought they used a number of open-source tools, but I couldn’t remember the names.
What did you find most impressive about them?
Forward Security Inc. invested in the personal relationship with our business, and it was reflected in their approach. They set up a long-term partnership to understand our security problems better, and as a result, deliver better value.
Adding on to that, Forward Security Inc. used a standardized approach, and it was easier to be integrated into our day-to-day operations. It also helped us understand how they came up with their conclusions and consume the information they produced.
Are there any areas they could improve?
Forward Security Inc. could improve on streamlining the logistics of the documentation, template, and technology. We felt some documents weren’t as well-organized as they could have been. That caused technical issues when we collaborated on them, and it was hard to maintain the document's version.
Any advice for potential customers?
I recommend being prepared to share with Forward Security Inc. as much information as people can. It’s very beneficial to their partnership-style approach. Otherwise, if people share less information, they won’t receive as many benefits as when they are strongly committed to the partnership.
the project
Security Review for Instagram Marketing Platform
"We had previously worked with them, were happy with the results and came back for our annual security engagement."
the review
The client submitted this review online.
Please describe your company and your position there.
I'm the CTO of our company. We're at about 100 employees and have a publicly-facing web application.
For what projects/services did your company hire Forward Security Inc.?
We hired Forward to perform a security audit of our system and to provide basic security training to some of our development staff.
What were your goals for this project?
Perform an annual security assessment according to OWASP Top 10 and ASVS level 2. Training sessions for developers.
How did you select Forward Security Inc.?
We had previously worked with them, were happy with the results and came back for our annual security engagement.
Describe the project in detail.
The project was to perform a security audit and penetration test. This was done with our internal security lead who set up a special environment for the team to perform the tests against. Aside from that, our training was a day-long session about the OWASP common vulnerabilities.
What was the team composition?
The project manager and 1/2 security engineers depending on specific task. More were available for the training session.
Can you share any outcomes from the project that demonstrate progress or success?
The team definitely found some potential vulnerabilities we had not accounted for. It was quite thorough and the report they generated gave us plenty to fix. The training session was also fun and interactive. Our company got a lot out of it.
How effective was the workflow between your team and theirs?
Worked well, making a separate production environment really enabled them to try and break our systems while leaving our main production intact.
What did you find most impressive about this company?
The vulnerabilities they found were things we would have never thought about and they found attack vectors that we had not previously planned on.
Are there any areas for improvement?
n/a
the project
ISO Certification for Health Care Provider Software Company
"They’re very understanding, and they went beyond their responsibility to make sure we met deadlines."
the review
A Clutch analyst personally interviewed this client over the phone. Below is an edited transcript.
Introduce your business and what you do there.
I’m the director of operations at MED49, a healthcare provider software company.
What challenge were you trying to address with Forward Security Inc.?
We are going to apply for a certification from the Ontario Regularity Body. That certificate is called Ontario MD, and it requires us to have an ISO 13485 certificate. For the certificate, we needed a written risk assessment from a professional third-party company. Additionally, for the Ontario MD, we needed a cloud security assessment since our software sits on the Microsoft Azure system. We needed a company to help us with this written risk assessment including the penetration test and the cloud security assessment.
What was the scope of their involvement?
The first phase of the project included two main parts. The first was the threat and risk assessment, which includes identifying all possible security issues or breaches with our software. The second part was performing penetration testing using manual techniques and other software. They played the role of hacker to see if they could access our patients’ information. Afterward, they delivered a report that consisted of their assessment and results. It broke issues down by level: high risk, medium risk, and low risk.
The security assessment made up phase two of the project. It was related to the security of the Microsoft Azure environment that supports our software. They evaluated the configuration we use to upload our software into the cloud server and then developed a report detailing any issues and risks associated with that.
What is the team composition?
I worked with four people. Starting out, Farshad (Founder) provided us with the scope of work and everything related to the project. I also worked with Mathieu (Director of Engagement Management & Operations), Ralph (Application Security Consultant), and one other person.
How much have you invested with them?
We spent around $10,000–$49,999.
What is the status of this engagement?
We worked together from May 2020–January 2021.
What evidence can you share that demonstrates the impact of the engagement?
We got exactly what we wanted. The important thing for us was to have the report and the results accepted by the ISO 13485 standards. We obtained our ISO based on the results that we got. We’re very happy with what was provided. I give them a 100% on the project.
As an electronic medical records software company, we have to repeat our threat risk assessment (TRA) every year, and we’ve already decided we’re going to work again with them.
How did Forward Security Inc. perform from a project management standpoint?
They were very good at taking the lead on the project. Email was the main communication medium for us, and we also used Slack. If we weren’t responsive, they followed up. Forward Security made sure the project was going smoothly. They met the deadlines.
