Offensity

Search for vulnerabilities

It all started when Aron joined the security team at A1 in 2016. We had (and still have) an extensive and dynamically grown IT infrastructure that we tried to maintain and keep up to date as best as possible. But all documentation of servers, software, and versions has its natural limits. Therefore, it was not always possible to determine whether we were using a particular software version or library with a critical vulnerability at the push of a button.

When researchers published a vulnerability in the Apache Struts web framework with the highest possible risk rating (CVSS 10) at the beginning of 2017, we could not determine which of our servers needed patches. Immediately, our team scoured our databases to see on which platforms we were using this software. We were able to find a small number of affected systems and quickly updated them.

However, a small part of the team tried not to rely on internal databases and documentation and looked for other ways to find potential vulnerabilities. We approached the problem as attackers would: trying to find and exploit undocumented entry points and functions. Using public archives, directories, Google dorks, and port scans, we were able to find additional applications that were affected by the same vulnerability.

With each newly published vulnerability, it was tedious to find systems with vulnerable technologies. Is there an easier way to do so?

The idea for "Offensity" was born: If it were possible to create a database of deployed technologies via their visible fingerprints, it would be possible to find out at the push of a button where an Apache Struts application or a particular SSH software is in use.

Intrapreneurship

However, before we got started, there was an internal announcement in our company. The "Intrapreneurship" program asked for innovative ideas from employees to be realized as an "internal startup". With this approach, we could combine the advantages of an agile startup with the opportunities of a corporation.

We came together as a team: Daniel Endresz from our internal CERT (Computer Emergency Response Team), Philipp Mirtl (my colleague focusing on the organizational aspects of security), and Aron Molnar, the author of this text. We decided to submit the idea of a technology database and subsequent vulnerability and risk scans to the RFP. We were allowed to present it to the nine CEOs from our sister companies (international telecom companies).


And indeed: The board selected three ideas (from around 70). And ours was among them.

Our first major milestone was to find out whether companies would even be interested in such a solution. We were invited to talks by potential customers and reached our goal of four future customers right away.

The contracts were initially limited to one month. While we were exclusively engaged in creating and improving a technology and vulnerability database for our customers during that month, we copied the results into an HTML template, generated a PDF, and emailed it to our customers every week.

Pitch at karriere.at

The feedback was very positive, and already with the first reports we were able to pinpoint critical weak points. We now knew that our idea worked and would increase security for customers. Since then, our vision has been to reduce the effort required for a secure infrastructure for our customers.

A mature product

Today, several years after we won our test customers, we can proudly look at an advanced and mature product. Currently, we perform over 20,000 scanning hours per month for our customers and continuously scan more than 10,000 target systems.

We provide our customers with a clear list of vulnerabilities and give an overview of the services that attackers can access. On an ongoing basis, we monitor emerging critical vulnerabilities and help our customers respond to them faster than would be possible with traditional vulnerability scanners. We also alert our customers to employee passwords published on the Deep Web after new data leaks to help prevent infrastructure attacks. Always with the vision to achieve more security with less effort for our customers.