Zen Internet relies on Invicti Enterprise to keep customers secure
The product is high-value but so is the organization. In my experience, doing business is about people – security is all about people. My interactions with Invicti have been incredibly positive. They treat every organization with the same level of respect and care; whether you’re a huge organization or a medium organization like Zen Internet, you feel like you are still being treated in the same fashion. I know a great company when I see one. I would recommend working with this company to anybody, and the quality of the product stands out.
– Michael Thompson, Information Security Manager, Zen Internet
Located in Greater Manchester, England, Zen Internet is an award-winning internet service provider (ISP) with a mission to empower its customers through connectivity. Founded in 1995, Zen Internet provides home and business customers with reliable, fast broadband internet service. Because so many people rely on that connectivity across the UK, the Zen Internet team must ensure that their web application security is always fortified and that they’re prepared for new cybersecurity threats to keep their data safe and secure.
Seeking a solution to improve security posture
Because Zen Internet is an ISP with a lot of software to manage and maintain, they knew that they needed to fortify their web application security to prevent cyberattacks. Michael Thompson, Information Security Manager at Zen Internet, joined the company about ten years ago and quickly recognized that to face emerging threats, they needed a way to inventory software, manage their assets, and improve their security posture.
I am good friends with Troy Hunt, and he recommended looking at Netsparker (now Invicti). He used it in his training courses. We took a demo, used it, and were amazed by the quality of the product – thoroughness, reporting, clean UI, and easy to navigate, with straightforward configuration.
Michael and his team surveyed other tools like Burp, Nikto, and OWASP ZAP, but they weren’t quite sophisticated enough for everything Zen Internet needed to do at that time to fortify their security strategy. Because he was already familiar with Netsparker by Invicti and was connected to Invicti founder Ferruh Mavituna, the move to Invicti Enterprise was an easy one for them.
Baking security into continuous development
Engineering productivity is a relatively new team at Zen Internet. They work with engineering teams on software, networks, and infrastructure, always looking for ways to integrate security into a continuous development process so they know about any security defects or insecure configurations before an application is released. But first and foremost, with so many web apps, websites, APIs, and services, one of their ongoing security challenges is clear and consistent asset management.
Asset management issues are a risk to any organization and should be a top priority because you can’t protect assets you are not aware of. If you’re building stuff and nobody knows about it, then all you’re doing is increasing the organization’s attack surface.
With a customer base of 140,000, of which 30,000 are commercial organizations, it’s critical for Zen Internet to maintain a good security posture and clear asset management. They have a massive DNS presence, too, because they’re an ISP and a hosting company. In addition to keeping all of their customers secure, they need to make sure their own enterprise infrastructure is safe as well.
Reliable reporting with critical clarity across teams
Zen Internet is an ASP.NET house, so the majority of their software is built on the .NET framework, which already has many security features in place. However, they also use JavaScript open-source components and other third-party software, so they need a way to secure all those external assets. With the Invicti platform at their fingertips, they now receive weekly reports that highlight outdated technologies on the website and provide a summary update which they can easily share with team leads for quick fixes.
It is very important to be able to provide the right level of detail to the right audience. For example, executives are interested in seeing the risk level, the trends, whether we are doing better or worse… That’s the kind of quality and depth that you get from the product; the ability to tailor reporting is just fantastic.
They needed a better way to provide the right level of detail for the right audiences when it came to reporting – especially important for keeping an eye on trends. With the Trends report feature in Invicti’s platform, they’re now able to gauge their successes much more easily and spot areas of improvement.
Another cool feature is the Trends report. This is very helpful when I have conversations with executives in the business who are interested in how our web application security is doing. I can just open the dashboard and show them which vulnerability is going up or down, tell them where it’s going up, and say what we are doing about it. The level of insight is absolutely incredibly valuable to us.
False positives plague reporting efforts for many businesses that build and manage software, and Zen Internet was no different. With Proof-Based Scanning from Invicti, though, the Zen Internet team has evidence that a reported vulnerability is real, down to a proof of concept that shows the actual attack vector. And with 99.98% accuracy, each confirmation saves them valuable time and reduces manual work and rework.
Keeping their attack surface in check
Perhaps the biggest benefit that Michael and the team at Zen Internet experienced after adopting Invicti’s platform is the ability to track and manage their entire web technology stack. After all, you can’t secure what you don’t know you have, and if you don’t know about a problem, you can’t manage it. The team relies on features like technology version tracking to alert them to outdated and vulnerable source libraries or frameworks for more informed risk management.
Asset management is a really big priority for Zen Internet, but it should also be a big priority for everybody. The out-of-date technologies report that we get from Invicti is brilliant for us as it feeds straight into our asset management mission.
Additionally, with technology reports from Invicti Enterprise, Michael and his team members can improve their third-party source code management and make better security decisions when building and maintaining their own repositories. All of the information they pull from Invicti scan results also continues to feed these strategies for long-term improvements – and that is on top of the day-to-day vulnerability tracking.
Looking ahead with Invicti
A strong web application security posture means that Zen Internet can continue serving its many customers with confidence. Because Invicti provides detailed guidance for securing third-party and in-house code without the distraction of false positives, Michael and his teammates are able to provide greater transparency into their wins, their roadblocks, and their overall security efforts so they can continuously improve the quality of their applications and services.