At PDQ, our motto is simple, secure, and pretty damn quick. We knew Connect had the “simple” and “pretty damn quick” boxes checked off the list, and we were pretty sure it was also secure. But in security, pretty sure is never enough. We needed to look at the product from all angles and find verifiable proof that it was secure.
That’s where our senior SOC analyst, Rachel Coleman, came to the rescue. In collaboration with Josh Mackelprang, Director of Service Operations, Rachel oversaw security testing to ensure Connect was ready for the market. We’ll explain her approach and testing techniques.
Trust is the foundation of everything we do. After all, we make products that control internal infrastructure. And those products are used by sysadmins with a deep understanding of cybersecurity and an eye for spotting solutions that just don’t stack up. We’re well aware of the fact that you’re not going to buy a device management solution from a trench-coat-wearing delinquent in a back alley. (Although, our side hustle selling Rol.exe branded watches is going swimmingly.)
“You want to be able to have your customers trust you and know that this product is going to be secure,” Rachel said. “Not only that the company can't touch their stuff, but also bad actors.”
With a cloud-based product, trust is even more critical since all the security heavy lifting falls on PDQ.
“The whole benefit of the cloud is that somebody else is securing and hosting it for you, but you also want to know that they're securing it well. We wanted to be able to tell our customers that we have done our due diligence in making sure the product is secure.”
Taking a proactive approach to security
Preventing problems is always better than responding to them. Rachel embraced a proactive approach to security, utilizing an array of testing techniques to look at Connect from different angles before it reached the public so that there wouldn’t be any surprises.
One of the most influential types of assessments Rachel oversaw was purple team testing. Connect went through two purple team tests: one for PDQ’s internal network and another for the product itself.
A purple team test uses both a red team and a blue team working in conjunction to simultaneously attack and defend. The red team simulates common tactics, techniques, and procedures (TTPs), and the blue team works to stop them. This effectively pinpoints potential risks and security gaps while assessing the maturity of our detection and monitoring controls, adherence to the incident response (IR) plan, technical analysis capabilities, and internal communication. Basically, it’s like watching an attack play out in real time but with lower stakes and less nervous sweating.
In addition, PDQ used other techniques, such as continuous internal vulnerability scanning, scheduled external vulnerability scans, penetration tests, and code review, to gather both broad and granular insight into Connect’s security.
According to Rachel, “There were a lot of steps that we in security had to go through to make sure we were comfortable with the tool going out.”
To get the most out of our security tests, we worked with well-respected vendors, like Orca Security, Beagle Security, SecurityMetrics, and Rapid7. (We tried to find more animal-named products to start our own security zoo, but it didn’t pan out.) Their services helped us get an outside perspective on the product and make sure we hadn’t overlooked anything.
While we did a lot of security testing up front to get PDQ Connect ready for the big dance (aka launch), we’re not going to just push it out into the world and hope it continues to thrive. The security landscape is constantly changing, and Rachel will continue to stay on top of the latest threats and test Connect to make sure it lives up to its potential.
PDQ Connect has a long future of assessments to look forward to. Between round-the-clock monitoring from PDQ’s security operations center (SOC), continuous internal and scheduled external vulnerability scanning, yearly penetration testing, and continued code review, we’ll never leave Connect alone. And that’s a good thing for our customers’ security postures (and our own identity as a company).
As Rachel put it, “Our motto is simple, secure, and pretty damn quick. If we're not secure, then we’ve got a problem.”