Falanx Cyber Ltd

Edgescan - Continuous Technical Security Vulnerability Assessment

Edgescan is a managed, continuous technical security vulnerability assessment service. It combines continuous security testing and system visibility with full-stack vulnerability management, asset profiling, alerting and risk metrics. As official partners, Securestorm, an NCSC certified company, will assist customers with on-boarding the service and configuring the portal.

Features

  • Continuous technical security vulnerability testing
  • "Full-stack coverage": web applications/sites and hosting/cloud environments
  • False-positive-free results: a managed service with analyst verification of every vulnerability
  • Variable testing frequency: fortnightly, monthly, quarterly or on demand
  • Highly detailed vulnerability reporting, including the injection payload used and the response received
  • Continuous system visibility via a secure online portal
  • Rich API for integration with JIRA and ServiceNow
  • Customisable alerting via email, SMS or other channels
  • Highly customisable reporting in PDF, CSV and Excel formats
  • 24/7 governance, risk and compliance metrics

Benefits

  • Provides continuous visibility of on-premise and cloud environments
  • Frees up security staff to focus on other issues
  • Helps meet auditing and compliance requirements
  • Suitable for OFFICIAL (including OFFICIAL-Sensitive) classified services
  • Enables rapid reaction to security threats by identifying issues early
  • Value for money compared with traditional point-in-time security testing, from start-ups to corporates
  • Helps manage critical assets, freeing up resources and time
  • Expert analysts ensure risk is reported accurately and rated appropriately
  • Flexible access to systems under assessment as and when required
  • Security rating tracked over time to measure performance and improvements

Pricing

£3647 per licence per year

  • Free trial available

Framework: G-Cloud 10
Service ID: 492588613432879
Supplier: Falanx Cyber Ltd
Contact: Tom Evans
Telephone: 07525592168
Email: GCLOUD@falanx.com

Service scope

Software add-on or extension: No
Cloud deployment model: Public cloud
Service constraints: No constraints.
System requirements: None

User support

Email or online ticketing support: Email or online ticketing
Support response times: Within 2 working days (weekends excluded).
User can manage status and priority of support tickets: No
Phone support: Yes
Phone support availability: 9 to 5 (UK time), Monday to Friday
Web chat support: No
Onsite support: Yes, at extra cost
Support levels: The managed service provides detailed support by Securestorm for on-boarding and service management throughout the subscription period, via the technical account manager.
The non-managed service provides email and telephone support directly with the service provider only.
Support available to third parties: No

Onboarding and offboarding

Getting started: Securestorm provides on-boarding assistance and an initial demonstration and training on the use of the Edgescan service portal. User documentation and documentation on integration with other services such as JIRA and ServiceNow is available.
Service documentation: Yes
Documentation formats: PDF
End-of-contract data extraction: Assessment reports can be downloaded at any time in PDF format.
Vulnerability lists can be downloaded at any time in CSV or Excel format.
End-of-contract process: At the end of the subscription period the Edgescan continuous vulnerability assessment service stops conducting tests. Customers can then elect to renew the subscription.
Under the managed service, Securestorm provides the customer with a final assessment report in PDF format and a final list of outstanding vulnerabilities as a CSV file.

Using the service

Web browser interface: Yes
Supported browsers:
  • Internet Explorer 10
  • Internet Explorer 11
  • Microsoft Edge
  • Firefox
  • Chrome
  • Safari 9+
  • Opera
Application to install: No
Designed for use on mobile devices: Yes
Differences between the mobile and desktop service: Output and operation are the same.
Accessibility standards: WCAG 2.0 A
Accessibility testing: Web accessibility checkers were run against the service.
API: Yes
What users can and can't do using the API: The API can be used to integrate with JIRA, ServiceNow or other services. Full documentation can be provided.
API documentation: Yes
API documentation formats: PDF
API sandbox or test environment: No
Customisation available: Yes
Description of customisation: Alerts can be configured for different alert levels and delivered via different channels, such as SMS, email or webhooks into Slack and similar tools.
Assessment reports can be downloaded and configured for different levels of detail depending on the target audience, from management reports to finely detailed technical reports.
Configurations are made at initial on-boarding and can be updated at any point in the service period.

