Your pragmatic cybersecurity partner
Overview
In 2019 we founded Iterasec with a vision to support tech and engineering companies with holistic security services: addressing software/product security, organisational security and compliance.
We want our clients to focus on their business and growth, while we aim to take care of security, which nowadays is quite a complicated topic requiring multidisciplinary and costly staff. We believe that doing it as a service is a better option for many SMEs.
Why we stand out:
– Practical attacker-minded and resilience-oriented security approach
– We understand engineers and product development: we know how to prioritize security and how to efficiently train engineers
– Excellent delivery management: on time, clear communication, proactive. Underpromise, overdeliver.
At the moment we are a boutique-style company of 10+ people and have successfully completed over 50 projects in different domains: automotive, fintech and software engineering.
Our key services:
– Software vulnerability assessment and penetration testing
– Network pentest
– Introducing Secure SDLC for teams via Threat Modeling
– Cloud and containers security audits
– ISO 27001 / SOC2 / HIPAA / GDPR guided implementation and support
Portfolio

Shift-left security: The Basics of Threat Modeling
Shift-left is becoming a more and more popular approach to introduce security into software development.
A common problem with shift-left security is that a lot of people talk about it and it is a nice concept, but there are very few successful implementations. Teams simply don't know where to start with Secure SDLC.
At Iterasec, we believe that threat modeling (brainstorming abuse scenarios that can happen with your product or assets) is the foundation to build efficient security.
In our blog post we explain the basics of Threat Modeling and how it can be implemented: https://iterasec.com/shift-left-security-the-basics-of-threat-modeling/

Providing Remote Security Team for an IT Company
Client
IoT and Software development company
Goals
The company initially reached out to us for consultancy services in implementation of the ISMS and ISO 27001 certification.
Solution
Iterasec started by building an ISMS in the company that both fulfils ISO 27001 and is lightweight and efficient in practice.
Apart from the traditional ISO 27001 Annex A controls, Iterasec also focused on building an efficient Secure Development Policy for the company. As part of these activities, Iterasec delivered multiple specialised security training sessions to the engineers and quality assurance specialists.
After the company received ISO 27001 certification, Iterasec integrated with it even more closely. At the moment Iterasec provides a number of continuous services:
- Supporting ISMS and acting as Virtual CISO
- On-demand compliance support (such as GDPR issues)
- Application Security: integration in several client development projects, pentests, secure development lifecycle, DevSecOps
- Providing various security trainings to the engineering and data science teams
Result
The company can focus more on its clients and engineering expertise. By closely integrating with the company, Iterasec provides all the benefits of an in-house security team while costing much less, both in terms of money and operational effort.

Penetration Test for an Edutech Web Application
Client
Edutech startup
Goals
The client wanted to evaluate the current state of security of a special corporate training & education platform. The system is used across many large companies and enterprises, hence the client wanted to be sure there are no severe vulnerabilities in the application.
Solution
During the project, Iterasec performed an application-level pentest using OWASP ASVS methodology. All the findings were summarised in the final pentest report along with the recommendations.
Iterasec supported the team in fixing security issues and ensured security fixes were applied correctly.
The team consisted of 1 Senior Penetration Tester, 1 Security Engineer and 1 Delivery Manager.
Result
The pentest identified 1 Critical-severity, 2 High-severity and a number of lower-severity vulnerabilities that could have been exploited by attackers.
As a result, all these issues were patched and a new product version was released.
The development team also gained valuable security experience during the project. After the project, Iterasec also provided a small complimentary Application Security training for engineers and QAs.
Reviews
Cybersecurity for Software Development Company
"We appreciated that they provided a high level of suggestions and audit, which was what we needed at this stage."
The client submitted this review online.
Please describe your company and your position there.
I'm the co-owner and CTO of a software development company building digital products for the media and public sector.
For what projects/services did your company hire Iterasec?
We were looking for an external cybersecurity company to perform the audit of our SaaS products codebase and infrastructure, to ensure that we don't have critical issues.
How did you select this vendor and what were the deciding factors?
The vendor had conducted security workshops on OWASP and secure SDLC for Innocode in the past. We provided the vendor with requirements and specifications and received a qualified offer.
Describe the project in detail and walk through the stages of the project.
