The University of Derby

case study

The University of Derby  wanted to prioritise data security and risk mitigation. It was key to know that all their data was as secure as they could make it but, equally, that they were not using all their resource to do that.

Tell us a bit about yourself and your organisation

The University of Derby is ranked 26th in the Guardian University Guide 2020 and, having been rated Gold in the Teaching Excellence Framework 2017 and shortlisted for the Times Higher Education (THE) University of the Year Award 2019, this makes us one of the leading universities in the UK.

Everything we do is driven by delivering excellence and opportunities for our students, our staff and our region. With more than £200 million invested in the last ten years, we offer some of the best university facilities in the UK.

I head up the Business Systems team within the IT Department and have a big focus on security, particularly around our staff and student data, and I am keen to ensure all our data is kept as secure as possible.

What was the business need for AppCheck?

The business need for AppCheck was data security and risk mitigation. For me, it is key to know that all our data is as secure as we can make it but, equally, that we are not using all our resource to do that.

The IT department has recently been awarded Cyber Essentials Plus, and we are looking to keep this status. AppCheck helps us maintain this with minimal resource.

What were your main challenges with security before AppCheck?

Our main concern was that we have such a breadth of software. Due to the way teaching and learning is put together, we have a lot of students in many different subject areas that require different software to support them – not all of that software is as robust as others.

Having AppCheck reduces the risk of running those systems.

Why did you choose AppCheck over other vendors?

It came down to the level of support that you offer, the package. The tool itself includes advice and guidance on issue resolution.

I mentioned the breadth of software that we are using and, being able to get that advice and support with some of the nuances of security issues that the varying software might have, was core to why your service differed to the others that we investigated.

Your UK-based support has always been available when we needed you, which has been very helpful.

What is your favourite thing about AppCheck?

The system itself is quite clean and easy to use, which sounds simple, but has been a major factor in embedding the tool into day-to-day business operations.

Rolling this out across the team and into new departments has not been a challenge, because of how easy the system is to use.

I really like the templates provided by the system for new scans. For instance, WordPress is frequently regarded within the industry as a high-risk content management system when it comes to Application Vulnerabilities. For this reason, the team at AppCheck has created a bespoke scan template, which looks specifically for the common vulnerabilities associated with WordPress. This means the team can run quick checks against these specific vulnerabilities without having to launch a full (longer running) penetration test scan.

The ability to easily manage users and give access to other people in other teams has been useful across different departments.

The internal hub is also good. The scan hub allows us to scan applications that are internally facing, such as pre-production or those that are in the development lifecycle. I love the GoScript feature to set up advanced crawls and navigate beyond log-in credentials.

Sum up your experience with AppCheck in 1-2 sentences

I can do this in one word – ‘positive’.

This is because AppCheck has had such a positive impact across the business in many aspects. It has given the organisation transparency, it produces good reports, it provides peace of mind.

We have a SOC team at Derby and they are happy with our level of penetration testing because we are using AppCheck.

It has allowed us to strike that perfect balance between assigning the appropriate amount of time and resource versus ensuring the correct level of checks. I now have a robust vulnerability testing strategy in place and, as I bring on new systems, it is integrated with AppCheck as a standard procedure which means I then get good visibility and can produce reports to get the right information to the right people straight away.

Want to scan your critical assets?

What are your next steps with the tool?

My team is responsible for a significant percentage of university applications and I plan to continue the roll-out of the tool across our organisation. Our ultimate goal is that everything that is onsite goes through AppCheck.

What has been the impact of using AppCheck?

We are now two years into using AppCheck and have managed to cover most of our systems. If we had started two years ago to pen test all of our systems manually, this would have been very time-consuming. We also wouldn’t have been able to do it at the level we do now or take advantage of the repeated nature of the scans.

Once we have a system secured with AppCheck it will re-check it and alert us on new security issues, which means we no longer have to worry about those systems and it gives us a level of transparency that we didn’t have previously.

The detailed advice around each service, and the fact it integrates with our ticketing systems, has been a massive timesaver. AppCheck integrates with JIRA and will raise JIRA tickets when vulnerabilities occur, meaning we can work on these as soon as they are reported – all of this makes our daily operations a lot easier.

What advice would you give to other companies looking to manage vulnerabilities?

It’s a bit of a Mary Poppins statement but ‘once begun is half done.’ I feel with this kind of pen testing that really is very true. Once you get started, you will very quickly be halfway through and the work then becomes about fixing the vulnerabilities.

You don’t get stuck with implementing the tool as this is so simple, it’s fixing the vulnerabilities that are the bulk of the work. Identifying them then becomes easy and eliminates the guesswork. You then have another piece in your puzzle and you are building your toolkit around the security of your organisation.

Want to see what AppCheck can find in your websites, applications, network, and cloud infrastructure?

Put us to the test.
Try AppCheck for free

No software to download or install.
Contact us or call us 0113 887 8380

Get in touch

Start your free trial

Your details
IP Addresses
URLs