Scaling

Independence of resources: The Edgescan service is built on Amazon Web Services and is fully designed to scale on demand, so that other users' demand does not affect the service.

Analytics

Service usage metrics: Yes
Metrics types: The service portal provides a dashboard detailing a range of metrics, including the number of vulnerabilities found, the systems under test and the frequency of the assessments.
Reporting types: Real-time dashboards

Resellers

Supplier type: Reseller providing extra features and support
Organisation whose services are being resold: Edgescan

Staff security

Staff security clearance: Other security clearance
Government security clearance: Up to Security Clearance (SC)

Asset protection

Knowledge of data storage and processing locations: Yes
Data storage and processing locations: European Economic Area (EEA)
User control over data storage and processing locations: No
Datacentre security standards: Complies with a recognised standard (for example CSA CCM version 3.0)
Penetration testing frequency: At least every 6 months
Penetration testing approach: In-house
Protecting data at rest:
  • Physical access control, complying with SSAE-16 / ISAE 3402
  • Physical access control, complying with another standard
  • Encryption of all physical media
  • Other
Other data at rest protection approach: The data centre's physical security has been assessed using the UK Government's Classified Materials Assessment Tool (CMAT) as suitable for UK OFFICIAL (including OFFICIAL-SENSITIVE).
Data sanitisation process: Yes
Data sanitisation type:
  • Explicit overwriting of storage before reallocation
  • Deleted data can't be directly accessed
Equipment disposal approach: Complying with a recognised standard, for example CSA CCM v3.0, CAS (Sanitisation) or ISO/IEC 27001

Data importing and exporting

Data export approach: Downloadable assessment reports in PDF format at any time.
Downloadable vulnerability lists in CSV or Excel format at any time.
Data export formats:
  • CSV
  • Other
Other data export formats:
  • Excel
  • PDF
Data import formats: Other
Other data import formats: No uploads are available

Data-in-transit protection

Data protection between buyer and supplier networks: TLS (version 1.2 or above)
Data protection within supplier network: TLS (version 1.2 or above)

Availability and resilience

Guaranteed availability: The Edgescan Service web portal for each web application under assessment shall be available to the Customer not less than 95.5% of the time each calendar month (i.e. up to roughly 32 hours of unavailability in a 30-day month).
The Customer shall not receive any credits in connection with any failure or deficiency of Service Availability to the extent caused by or associated with: (i) a force majeure event; (ii) regularly scheduled or emergency maintenance and upgrades; (iii) any causes attributable to the Customer or its contractors; (iv) software or hardware not provided or controlled by Securestorm; and (v) outages elsewhere on the Internet, including but not limited to interruptions at any Customer or third-party data centre or ISP, that hinder the Customer's access to the Service.
Approach to resilience: The Edgescan service is built on Amazon Web Services cloud infrastructure and has been built to be resilient by design. Further details can be provided on request.
Outage reporting: The Edgescan service runs at the frequency requested by the customer, so testing is intermittent by design. The Edgescan reporting portal, however, is always available. Email alerts are provided for any scheduled or unscheduled downtime.

Identity and authentication

User authentication needed: Yes
User authentication:
  • 2-factor authentication
  • Username or password
Access restrictions in management interfaces and support channels: No remote administration interfaces are exposed on the Edgescan service's external infrastructure. Edgescan runs scanning and profiling services 24/7 against all of its infrastructure, with alerts configured for the exposure of any restricted service. Access to AWS and into the VPC is managed through AWS and its security controls. Access to the Edgescan AWS infrastructure is restricted to specific users connecting from specific locations (Edgescan IP addresses only) via VPN. Authentication is by username/password together with certificate-based authentication.
Access restriction testing frequency: At least every 6 months
Management access authentication:
  • 2-factor authentication
  • Public key authentication (including by TLS client certificate)
  • Dedicated link (for example VPN)
  • Username or password

Audit information for users

Access to user activity audit information: No audit information available
Access to supplier activity audit information: Users contact the support team to get audit information
How long supplier audit data is stored for: Between 1 month and 6 months
How long system logs are stored for: Between 1 month and 6 months