Innocode has initiated two security testing projects to verify the security of the Innocode product platform, both from the application and infrastructure points of view. The first project, application pentest, has been performed in a grey-box way, i.e. with available documentation access without source code.
The second project, cloud and container security audit, has been performed in a white-box way, i.e. had full access to the Platform's GCP infrastructure in a viewer mode. The main project deliveries were two reports with a detailed list of security findings discovered and recommendations on how to remedy such threats.
Both reports also provide high-level recommendations and strategic areas for security improvements. They performed the security audit for all our SaaS web and mobile products, by the following guidelines and standards:
• OWASP Application Security Verification Standard
• OWASP Mobile Security Verification Standard
• OWASP Web Security Testing Guide
• OWASP Mobile Security Testing Guide Stackdriver Monitoring
• OWASP Risk rating methodology
• Common Vulnerability Scoring System v 3.0
• OWASP Top 10 Privacy Risks
• OWASP Top 10 2017
• OWASP Top 10 2021
• OWASP API Security Top 10 2019
• Center for Internet Security (CIS) Google Cloud Platform Foundation Benchmark version 1.1.0
• Center for Internet Security (CIS) Google Kubernetes Engine (GKE) Benchmark version 1.1.0
• Google Cloud Security Foundations Guide (April 2021)
• USA's National Security Agency (NSA) Kubernetes Hardening Guidance (August 2021)
As for the infrastructure, the following tools were used, as well as manual checks performed using Google Cloud Console/Cloud Shell:
• GCP CIS 1.1.0 Benchmark Inspec Profile
• GKE CIS 1.1.0 Benchmark Inspec Profile
• kube-bench
• Kubescape
• GitLab Red Team GCP audit tools
How many resources from the vendor's team worked with you, and what were their positions?
We had the Iterasec CEO and 2 security engineers.
Can you share any outcomes from the project that demonstrate progress or success?
They were able to identify far more risks compared to our internal routines, and also pointed out a few configuration flaws in the tools that we use. They also provided us with 2 workshops on threat modelling and secure SDLC.
How effective was the workflow between your team and theirs?
They kept us updated all the time, and we received reports on time.
What did you find most impressive or unique about this company?
We appreciated that they provided a high level of suggestions and audit, which was what we needed at this stage.
Are there any areas for improvement or something they could have done differently?
All is good.
Cybersecurity for SaaS Company
"They are easy to approach, knowledgeable, and strive to deliver quality solutions."
The client submitted this review online.
Please describe your company and your position there.
I'm CTO at Open Social, a top-tier SaaS company. Open Social is specialized in online community and membership management solutions.
For what projects/services did your company hire Iterasec?
We wanted to get ISO 27001 certified. Iterasec helped us to plan, prepare and act to create a fully functioning Information Security Management System and be ready for an external audit.
How did you select this vendor and what were the deciding factors?
We've been looking at a good consulting party. One of our trusted partners worked with Iterasec and was very happy with them. After one or two talks we decided to go with Iterasec as they appeared to be knowledgeable and professional.
Describe the project in detail and walk through the stages of the project.
They prepared with us the plan to get certified, including timelines, milestones, etc. Every week we were doing status update meetings, they would review the work we did and help us with good examples. Additionally, they helped us by asking the necessary questions to get us to understand how certain items would match our specific company structure and culture. Iterasec also performed the internal audit, in which they raised several issues that we fixed together. They also prepared and gave security workshops for our engineers, and we're planning a pentest with them to be done in the coming weeks.
How many resources from the vendor's team worked with you, and what were their positions?
The CEO was our main point of contact, but was supported by someone that was trained as an auditor.
Can you share any outcomes from the project that demonstrate progress or success?
We've recently had an accredited auditor assess our ISMS during the external audit. Improvements were raised, but no nonconformities were discovered. For us this was a huge success and showed Iterasec's expertise as they already found all our issues in the internal audit.
How effective was the workflow between your team and theirs?
The communication was quick and professional. We had status update meetings weekly, where necessary twice a week. They were in our Slack channel, which also gave the feeling they were part of our team.
What did you find most impressive or unique about this company?
They are easy to approach, knowledgeable, and strive to deliver quality solutions. I personally learned a lot from Iterasec and I've really enjoyed working together.
Are there any areas for improvement or something they could have done differently?
None that I can think of. We've worked closely together over the last 9 months and it's been a smooth ride.