What did you find most impressive about them?
They were very friendly while also being very professional. One time, we had a three-week deadline from ISO. I talked to them to see if they could prioritize our reports, and they worked weekends and extra hours to make sure we met the deadline.
It was very easy to talk to Forward Security. They’re very understanding, and they went beyond their responsibility to make sure we met deadlines.
Are there any areas they could improve?
Email is easy, but perhaps Forward Security could offer an online account where customers could see their project.
Do you have any advice for potential customers?
They’re very responsible in taking the lead on projects. If someone wants to work with them, they shouldn’t be concerned. If you’re responsive enough in providing the information that they need, they won’t have any problems.
the project
Cybersecurity Assessments for FinTech Company
"Their deep understanding and experience in the financial sector have been impressive."
the review
A Clutch analyst personally interviewed this client over the phone. Below is an edited transcript.
Introduce your business and what you do there.
Neo Financial is a Canadian fintech company. We provide everyday banking services in Canada and we employ a few hundred people. I’m one of the co-founders of the company and the head of product and engineering.
What challenge were you trying to address with Forward Security Inc.?
We’ve engaged Forward Security as a consulting company to provide us with advice on how to improve our digital security. In addition, we’ve collaborated with them to examine and audit products that we’re building as well as the security measures we put in place to make sure they are world-class.
What was the scope of their involvement?
When we reached out to them, we already had a specific engagement proposal. In their case, their focus has been to evaluate the security of our mobile apps.
We typically go through a question and answer session where we share information with them about our product, how we built it, how they were designed, and what's the goal of our products. After that, they come back to us and propose a statement of work. For example, with our mobile apps, they’ve done various things including a security assessment, security testing, and more.
What is the team composition?
They have a team of about five security engineers. I’ve also worked with their CTO and he has driven some of the engagement and made sure that the overall plan and strategy is solid. We usually talk one on one with every person on their team.
How did you come to work with Forward Security Inc.?
We knew we wanted to engage a third-party security company with a history in the banking and financial space. We wanted them to be in Canada and they should have a hands-on approach.
When we started researching options, Forward Security came up together with an approximate list of 10 other companies. Aside from “investigating” them, we also talked to them and filtered down the list to three firms.
What is the status of this engagement?
We probably started around September 2020, and we’re still working together.
What evidence can you share that demonstrates the impact of the engagement?
We’ve been satisfied with their projects, and we’re now on our third engagement. I’m very happy with their work and the value they’re providing.
A lot of companies in this space don’t really listen and talk with their clients, and they don’t ask questions. Some of them are not very engaged with their client’s business as well. They’re only focused on running some software or automated tool where they’ll be scanning products and the tool just submits a report.
However, Forward Security is the opposite. They have a hands-on approach and they ask questions. When we give them answers, they have follow-up questions and dig deeper into what we want.
How did Forward Security Inc. perform from a project management standpoint?
Their project management and communication is first class and I couldn't ask for it to be better. Before starting a project, they quote the price and place an engagement kickoff date. Once we agree to the team's proposal, we start the project and share the product with them.
We usually have weekly meetings, but it heavily depends on their scope of work. They’ve consistently submitted reports concerning the updates and state of their assessments. The team makes sure that when they present the reports, they walk us through every item to make sure we understand everything.
Some of the reports are risky and some are not, but what’s important is that Forward Security gives us advice on how to best address those risks. Then, once we know about it, we go to our product and engineering teams, and they roll out future versions of our products. We’ve really performed updates and improvements based on their advice.
What did you find most impressive about them?
They have a great process for engaging their customers. Forward Security is transparent throughout every progress they make. Additionally, they make sure that we’re happy as the project continues.
Their deep understanding and experience in the financial sector have been impressive. I can’t speak to other industries, but they know digital security and understand financial software systems and technology, which have been really valuable to the engagement.
Are there any areas they could improve?
They deliver good value, but perhaps they can give a lower price. We’re on our third engagement now, but I’m not sure that we’ve been necessarily carrying the knowledge forward. It might be a good idea to know a lot of information about our company and products. Perhaps, they can also help us shorten the next engagement and be more efficient, but honestly, it’s a very minor thing.
Do you have any advice for potential customers?
If you’re looking for a quick solution that does the minimum and just checks the boxes, then maybe you should not engage with the team. Forward Security is serious about getting honest and providing highly technical feedback. If you really want a team that will dig in and add value to your security team, then work with Forward Security. They’re a great company to work with.
The reports, guidance, and feedback provided by Forward Security were very thorough, helpful, and of high quality, so the client was very pleased with their work. The team excelled at setting the right expectations, accurately meeting the deadlines and staying on budget.