We aim to provide clients with more self-service control, actionable insights, improved contextual risk, and enterprise-level scalability.
We are shifting to enable Administrators and Users to do more within the platform. This spans features such as setting your SLA or creating Column Presets. We believe that giving users this ability is critical to enabling them to leverage the platform to its fullest extent. We are also aware of the complexity it adds to user onboarding, so as we deliver these features we aim to strike a balance between flexibility and complexity.
Things to keep an eye out for in the next 3+ months include:
- Ability to create Column Presets
- Ability to create Target Criticality Rules
- Ability to create Vuln Instance modifiers
- Ability to create Exception Rules
- Ability to create NopSec Assets and manage their association logic
We believe we are uniquely situated to provide users with insight based on the amount of data aggregated within the platform. This means we can support not only more functionality in the creation of reports but also what users learn from their data.
We will take a two-pronged approach here: tactical insights and strategic insights. It is easy to focus only on strategic insights versus tactical, or vice versa. We believe both are linked and will aim to support Analysts and CISOs alike.
We will leverage our Offensive Security experience and our data science expertise to provide clients with data-driven, security-related metrics.
We will connect our orchestration workflows to our insights to enable collaboration between teams and ultimately improve processes.
Keep an eye out for the following:
- Self-Service Dashboards
- A new Insights page housing analytic output
Contextual risk is the specific risk for a given client based on their unique set of assets, network environment, policies, teams, and business.
The first contextual risk factors that NopSec already supports are Target Criticality and Target Mitigating Controls. In both cases, the presence of a vulnerability on a specific target is scored depending on whether or not that target has mitigating controls, or whether or not it is a critical target. This is known as a Vulnerability Instance score.
We aim to extend our support by further understanding a client's uniqueness. This includes knowing the Assets' locations and relationships with one another, and the controls in place that allow communication between one asset and another. These and other goals will continue enabling NopSec to provide better contextualized risk prioritization.
The other goal is to prioritize not only vulnerability remediations but also mitigating controls, policies, and other improvements.
We'll continue to add more functionality to support large enterprises. This includes SSO Auto Provisioning through Groups, team-level sharing, and supporting client-specific business structures needed to correctly manage their program.
We also understand large enterprises have diverse tech stacks and requirements for data aggregation. There may be established internal tools that need to be integrated with, or established process workflows that need to be accounted for. We want to enable clients to configure the platform to meet those needs as best we can.