X-Force Red Gets Serious About Penetration Testing
This week, IBM announced the creation of X-Force Red, a new elite security testing team. I’ve been working on putting this group together since October of last year, so the announcement gave me a mixture of pride, relief and excitement.
I’ve been involved with security testing long enough that creating one more pen testing team wouldn’t be very challenging or rewarding. This is different, mostly because of IBM’s unparalleled stature in technical innovation.
In 2015, IBM received 7,355 patents in the U.S., making us the leader for the 23rd consecutive year. With Watson, IBM is pioneering aspects of artificial intelligence and data analytics that not long ago seemed like science fiction. Just last week, I was blown away when the IBM website featured an invitation to “sign up to run virtual experiments on a quantum processor.”
I wish that I could say we’re using quantum computing at X-Force Red. We’re not quite ready for that, but we still embody IBM’s innovative spirit.
X-Force Red Does the Heavy Lifting
Anyone in security can tell you how overwhelming massive amounts of vulnerability data can be. Even in small organizations, findings from penetration tests, code reviews and vulnerability scans pile up quickly.
Vulnerability analytics are a key feature of X-Force Red’s offerings. They help to prioritize and track work, identify security trends in your organization, map risks based on shared dependencies and much more. The data can come from any source: tests performed by IBM, vulnerabilities discovered by your own internal work or even issues documented by third-party tests.
There are four main disciplines within X-Force Red:
- Application: Manual penetration tests, code review and vulnerability assessments of web, mobile, terminal, mainframe and middleware platforms;
- Network: Manual penetration tests and vulnerability assessments of internal, external, Wi-Fi and other radio frequencies;
- Hardware: Security tests that span the digital and physical realms with Internet of Things (IoT), wearable devices, point-of-sale (POS) systems, ATMs, automotive systems, self-checkout kiosks, etc.; and
- Human: Simulations of phishing campaigns, social engineering, ransomware and physical security violations to determine risks of human behavior.
A Team of Experts
The vast technical experience at IBM is another advantage of X-Force Red. Any decent security testing team will have experts on the common application and network technologies. But when it comes to bleeding-edge, niche or legacy technology, consultants can be left scrambling. X-Force Red is backed by the collective experience of literally hundreds of thousands of the world’s best technologists that work at IBM.
Simplicity is another key aspect of the X-Force Red strategy. Filling out scoping surveys and counting your webpages, classes or database servers slows down the testing process and doesn’t improve your security. The details on how we scope and size projects can be found here.