The Challenge
The company had begun an application security programme, focusing on its most sensitive and mission-critical applications. Even though that programme did a good job securing the company's key assets and put the company on par with others in the industry, the company also realized that it needed to scale up its programme to protect more of its data as well as its reputation. Not all of the company's approximately 700 web applications handled sensitive data, but if a less sensitive application was compromised, the company's reputation would still suffer even if its most crucial operations did not.
Therefore, it needed to work with a partner that not only had deep application security expertise, but also could scale up the company’s application security testing quickly. The goal was to help the client build a programme that could test a broad range of applications while providing findings and analytics that would help it strengthen its security posture across all of its business units.
Kroll's Solution
Kroll had worked with this client on web application assessments before, but not on a project this large. After a competitive bid process, the company selected multiple vendors to perform web application assessments. During the selection process, we highlighted not only our experience with web application testing, but also our ability to scale. Having worked with some of the biggest companies in the banking and media sectors, we had experience scaling up to similarly large enterprise engagements.
As a result of the initial selection process, Kroll was put in charge of testing about 200 applications used by the telecom's IT department. The engagement ramped up quickly: within a month of the company's signing, Kroll was testing about 25 applications per month.
Now, about four years into the engagement, Kroll has taken on an increased number of applications within the business and expanded into other groups, including the networking department. Each year, Kroll makes a plan, including a projected level of effort for the web applications assigned to be tested, and provides ongoing project management to make sure that the testing is performed completely, on time and on budget. Kroll has also expanded into assessing the security of emerging technologies for this client, including Internet of Things and 5G mobile devices.
The Impact
After working with Kroll, this telecommunications company has seen multiple security and operational benefits.
Actionable Data
The client found Kroll's detailed metrics so valuable that Kroll became its preferred application security vendor, and our reporting became standard across its penetration testing programme. The executive reporting not only discussed the identified vulnerabilities and the risk across the entire business group, but also provided specific visibility into the risk profile under each individual vice president responsible for a group of applications. In that way, the reporting gave a clearer view of the company's security posture, made it easier for individual segments of the business to focus on the security changes that would make the most impact, and showed how much progress each part of the business was making on its remediation goals.
Testing on Time, on Budget
Kroll has the size, scope, and project management experience to deliver large-scale testing on time and on budget, and we have been able to do so for this client each year of the engagement. That includes 2020. Even with the project paused by the client for several months during the middle of the year as a result of pandemic concerns, Kroll was able to ramp up testing when the client needed, get the project back on track, and complete the assessments by the end of the year.
Increased Web Application Firewall (WAF) Effectiveness
This client had put web application firewalls in place and wanted to know how effective they were. During the course of web application firewall testing, Kroll worked with the client to route application security testing through the WAF and identify what it was able to stop. Kroll then worked with the client to strengthen its WAF configuration based on the findings, so that it could get more value from that investment.
Verified Effectiveness of Scanning Programme
During the web application scanning phase of the assessments, Kroll's consultants noticed that automated scanning was identifying fewer vulnerabilities than average. For this client, only 15% of findings were identified during automated scanning, and 85% via manual testing. Compared to other clients, this is a significantly higher percentage of findings identified by manual testing. Kroll was able to verify the effectiveness of the scanning programme this client had already implemented and confirm that it put the business ahead of many peers.