TL;DR: After establishing its experience and credibility with a central website for sharing the newest security threats, Beyond Security has spent nearly two decades perfecting tools that identify security weaknesses in networks, applications, software, and websites. The company’s automated scanning engine and testing library helps both rookie site owners and Fortune 500 corporations find vulnerabilities in their code and infrastructure. Beyond Security lends its expertise to website owners for free, offering no-cost weekly or monthly security scans and reports.
Despite what you might think, website security threats have largely stayed the same — and there are fewer than you’d expect.
Although new vulnerabilities might be discovered weekly in applications and operating systems, Beyond Security Chief Operating Officer and Chief Marketing Officer Brian Pearce said websites are prone to only between 20 and 30 standard vulnerabilities.
“The basic code of a website doesn’t change that much, and things like languages are fairly well locked down,” he said. “The problems are not new or different.”
Those weaknesses, however, can expose website owners or their visitors to malicious attacks. Beyond Security offers tools for customers to scan their website, applications, web servers, or networks for exposed weaknesses — and extends the tools by giving free recurring scans on your first website through ScanMyServer.
Usually, there are relatively few issues to solve. According to Brian, most customers might have a couple of major issues to fix within a few weeks and a handful of more moderate concerns that can be addressed over a longer period of time.
“It’s not a giant task that one is necessarily opening up when they want to test a website,” Brian said. “It’s the sort of thing you can fit into your work schedule. It’s mostly a matter of getting people to take that first look, open the door, take a look, and see what’s inside.”
Free Security Scans Promote a Safer Internet for All
Appealing to first-time site owners and small businesses lacking technical expertise, Beyond Security makes its enterprise-grade scanning engine and testing library available for free to site owners through ScanMyServer.
“We have this system that has a huge capacity for scanning just sitting there, so we figured why not introduce people to it with a free scan of their website,” Brian said. “It’s a promotional action, but it’s also something we feel is valuable to reduce the general level of noise on the internet. It’s a safer system out there for everyone if even a few problems are identified and resolved.”
ScanMyServer will test sites for weaknesses, including cross-site scripting, SQL injection, code injection, or remote file inclusion, and will rescan the website weekly or monthly.
“The idea is to give as many people as possible the tools necessary to do this kind of work,” Brian said. “It’s just a general improvement of the internet in our own small way. We’re not changing the world here, but it is something readily available for us to share.”
How Beyond Security Identifies and Helps You Address Vulnerabilities
In addition to novice site owners, Beyond Security’s customers scale all the way to Fortune 500 corporations. For example, a large European bank uses Beyond Security’s AVDS network and application scanning platform to examine 4,000 external websites and IP addresses each month.
1. Test Library and Engine Scans Website Code and Infrastructure
Beyond Security’s tools can cover such a wide range of companies and industries because networks and applications typically rely on the same types of operating systems and infrastructure, according to Brian.
“Networks large and small use a lot of the same functionality,” he said. “There is a certain, expected set of usual pieces or components to a network. Once we put together a library that covers the range of equipment or operating systems you find on the network and applications, then the size of the company or the industry is not very material.”
The scanning engine and test library, which Beyond Security started in 1999, maps the network or application’s security and simulates internal and external attacks designed to expose weaknesses.
2. Industry-Leading Accuracy Cuts Down on False Positives
According to Brian, accuracy in vulnerability reports is of the utmost importance — particularly for customers looking for Beyond Security to help them reach and maintain compliance with security regulations, including PCI, HIPAA, and FERPA.
“What we do is make sure if we’re reporting on a vulnerability, we’re really, really sure it exists,” Brian said. “That person using our tools can be certain that it is there, and we’re not giving them the runaround.”
Most vulnerability assessment tools simply check identifying information, such as version numbers, and assume the known weaknesses are present. Beyond Security, however, tests a device or application’s actual behavior, which accounts for any customizations a user has made. AVDS, which uses the same scanning engine and test library as the web application scanner, reports a false positive rate of 0.1%.
“The false positive issue is an important one in the industry,” Brian said. “You want to maintain customer confidence in the tool, and you don’t want them spending a lot of their man-hours chasing around things that don’t exist.”
3. Detailed Reports Help Site Owners Do Their Own Repairs
Once the scanning is complete, the Beyond Security service generates a report that details each vulnerability’s severity and potential impact, as well as general steps on how to resolve the problem. When available, the report will also link to third-party reference materials or patches.
“Someone who is building their own website will have sufficient gumption and knowledge to do their own repairs based on the instruction we provide,” Brian said. “We find that we have very few situations where a person comes up with an issue that they weren’t able to resolve.”
Coming Soon: Moving Beyond Vulnerability Testing and Into Repairs
According to Brian, Beyond Security is working to become more than just a testing and scanning tool. In the coming months, the services will identify the issues — and then proceed to fix them.
Routine fixes that Beyond Security could handle would include configuration adjustments or installing a missing patch. He made sure to mention, however, that website and network administrators would retain control over exactly which actions they allow Beyond Security to take, to avoid accidentally changing how services operate.
“We’re moving in the direction of not only finding issues and giving customers instructions on how to fix them but also helping them take the next step,” he said.