Standards and certifications

ISO/IEC 27001 certification: Yes
Who accredited the ISO/IEC 27001: EY CertifyPoint
ISO/IEC 27001 accreditation date: 11/11/2016
What the ISO/IEC 27001 doesn't cover: The certification is AWS's and covers the infrastructure on which the service is built.
The Edgescan applications and portal are not currently within the scope of the certification; Edgescan is preparing to go through ISO 27001 certification.
ISO 28000:2007 certification: No
CSA STAR certification: No
PCI certification: Yes
Who accredited the PCI DSS certification: Coalfire Systems, Inc.
PCI DSS accreditation date: 25/01/2018
What the PCI DSS doesn't cover: The AWS PCI DSS certification covers the AWS infrastructure on which the Edgescan service is built. The application and service portal are not covered by the certification.
Other security certifications: Yes
Any other security certifications:
  • Cyber Essentials
  • NCSC Certified Cyber Security Consultancy

Security governance

Named board-level person responsible for service security: Yes
Security governance certified: Yes
Security governance standards:
  • CSA CCM version 3.0
  • ISO/IEC 27001
  • Other
Other security governance standards: Securestorm is Cyber Essentials certified.
Edgescan is also Cyber Essentials certified and is currently working towards ISO 27001:2013 certification.
The underlying infrastructure is provided by Amazon Web Services, which is ISO 27001:2013, PCI DSS, CSA CCM, SOC 2, BSI C5 and Cyber Essentials certified.
Information security policies and processes: Securestorm has implemented an Information Security Policy covering data protection and privacy, classification, backup and recovery, encryption, data erasure and destruction, and change management and testing. All processes that staff are required to follow are detailed in the Securestorm Employee Handbook.

Operational security

Configuration and change management standard: Supplier-defined controls
Configuration and change management approach: Edgescan maintains and applies documented configuration and change management processes to ensure that changes such as updates, patches or fixes are timely and in line with business risk and needs. Full version and change control is enforced over all production systems and applications.
Prior to changes being applied to the live production environment:
• Change requests must be documented (e.g. on a change request form) and accepted only from authorised individuals.
• The possible impact of changes must be assessed (e.g. in terms of overall risk and of effects on other components of the installation).
Vulnerability management type: Supplier-defined controls
Vulnerability management approach: The Edgescan service runs daily vulnerability testing against its own servers, tools and the online portal, using a library of over 80,000 known vulnerabilities (CVEs).
The latest vulnerabilities and threats are continually updated from national and international sources such as MITRE, NIST, CiSP and CERT-UK.
Patches are assessed and deployed whenever available.
Protective monitoring type: Conforms to a recognised standard, for example CSA CCM v3.0 or SSAE-16 / ISAE 3402
Protective monitoring approach: The Edgescan service is security tested on a daily basis, as well as undergoing extensive security testing during development. All code is required to undergo both peer review and static testing. All live systems must undergo regular dynamic testing. Edgescan currently uses Chef to ensure all components are current and managed automatically. Security incidents are classified by type, each of which requires a different approach to containment and remediation. The severity level of an incident determines the anticipated response time: Severe and High = immediate; Moderate = 2-3 hours; Low = 4-12 hours.
Incident management type: Supplier-defined controls
Incident management approach: Both Securestorm and Edgescan have pre-defined policies and processes for incident management and response.
Users can report any incident regarding the Edgescan service and online portal either directly to Edgescan or to Securestorm via email: admin@securestorm.com
Incident reports are provided on a case-by-case basis depending on the type of incident. Any incident reported by a user will receive a response giving the outcome of the incident.

Secure development

Approach to secure software development best practice: Conforms to a recognised standard, but self-assessed

Public sector networks

Connection to public sector networks: No

Pricing

Price: £3647 per licence per year
Discount for educational organisations: No
Free trial available: Yes
Description of free trial: A trial proof of concept can be arranged for a single assessment.

Documents

Pricing document: Uploaded document
Service definition document: Uploaded document
Terms and conditions document: Uploaded document