I was reviewing the RSAC 2020 Innovation Sandbox finalists and wondering what level of security they had implemented for protecting their own sites – that is whether they “walk the talk”?
| Logo | Company | Homepage | Crunchbase | |||
|---|---|---|---|---|---|---|
 | AppOmni | appomni.com | CB-AO | LI-AO | @AppOmni | |
 | BluBracket | www.blubracket.com | CB-BB | LI-BB | @bluebracket | |
 | ElevateSecurity | elevatesecurity.com | CB-ES | FB-ES | LI-ES | @hello_Elevate |
 | ForAllSecure | forallsecure.com | CB-FAS | FB-FAS | LI-FAS | @forallsecure |
 | Inky | www.inky.com | CB-I | FB-I | LI-I | @inkyphishfence |
 | ObsidianSecurity | www.obsidiansecurity.com | CB-OS | FB-OS | LI-OS | @obsidiansec |
 | Security.AI | www.securiti.ai | CB-SAI | FB-SAI | LI-SAI | @SecuritiAI |
 | Sqreen | www.sqreen.com | CB-SQ | FB-SQ | LI-SQ | @SqreenIO |
 | TalaSecurity | www.talasecurity.io | CB-TS | LI-TS | @talasec | |
 | Vulcan | vulcan.io | CB-VC | FB-VC | LI-VC | @VulcanCyber |
Checks were performed using following publicly available services against respective companies home pages.
| Test | From | Link |
| Risk Score | @UpGuard | https://bit.ly/UG_Scan |
| Web SSL Server | @qualys | https://bit.ly/QS_Scan |
| Security Headers | @securityheaders | https://bit.ly/SH_Scan |
| EMail DMARC/SPF | @fraudmarc | https://bit.ly/FM_Scan |
| DNSSEC | @verisign | https://bit.ly/VS_Scan |
| Security.txt | @scott_helme | https://bit.ly/ST_RD |
| WAF | @sucurisecurity | https://bit.ly/WAF_Scan |
The tests is not indicative of the security of respect services or product offerings – but simply a comparison on level of attention to company web sites.
Results
Overall – Securiti.AI was Ranked #1, followed by Elevate Security #2, Inky #3, AppOmni #4, Sqreen #5, Obsidian #6, Blubracket #7, Talasecurity #8, Vulcan Cyber #9 and forallsecure #10.
Note rank order differs slightly from UpGuard score due to additional checks, essentially sorting Left to Right (best to worst) based on results.
Web Server (QS_Scan) – Most sites had implemented TLS (9/10), however some still allowing TLS 1.1.
Browser Security (SH_Scan) Few had implemented security all headers options (STS CSP XFO XCTO RP FP).
Only 1 (Securiti.AI) had fully implemented.
Email security (FM_Scan) was less than ideal (considering Phishing is major threat vector) with only 2 having implemented DMARC with SPF (reject or quarantine).
DNS Security (DNSSEC) – Only 2/10 had implemented DNS Security.
References
DNS Security –Top 5 Threats, CloudFlare, Akamai, Imperva
Security Headers – OWASP / Hardening Guide
WAF –