Consultancy: Frequently Asked Questions

How does the service work?
Can I try before I buy?
Who runs the audits?
How do I get a report?
Does my customer know I am using you?
What does it cost to use?
What discounts are available to me?
What is the per-customer charge?
Do I need to keep a continuous subscription?
How often can I run an audit for a customer?
How much do I charge my customers?
What is an audit waiver?
Why do I need to have each customer sign a waiver?
Can I set up my own site with your service?
After running your audit, are my customers secure?
How long does it take to audit a full class C network?
Will this take down my customer's network?
Which platforms do you audit?

How does the service work?
The service is essentially a replacement for a commercial vulnerability scanner. Rather than buying a commercial scanner for many thousands of dollars, worrying about network connectivity, keeping the tool up to date, ensuring it is operating properly and so on, you can use our audits as a competitive replacement. By providing a web front-end to a scanning system, along with authentication mechanisms, we offer users a cost-effective way of using a vulnerability scanner. There is no software to download and nothing to install. Everything is done via a browser over SSL to our site, from where you can request audits, schedule audits for later, view reports, annotate reports, and so on.

Can I try before I buy?
Yes. You can register for a regular user account on our system and try the interface by running any of our free audits. Consultants get an almost identical interface; the only difference is that a different authentication mechanism applies when you audit systems that you are not browsing from.

Who runs the audits?
You do. We provide the facilities, but you are the one that logs into your account on our servers, schedules or runs audits, looks at reports, etc.

Does my customer know I am using you?
Possibly. Since it is our scanning farm running the audits, a customer that does a reverse DNS lookup on the IP addresses doing the scanning will see them resolve back to *.securityspace.com.

Our reports, on the other hand, have an unbranded, printer-friendly version that does not show the SecuritySpace name or logo anywhere. The audit waiver that you must have customers sign is also unbranded. You are free to wrap the waiver in your own letterhead so long as you do not change the text of the waiver. Reports may be re-branded and edited in whatever fashion you choose.
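The FAQ notes that a customer can identify the scanning source by reverse DNS. A customer's SOC that wants to confirm scan traffic really comes from the authorized scanner should not trust the PTR record alone; the check below, an added example that is not part of the FAQ or the SecuritySpace service, does a forward-confirmed reverse DNS lookup over constructed firewall log lines. All IP addresses, hostnames and the resolver tables are constructed; only the *.securityspace.com suffix comes from the page.

```python
"""Forward-confirmed reverse DNS check for scan traffic (added example, not
part of the original FAQ or the SecuritySpace service). The *.securityspace.com
PTR suffix comes from the FAQ; every IP, hostname and resolver table below is
constructed for illustration."""

# Constructed stand-ins for live DNS. For real use, replace ptr_lookup with
# socket.gethostbyaddr(ip)[0] and a_lookup with socket.gethostbyname_ex(name)[2].
PTR_TABLE = {
    "192.0.2.10": "scanner1.securityspace.com",  # genuine: A record maps back
    "192.0.2.11": "scanner2.securityspace.com",  # PTR claims scanner, A disagrees
    "198.51.100.7": "host-7.example.net",         # unrelated source
}
A_TABLE = {
    "scanner1.securityspace.com": ["192.0.2.10"],
    "scanner2.securityspace.com": ["203.0.113.5"],
    "host-7.example.net": ["198.51.100.7"],
}

def ptr_lookup(ip):
    return PTR_TABLE.get(ip)

def a_lookup(name):
    return A_TABLE.get(name, [])

def classify_source(ip, suffix=".securityspace.com", ptr=ptr_lookup, fwd=a_lookup):
    """'scanner' only when the PTR name has the expected suffix AND the forward
    lookup of that name contains the IP. A matching PTR whose A record points
    elsewhere is 'spoofed-ptr': whoever controls a reverse zone can publish any
    PTR text, so the PTR alone is not proof of who is scanning."""
    name = ptr(ip)
    if not name or not name.lower().endswith(suffix):
        return "unknown"
    return "scanner" if ip in fwd(name) else "spoofed-ptr"

def classify_log(lines, **kw):
    """Parse constructed lines 'src=IP dst=IP dport=N' into {source_ip: verdict}."""
    verdicts = {}  # insertion-ordered: first-seen source first
    for line in lines:
        fields = dict(f.split("=", 1) for f in line.split() if "=" in f)
        src = fields.get("src")
        if src and src not in verdicts:
            verdicts[src] = classify_source(src, **kw)
    return verdicts

SAMPLE_LOG = [  # constructed firewall log lines
    "src=192.0.2.10 dst=10.0.0.5 dport=22",
    "src=192.0.2.11 dst=10.0.0.5 dport=80",
    "src=198.51.100.7 dst=10.0.0.5 dport=443",
    "src=192.0.2.10 dst=10.0.0.6 dport=25",
]
```

Run `classify_log(SAMPLE_LOG)` to get one verdict per distinct source; a "spoofed-ptr" verdict is worth an alert even during an authorized audit window.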

What does it cost to use?
There is a one-time, $250 USD setup fee to become a member of the consultancy program. This is billed after you have been accepted and after you have returned a signed consultancy agreement. Thereafter, the costs for the services are listed on the site under each service section.

What discounts are available to me?
Consultants do not receive discounts off the list prices. What they do get is the ability to leverage services they buy against an unlimited number of customers. If you buy, for example, a one month unlimited auditing package, you may audit as many customers as you want within the duration of your subscription.

What is the per-customer charge?
There is no per-customer charge. You may leverage your subscription against an unlimited number of customers.

Do I need to keep a continuous subscription?
No. You can, for example, choose to buy a one month auditing package every other month, or even less frequently. The only restriction is that if you don't order any services for a full year, we may not renew your contract at the end of that year.

How often can I run an audit for a customer?
As often as you like. We do not track your usage of the service on a per customer basis. If you have an active subscription, you may use it.

How much do I charge my customers?
That depends on the services you are providing. We set no restrictions on how much you bill your customer, and in fact would prefer not to know. As an obvious general rule, you will need to price your service according to the value you provide.

What is an audit waiver?
An audit waiver is a one-page agreement that your customer must sign before we allow you to audit your customer's network. It ensures that the customer acknowledges the inherent risks associated with an audit, accepts them, and permits you to go ahead with the audits.

Why do I need to have each customer sign a waiver?
It is a liability protection mechanism for both you and ourselves. It ensures that the appropriate due diligence has been conducted to allow the audit to proceed.

Can I set up my own site with your service?
No. We don't sell or lease the software making up our services in that fashion. If you wish to set up your own scanning services, you will need to investigate other solutions available to do that.

After running your audit, are my customers secure?
Even if an audit comes up clean, it is no guarantee that the system audited is secure. A "canned" vulnerability scan, which is what we provide, is a good start for determining the security posture of a system, and we know of a number of organizations that use our services as a sanity check alongside a full penetration test. But you should be aware that it is only a start. There are many other security issues to be dealt with, and that is where a consultant can provide added value: determining whether adequate policies and procedures are in place, whether proprietary applications are secure, and so on.

How long does it take to audit a full Class C network?
This depends on several factors. For advanced audits, a rough rule of thumb is that the default subscription will audit anywhere from 4 to 15 IP addresses a day, depending on whether the systems being audited are firewalled, the amount of latency on the network, packet loss, and so on. The average is 10 audits per day, meaning that it would take about 25 days to audit a full Class C.

If faster audit times are required, you may purchase additional channels, which allow you to audit more IPs concurrently. You may purchase as many additional channels as you need to complete the audit in the time frame required. Each channel gives you the ability to run one audit at a time. Standard subscriptions come with a one channel allocation, while the Advanced subscriptions come with a two channel allocation.

Will this take down my customer's network?
Possibly yes; probably not. An audit is considered intrusive, and as such there is always a risk of a service interruption, either on network devices or in applications. We take a number of steps to mitigate that risk. The main one is that tests in the Denial of Service category, which have the highest likelihood of impacting a network, are disabled by default. Whether or not you enable them depends on your customer's tolerance for an outage. We generally recommend that if a customer can tolerate an outage, the full test suite be run. Note that if our tests bring down a network, it is imperative that whatever is causing the problem be resolved, since we do nothing that a more malicious individual could not also do.

Which platforms do you audit?
Our service has tests for virtually every platform out there, and is not limited to one particular operating system or application suite. You will find tests for Windows, Linux, Unix, Macintosh, Web servers, Database products, and more. If it can be remotely tested, we try to have the test for it available.