Orro Penetration Testing
Our value offering
Organisations have varied needs when it comes to understanding their true security posture. Orro offers a portfolio of services aimed at providing either a point-in-time or an ongoing determination of the security of an organisation’s information, processes and people. Reports from our work are available in a variety of formats suitable for audiences from the executive to the engineer.
In addition to reporting, Orro works with application, platform and support teams to effectively communicate any issues identified and support risk assessment and remediation activities.
We also provide portal-based services to track the treatment of vulnerabilities and issues over time, giving organisations a big-picture view of how their security has evolved.
Orro offers a number of security assurance testing services which provide efficient and repeatable testing, aligned to an organisation’s risk appetite.
The packages recognise the need for flexibility and are structured to provide the optimum value based on time, effort, complexity, reporting and tools for conducting regular compliance testing.
Orro Security Assurance Packages
The Bronze testing package offers basic assurance for lower-risk applications against a standard compliance checklist. Example application types in this category are third-party static content and internal non-authenticated sites.
The Silver testing package offers cost-effective testing for second-tier applications that require standard web application assurance testing. This typically requires an external tool-based vulnerability scan, with findings manually verified where possible, as well as a traditional web application penetration test focusing on OWASP Top 10 / CWE Top 25 compliance.
The Gold testing package caters for high-risk applications requiring more comprehensive assessment due to the sensitive or critical nature of the information, platform or application. This focuses on applications that are typically required to be tested annually, such as those within PCI or other regulatory scope, and/or that pose a high risk to business continuity.
The premium penetration testing package includes:
- Internal and external vulnerability scans, with manual investigation and verification of reported findings.
- Automated penetration testing utilising industry-leading tools, as well as manual assessment against current vulnerabilities and potential vulnerabilities arising from specific application conditions.
This package also caters for the following optional activities:
- Host assessment of the critical infrastructure required to offer the service, investigating critical configuration and management processes.
- A limited number of applications undergoing source code review.
Penetration Testing – Project Based
Orro offers custom penetration testing services to deliver the best value for a project’s specific security requirements, in alignment with a customer’s risk appetite and security policy.
The services are structured to provide the optimum value based on project scope, time, effort, complexity, reporting and tools for conducting project-based testing.
Testing services can be customised on a project-by-project basis to target the unique requirements of each engagement.
Orro provides security expertise in a variety of business contexts, ranging from high-level security strategy, risk assessment and architectural reviews down to project-based code review and penetration testing.
The Orro service is aligned to industry standards to support ongoing compliance, drawing on our real-world experience with web, mobile, middleware and backend enterprise platforms.
Application Security Assessment
Orro’s application security assessment methodology is founded on industry guidelines such as OWASP and the CWE Top 25. Applications are reviewed from a variety of perspectives, both authenticated and unauthenticated, to ensure that the impacts of security threats, whether internal or external, are properly understood.
Our application security assessment service integrates seamlessly into our client’s SDLC. We work with developers and platform teams to communicate and educate on issues which we identify. Our service is scalable, leveraging a combination of automated and manual assessment of applications as well as the environments in which they operate.
Application Code Security Review
Orro maintains strong security-focused application development expertise which supports our internal and external services. We offer a comprehensive application code security review service which is both flexible (covering numerous platforms and frameworks) and informative. This supports application development teams in understanding and remediating security issues within the SDLC.
The application code security review is delivered as an automated or an interactive service, depending on the time and cost constraints of the application development programme.
Host Configuration Review
A host configuration review is specific to a device configuration and generally independent of the application and network assessments. The host configuration review covers components such as:
The Orro Customer Portal provides a reporting capability backed by an industry-strength data analytics and insights engine. A standard report includes a high-level summary of findings, detailed descriptions of findings, associated risk ratings and recommendations. These reports are written by Orro staff and are tailored to be relevant to a customer’s specific environment. Underlying tool-specific reports containing the generic security data are also available on request.
Developer Security Training
Identifying application security defects is only one of the steps involved in improving application resilience and security. For this reason, Orro provides optional follow-up education and training sessions, as well as code walkthroughs, to help establish a culture of security inside development teams.
Asia/Pacific Context: ‘Magic Quadrant for Managed Security Services, Worldwide’ Published: 27 April 2018 ID: G00345198
Analyst(s): Sid Deshpande, Craig Lawson, Rajpreet Kaur
Founded in 1999, [Orro] is a pure-play security company that provides managed security, consulting and assurance services. Its client base is predominantly in Australia today, and it specializes in general-purpose MSS, along with offering consulting services that support customers’ security operations requirements. [Orro] offers management capability for a wide range of network security and threat management functions. It also supports more granular service deliverables than many larger providers by being able to provide out-tasking and overflow support on top of the more standardized MSS SLA-based management and monitoring of security products. [Orro] is able to compete with larger competitors because of its flexible service delivery options and its ability to customize service delivery for a wide range of customer requirements. [Orro] operates out of four locations (Australia [Brisbane, Melbourne and Sydney] and London, the U.K.), with two SOCs in Sydney and Melbourne.