Blacklock by Security Simplified aims to simplify IT penetration testing industry
Wellington cybersecurity consulting company Security Simplified aims to bring significant savings for SMEs who need security penetration tests on their internet-facing assets – and the company’s first product Blacklock has been nominated for awards after just four months in business. Michael Botur spoke to the founder Nilesh Kapoor.
Penetration testing is a technique to identify security vulnerabilities in your information assets such as a web application or network. The penetration tester makes authorised attempts to break in to show the client which information assets need to be better protected before a real attacker exploits them and gains unauthorised access to the client’s systems.
Created by Security Simplified co-founder Nilesh Kapoor, Blacklock automates penetration testing with a slick web-based service which gets testing underway with minimal meetings and no complicated onboarding. After Blacklock’s initial testing is complete, it provides reports to the customer suggesting what needs to be remediated.
Because Blacklock automates nearly all of its processes, the service cuts penetration test costs by almost 30%. The industry norm, otherwise, is for such testing to cost up to $10,000 per week and take weeks to complete – not to mention set-up time to contract, scope-out and authorise the penetration testing. Kapoor’s team believe this process is longer than it has to be.
There is demand for penetration testing because new cyberattacks are discovered and exploited every day. A recent British IT Governance blog reported 91 million data records were breached in September 2021 alone, bringing the year’s total number of records worldwide breached due to malicious penetration to over 4.1 billion.
Here in New Zealand, the government’s Computer Emergency Response Team (CERT NZ) reported in the second quarter of June 2021 that NZ businesses experienced $3.9m in direct financial losses due to cyber attacks in Q2 alone, with 1350 incidents, unauthorised access making up 171 of these incidents – a 37% increase from Q1.
Solving cybersecurity challenges occupied five years of Kapoor’s life in Bengaluru, India, before he arrived in NZ in 2013. During this time he co-authored the Security Testing Handbook for Banking Applications (2009, IT Governance Publishing). Kapoor worked as a senior security consultant for top-level government and private sector businesses.
When 2021 arrived and Security Simplified was ready to roll out its Blacklock product in July, Kapoor and co-founder Anuj Agarwal added to their arsenal Emmanuel Law, a security researcher who has worked at some of Silicon Valley’s ‘Big Four’ tech companies, as well as Graeme Neilson, who was Chief Research Officer at RedShield.
It’s been a carefully-thought-out journey. Kapoor backed himself, using his own personal income from work as a security consultant to pay to develop Blacklock – a loan-free startup approach known as bootstrapping.
Kapoor could see the light at the end of the tunnel, though. Evidence showed the costs and processes associated with penetration testing were always open to competitive development. “I never understood why penetration testing had to be so complex, lengthy and expensive,” Kapoor says.
“The ideation of Blacklock evolved from a simple question – ‘How do we simplify penetration test engagements and provide value to customers?’
“Our answer is the customer provides us the target details, what needs to be attacked, then they go into sign-off process, integrated with DocuSign. Our attack is augmented with human testing. Users finish with reports listing the steps to patch/repair a weakness in an application. All in all you save 30% in terms of time and money.”
Blacklock gives an easy-to-use dashboard to view testing as it runs, feature-based testing and four tiers of pricing depending on the nature of the web app being tested. Blacklock has also carefully worked out how to guarantee zero false positives in the reports (a false positive is an error that indicates a vulnerability is present when it is not).
Automating all of the above saves time and money for the customers, and at the same time reduces overhead and increases the company’s efficiency.
“Previous processes would take a couple of weeks,” Kapoor says. “With our process it takes around 24 hours – five days depending on the complexity of the application.”
Kapoor believes Blacklock is the first product in the Asia-Pacific to completely streamline penetration testing from beginning to end, including allowing customers to manage their own vulnerabilities.
While sales are gradually building up momentum, three award nominations since July 2021 have validated that Blacklock should be warmly welcomed into the market, and Blacklock secured an NZ government entity client in September 2021. Other clients have included an educational software-as-a-service company in the education and HR space.