Cybersecurity for IT Outsourcing Company
"Their easy communication and responsiveness during the tests were impressive."
The client submitted this review online.
Please describe your company and your position there.
I am IT Lead in an IT outstaffing company.
For what projects/services did your company hire Iterasec?
To perform an annual penetration test.
How did you select Iterasec and what were the deciding factors?
We searched for cybersecurity companies and after having several calls, we chose Iterasec based on their experience and service package.
Describe the project in detail and walk through the stages of the project.
They performed penetration tests of our infrastructure (several locations) as well as our web, mail and VoIP servers. After the tests they delivered a detailed report and provided a list of recommendations.
How many resources from the Iterasec team worked with you, and what were their positions?
We had a project manager, a security analyst and a penetration tester.
Can you share any outcomes from the project that demonstrate progress or success?
Iterasec identified more risks than our internal tests did. Provided recommendations were detailed and helpful.
How effective was the workflow between your team and theirs?
They kept us updated all the time. Reports are easy to understand.
What did you find most impressive or unique about this company?
Their easy communication and responsiveness during the tests were impressive.
Are there any areas for improvement or something they could have done differently?
N/A
Cybersecurity for Mobile & IoT Development Company
"The communication was very constructive and frictionless."
The client submitted this review online.
Please describe your company and your position there.
I am the CTO and Co-founder of a Mobile and IoT development company headquartered in Lviv, Ukraine. Our company has 100+ employees and we serve European and American markets, with clients in the US, Germany, the Netherlands, the UK, Norway, France and Switzerland.
For what projects/services did your company hire Iterasec?
Our company had a strategic initiative to obtain ISO 27001 and ISO 9001 certifications. We decided to involve Iterasec as our information security experts to help us build up a mature ISMS and eventually get our company certified.
How did you select Iterasec and what were the deciding factors?
We wanted to develop a mature ISMS and obtain ISO 27001 and ISO 9001 certification. The challenge for us was not just to make ISO 27001 a paper tiger, but also to practically improve our security processes and the security awareness of our employees. We had a positive previous experience cooperating with Iterasec in other security-related projects.
Describe the project in detail and walk through the stages of the project.
The project consisted of several phases and ongoing support. The main phases were: planning, implementation, internal audit, and correction. Iterasec also helped us to coordinate the certification process with an ISO 27001/9001 authorized auditor. There is also ongoing support in the Virtual Information Security Manager mode.
How many resources from the Iterasec team worked with you, and what were their positions?
The team consisted of 2 specialists: a Virtual Information Security Manager and a Project Manager.
Can you share any outcomes from the project that demonstrate progress or success?
Within 9 months we were able to build a strong ISMS basis: we established a risk assessment process, performed employee ISMS training, carried out an internal audit and correction iteration, and prepared ourselves for the certification. We also implemented/improved a number of ISO 27001 security controls and ISO 9001 quality controls.
How effective was the workflow between your team and theirs?
Iterasec acted as our Virtual Information Security Team. The communication was very constructive and frictionless.
What did you find most impressive or unique about this company?
They had a good combination of practical security compliance experience and excellent project delivery.
Are there any areas for improvement or something they could have done differently?
All in all, we were satisfied with the project quality and overall experience.
API Penetration Testing for Fintech Company
"The team showed a keen interest in understanding our business."
The client submitted this review online.
Please describe your company and your position there.
I'm the director of security at Securrency. We are a US- and UAE-based technology company focused on compliance and policy enforcement, and on interoperability of legacy systems and new technologies such as blockchain and smart contracts.
For what projects/services did your company hire iterasec?
We were looking for cybersecurity experts who can help us with assessing the security of our API endpoints. We wanted to identify security flaws that can lead to potential compromise.
How did you select this vendor and what were the deciding factors?
We had approached multiple vendors, had security assessments performed, and analysed the quality of the findings and the testing methodology.
Describe the project in detail and walk through the stages of the project.
The team had detailed interaction with our development and business teams to gain an understanding of the API and the business functionality. This helped them identify both technical and business logic flaws. They shared a detailed report with findings and mitigations. They also worked with our QA team to develop test cases to identify the flaws in future code and detect them in our QA tests.
How many resources from the vendor's team worked with you, and what were their positions?
Two penetration testers and a project manager.
Can you share any outcomes from the project that demonstrate progress or success?
