Recently a question came up about the benefits of TeamMentor. Specifically, what is the typical scenario in which people use TeamMentor?
The idea is that people might know about security controls but not how to implement them, so they go to TM and find out how to implement the controls. For example, a company finds out they have a bunch of SQLi and XSS in their web sites, but they don’t know what controls actually prevent those vulns. So they do what happens very often: they add some specific filter or similar patch to that specific vulnerable piece of code and don’t change the architecture at all. Overall, their security posture doesn’t really improve and the developers don’t learn from their mistakes. The same types of vulnerabilities continue to haunt them. Enter TM.
Someone finds out they have XSS. They go to TM and quickly find XSS in the views in the OWASP folder, in the CWE library, and now in the Top Vulns library as well. There, they can read about industry-standard ways to handle XSS. The number of articles per subject is around a dozen and they’re pretty simple articles. In about an hour, they have the information they need to handle XSS vulns. TeamMentor can help fix discovered vulnerabilities.
But what if someone doesn’t want to have XSS vulns in the first place? Then they can go and read about security controls for XSS and implement the ones that are relevant to their application(s). The result is that the number of vulnerabilities is reduced overall and the application is hardened against exploitation. As an added bonus, guidance for standards compliance is included. The standards compliance part is still a work in progress, but most standards are based on the same principles, and these are the principles described in TM. The language is technical but simple and is chosen to bridge the gap between developers and their employers/clients/managers. The libraries include the OWASP Top 10 and CWE Top 25 vulnerability indexes, so even if someone doesn’t know what kinds of vulnerabilities are being exploited out there, they can still choose a logical set of controls for their application.
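To make the contrast between a spot fix and a security control concrete, here is an added example (my own code, not from TeamMentor or its guidance): an ad-hoc filter bolted onto one input versus context-aware output encoding applied where data is rendered. The `render_comment` function and its comment data model are assumptions for illustration.

```python
import html
import re

# The spot fix the post describes: a filter added to one vulnerable input.
# It knows about one tag name, silently changes the stored data, and says
# nothing about the context in which the value will later be rendered.
SCRIPT_TAG = re.compile(r"</?script>", re.IGNORECASE)


def adhoc_filter(user_input: str) -> str:
    """Strip one tag name from input; everything else passes through unchanged."""
    return SCRIPT_TAG.sub("", user_input)


# The architectural control: untrusted data is stored as-is and encoded for
# the specific output context at the moment it is written into the page.
def encode_for_html_body(value: str) -> str:
    """Neutralize every markup-significant character for HTML text content."""
    return html.escape(value, quote=False)


def encode_for_html_attribute(value: str) -> str:
    """Also encode quotes, so the value cannot terminate a quoted attribute."""
    return html.escape(value, quote=True)


def render_comment(author: str, body: str) -> str:
    """Hypothetical view: each value is encoded for the context it lands in."""
    return (
        f'<div class="comment" data-author="{encode_for_html_attribute(author)}">'
        f"{encode_for_html_body(body)}</div>"
    )


if __name__ == "__main__":
    # Constructed sample input: ordinary text that happens to contain markup.
    print(adhoc_filter("the <script> tag"))   # legitimate text is mangled
    print(adhoc_filter("<b>x</b>"))           # any other tag passes through
    print(render_comment('Ann "The Admin" Lee', "I <3 security"))
```

The filter both damages legitimate input and covers only the one case its author thought of, whereas the encoder is applied uniformly and needs no knowledge of which tags are dangerous.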
The bottom line is that a short session with TeamMentor can help prevent expensive and dangerous vulnerabilities before they happen.