Benefit from:

  • 600+ unique methods to discover subdomain takeovers
  • 1000s of payload-based tests for various vulnerability types
  • 99.7% vulnerability assessment accuracy rate

Secure digital products with EASM

Identify what you’re exposing

Many consumer packaged goods organizations are embracing new development methodologies and technologies to accelerate their product development lifecycles. Daily product releases have likely become the norm for security teams in these organizations, as applications are composed of smaller services orchestrated by APIs that one or more cloud service providers host. This has resulted in these teams needing more visibility and control of what their organization is exposing externally.

As CPG organizations acquire new channels to reach their consumers, they'll likely expose more digital assets to the web, such as products on multiple e-commerce platforms or promotional campaigns.

Many Marketplace Operation Applications platforms rely on various prebuilt integrations or API connects to e-commerce sites to get products in front of consumers. This results in a tremendous amount of data moving between multiple interfaces. Not only are CPG organizations relying on more communication via API, but they're also hosting online experiences or "shops" to interact directly with their consumers.

These digital experiences and products are likely being managed by a single security team that triages vulnerabilities and risks to multiple teams across different products. Security teams will need to be able to identify each of their domains and what is being hosted on them.

Easily see what you're exposing online with Detectify:

Avoid vulnerability information overload

AppSec and ProdSec teams have to manage multiple channels for vulnerability information. From annual to quarterly pentesting, to bug bounty programs, to the latest threat floating around Twitter, these security teams are likely having to consistently reevaluate what vulnerabilities and risks they should resolve sooner rather than later. This information overload is increasing the demand on these teams, despite often needing more resources.

CPG organizations are likely to have multiple digital products under their umbrella company. This makes navigating noisy vulnerability findings doubly challenging. Security teams might have 10, 15, or even more digital products to cover, requiring research on each vulnerability finding, particularly those identified as high or critical.

See through the noise with Detectify:

  • Get low-noise vulnerability findings powered by payload-based vulnerability testing, all crowdsourced from leading ethical hackers.
  • Fuzzing and crawling of custom-built applications to find vulnerabilities beyond CVE/CVSS lists, with additional insights like where vulnerabilities were found.
  • Customizable filters of vulnerabilities to ensure your team only responds to threats that matter most to your organization.
  • Coming soon: "Groups" will make it possible for security teams to group teams or assets so that the team responsible for resolving vulnerabilities quickly gets the information they need.

Manage digital transformation with EASM

Secure what you’re hosting in the cloud

Dev teams are adopting cloud technologies at a rapid pace, resulting in AppSec and ProdSec teams having to work aggressively to figure out how new cloud systems are stitched together.

CPG organizations are likely moving towards building more digital services, such as web applications, and finding additional channels to reach their consumers. As these organizations bring these services online, they're inherently hosting more assets via a cloud provider, such as a subdomain for a marketing campaign like Black Friday. This makes it doubly important to secure what is being hosted in the cloud, as CPG organizations are handling lots of consumer data across multiple third-party services, for example, a CMS, ad platform, and e-commerce platforms.

Identify issues within cloud services:

  • "Attack Surface" view allows you to easily track your domains, such as landing pages for direct-to-consumer campaigns.
  • Benefit from over 600 unique methods to discover subdomain takeovers.
  • Set customizable security policies on your attack surface to alert you to policy breaches, such as open ports.
  • Ensure your team only uses approved technologies and software across your attack surface - no more unapproved software!

Stay on top of new vulnerability types as they emerge

AppSec and ProdSec teams will inevitably meet new types of vulnerabilities as part of their organization's digital transformation process, particularly vulnerabilities resulting from human error. If these teams have less experience with serverless technologies and hosting in the cloud, Cloud Security Posture Management (CSPM) tooling and programs may not have the capacity to handle the challenges that result from these new types of vulnerabilities.

Even with a robust vulnerability management program, there is a risk that current vulnerability management capabilities will be limited: modern web applications are made up of many smaller parts for which a traditional application scanner might not be as useful.

CPG organizations earlier in their digital transformation are likely looking for a vulnerability management solution to help find issues across the entire attack surface.

CPG companies that are further along in their transformation are likely looking for a way to triage vulnerabilities to a wide variety of stakeholders, from network to product development teams. Visibility into the organization's overall security posture is also crucial, particularly because many CPG organizations are made up of various brands.

Stay on top of new vulnerability types with Detectify:

  • Find vulnerabilities across various technologies, such as Oracle, Microsoft, SAP, and more.
  • Get low-noise vulnerability findings powered by payload-based vulnerability testing that we crowdsource from leading ethical hackers - resulting in a 99.7% accuracy rate.
  • Conduct thousands of payload-based vulnerability tests for various vulnerability types, like XSS and misconfigurations.
  • Deep crawling and fuzzing of custom built applications, including authenticated scanning.
  • Set customizable security policies on your attack surface to alert you to policy breaches, such as open ports and technologies.
  • Ensure that your organization only uses approved e-commerce platforms, such as Shopify.

Understand risks during mergers and acquisitions:

  • Get an inventory of all public-facing domains, including information like open ports, IPs, and DNS record types.
  • Get reports about vulnerability findings that cover your entire attack surface.
  • Easily configure scanning of web applications as well as authenticated scanning.
  • Integrate findings produced by Detectify into a variety of common vulnerability management systems.
  • Set customizable security policies on your attack surface so you’re alerted of policy breaches, such as open ports.
  • Identify which technologies your subsidiaries are running on their attack surface, such as their Oracle or SAP.

Before and during an M&A

The likelihood of new vulnerabilities and risks occurring during M&A processes increases as an organization is untangling and rewiring its acquired systems and technologies. Security teams often need clarification about what they're acquiring and the overall security posture of the acquiring company.

The numbers don't lie. In 2019, the IBM Institute for Business Value surveyed 720 executives responsible for the M&A functions at acquiring organizations. More than 1 in 3 experienced data breaches that were attributed to M&A activity during integration. Almost 1 in 5 experienced such breaches post-integration.

M&As aren't uncommon in the CPG industry. Not only are organizations acquiring another company's attack surface (e.g., systems), but they're also acquiring the technologies they use to get products to their consumers worldwide.
