RedInk is a cloud-based vulnerability management ecosystem that allows organizations to create, import, monitor, and remediate vulnerabilities manually or from third-party vulnerability scanners, such as Qualys, Nessus, and NeXpose.
RedInk brings automation and actionable intelligence to penetration tests that once ended with a PDF report containing hundreds, even thousands of vulnerabilities that needed attention by multiple teams and departments.
RedInk allows companies to prioritize and collaborate over the remediation of vulnerability findings from vulnerability scan reports and penetration tests. With a full range of enterprise-grade features, including modules for vulnerability management and risk management, RedInk allows organizations to finally build a workflow around their vulnerability management program for the continuous identification and remediation of vulnerabilities in their environment.
Several methodologies have been published over the years for performing a penetration test. This paper provides guidance on designing your own methodology for performing a penetration test within your organization.
The RedInk vulnerability management cloud platform allows organizations to manage and react to vulnerabilities that our firm finds during penetration tests as well as vulnerabilities found by third-party scanners, such as Qualys, Nessus, and NeXpose. Complete with rich, enterprise-grade features, RedInk provides companies a vulnerability management capability to create, import, and assign vulnerabilities to individuals, teams, or departments within their organizations, and to assign vulnerabilities to assets inside a built-in asset management system that can distinguish between internally-facing and externally-facing vulnerabilities and eliminate duplicate vulnerabilities introduced by assets with more than one IP address.
Role-based Vulnerability Management
Through a unique lens of how vulnerability management should be implemented, RedInk supports multiple user and group roles within the system. Each company can have a Company Administrator, who is responsible for administering the company account, as well as departments, teams, and individuals, all of whom can be assigned vulnerabilities for remediation or ownership of assets.
Cross-Functional Team Collaboration
Assets can be assigned to system owners, each of which can be an individual, team, or department responsible for ensuring vulnerabilities are assigned to the proper resource, which can also be an individual, team, or department, for further remediation. The security administrator role within the system, the resource responsible for the remediation, can collaborate within the vulnerability ticket in a remediation thread or through a messaging system built into the platform when the asset owners and security administrators are not within the same physical area. Through RedInk, users have the ability to work collaboratively across different departments, ensuring that IT security, network administration, server administration, deskside support, and compliance are involved in the vulnerability remediation process.
Actionable Penetration Test Reports
Vulnerabilities discovered from manual penetration tests and/or automated vulnerability scanners can be individually turned into actionable tickets. Each ticket can have a specific asset assigned to the ticket along with an asset and ticket owner. A comment thread on each ticket allows for collaboration inside the ticket for cross-team productivity improvements. Additionally, tickets can be assigned to owners, moved between queues, and given priority as well as assigned to teams and departments.
Service-Level Agreement (SLA) Support
RedInk supports the capability for SLAs on individual vulnerabilities. Each vulnerability can have a default SLA assigned to it when created or imported that triggers warning notifications to the asset owner and security administrator when an SLA is about to be breached. The SLA support ensures that vulnerabilities are being closely monitored and tracked to eventual remediation.
Risk Management Metrics
RedInk adds support for risk management metrics, including the ability to define asset values and the three important concepts when prioritizing open vulnerabilities within the system — the ability to define a vulnerability’s likelihood of exploitation and ease of exploitation, which will help the asset owner prioritize the remediation effort.
RedInk was built from the ground up with security in mind, knowing the sensitive data that is being stored within it for organizations. The RedInk web application does not interact directly with the backend database. A database abstraction layer intercepts all requests and creates the SQL queries to the backend database, preventing SQL injection attempts at the application layer. The data for RedInk is split between two separate databases, which provides non-attribution between companies and their vulnerabilities in the unlikely case a database becomes compromised. Data-at-rest encryption is in place for all data within the backend databases. RedInk also requires two-factor authentication (2FA) when users log in.
Asset Management System
An asset management system provides users the ability to create or import assets into the system, assign asset owners, and define multiple network interfaces and IP addresses for the asset, which enables RedInk to correlate multiple vulnerabilities to a single asset and eliminate duplicates if the same vulnerability is found for different IP addresses mapped to the same asset. An example use case is a vulnerability scan performed against an asset's external IP address and a separate scan performed against its internal IP address. Instead of entering the vulnerability twice into the system, the asset management system will correlate the two vulnerabilities, recognizing them as belonging to the same asset. Additional features include the ability to define an asset as a restricted system that is in scope for PCI-DSS, as well as being able to tell RedInk that it is internet-facing. Each asset can have its operating system (OS) defined, a physical location with support for cloud servers in different AWS regions, an asset value, internal and external IP addresses, VLAN support, and an asset owner.
Vulnerability Evidence Attachments
False positives are possible with any vulnerability scanner. During penetration testing, penetration testers will often produce evidence from the successful exploitation of an asset, such as screenshots or looted files. The evidence tab allows security administrators to post evidence of control effectiveness or penetration testers to post evidence that a vulnerability is not a false positive.
We share our clients’ ambitions working to understand their reality and deliver true results – focusing on strategic decisions and practical actions. We align our incentives with our clients’ objectives so they know we’re in this together as a closely-held partnership.
Badger Meter enjoys the collaboration features for its globally disparate IT organization for the assignment and remediation of vulnerabilities within RedInk.
Foot Locker retains Brier & Thorn for annual penetration testing, leveraging the vulnerability and asset management features of RedInk to quickly take the penetration testing findings and make them actionable so evidence of vulnerability remediation can be provided to their PCI auditors for their annual QSA audits.