We had worked with multiple vendors in the past and found the issues/flaws reported to be of value and importance.
How effective was the workflow between your team and theirs?
We had frequent communication via dedicated teams' channels.
What did you find most impressive or unique about this company?
The team showed a keen interest in understanding our business. This helped identify critical business logic flaws.
Are there any areas for improvement or something they could have done differently?
No.
Threat Modeling for Digital Ordering Solution
"The communication with the Iterasec team was constructive and clear."
The client submitted this review online.
Please describe your company and your position there.
I am the CEO of a Germany-based company specializing in security solutions and mobile development. Since 2001 the company has been focusing on mobile technologies starting from the earliest smartphones.
Our primary area of expertise is secure mobile development: we help customers protect their mobile solutions. The company’s customer portfolio includes governments, automotive brands, telecom, military, and other industries.
For what projects/services did your company hire iterasec?
When we start a new project we perform threat modeling as the first step of the shift-left security paradigm. In one of the new projects, we decided to have threat modeling performed independently by another company. Hence we decided to engage Iterasec to support us in these activities.
What were your goals for this project?
The goal of this project was to brainstorm on the threats applicable for this type of product, evaluate risks and design respective countermeasures.
How did you select iterasec?
We had a good experience working with Iterasec colleagues on some other security projects in the past.
Describe the project in detail.
The project consisted of several workshops, where Iterasec specialists performed threat modeling sessions with the dev team. They also jointly evaluated risk levels and suggested countermeasures.
What was the team composition?
The team consisted of 2 specialists: a senior application security consultant and a project manager.
Can you share any outcomes from the project that demonstrate progress or success?
The results exceeded our expectations: we encountered misuse and hacking scenarios that the development team hadn't thought about before the threat modeling sessions.
As a result, we were able to include remediations in the product design from the very beginning.
How effective was the workflow between your team and theirs?
The communication with the Iterasec team was constructive and clear.
What did you find most impressive about this company?
We were impressed by the way they think from a hacker's perspective; this allowed the development team to better understand security risks.
Are there any areas for improvement?
All in all, we were satisfied with the project quality and overall experience.
Cybersecurity Audit for SaaS Company
"They were able to work on our schedule."
The client submitted this review online.
Please describe your company and your position there.
I'm a developer of a web-based SaaS product.
For what projects/services did your company hire Iterasec?
We were looking for a cybersecurity company to perform a routine audit of our site and SaaS product.
How did you select this vendor and what were the deciding factors?
I wasn't involved in this process.
Describe the project in detail and walk through the stages of the project.
They performed a thorough security audit of our product.
How many resources from the vendor's team worked with you, and what were their positions?
We had a project manager, a couple of security analysts, and a couple of pen testers.
Can you share any outcomes from the project that demonstrate progress or success?
They were able to identify some vulnerabilities that we were then able to sprint and resolve. Our product is better for having gone through this process.
How effective was the workflow between your team and theirs?
They kept us updated through each round of testing and sent us weekly status updates.
What did you find most impressive or unique about this company?
They really went in depth.
Are there any areas for improvement or something they could have done differently?
Nothing offhand right now.
Penetration Tests for Web & Mobile Dev Provider
"They showed us a look from another perspective."
The client submitted this review online.
Please describe your company and your position there.
We are a web application development company. My position is PM.
For what projects/services did your company hire iterasec?
The challenge was to find security vulnerabilities in the project and improve its security protection.
What were your goals for this project?
- Conduct penetration test
- Improvements consultation
How did you select this vendor?
They came across as real professionals, so that was easy.
Describe the project in detail.
We held a kick-off meeting at the beginning and provided some useful tips on the project structure. We provided access to the servers and to the application where the penetration test was held.
What was the team composition?
2 professionals: a penetration tester and a manager.
Can you share any outcomes from the project that demonstrate progress or success?
The result was really great. We received a huge report with a prioritized list of vulnerabilities.
How effective was the workflow between your team and theirs?
The communication was easy and effective.
What did you find most impressive about this company?
They showed us a look from another perspective.
Are there any areas for improvement?
-
Iterasec impressively identified threats, especially configuration vulnerabilities. They also provided training on threat modeling and the SDLC process. The team always kept everyone updated and reported in a timely manner. Overall, their prowess in auditing stood out.