X-Force Red Gets Serious About Penetration Testing

This week, IBM announced the creation of X-Force Red, a new elite security testing team. I’ve been working on putting this group together since October of last year, so the announcement gave me a mixture of pride, relief and excitement.

I’ve been involved with security testing long enough that creating one more pen testing team wouldn’t be very challenging or rewarding. This is different, mostly because of IBM’s unparalleled stature in technical innovation.

In 2015, IBM received 7,355 patents in the U.S., making us the leader for the 23rd consecutive year. With Watson, IBM is pioneering aspects of artificial intelligence and data analytics that not long ago seemed like science fiction. Just last week, I was blown away when the IBM website featured an invitation to “sign up to run virtual experiments on a quantum processor.”

I wish that I could say we’re using quantum computing at X-Force Red. We’re not quite ready for that, but we still embody IBM’s innovative spirit.

X-Force Red Does the Heavy Lifting

Anyone in security can tell you how overwhelming massive amounts of vulnerability data can be. Even in small organizations, findings from penetration tests, code reviews and vulnerability scans pile up quickly.

Vulnerability analytics are a key feature of X-Force Red’s offerings. They help to prioritize and track work, identify security trends in your organization, map risks based on shared dependencies and much more. The data can come from any source: tests performed by IBM, vulnerabilities discovered by your own internal work or even issues documented by third-party tests.

There are four main disciplines within X-Force Red:

  • Application: Manual penetration tests, code review and vulnerability assessments of web, mobile, terminal, mainframe and middleware platforms;
  • Network: Manual penetration tests and vulnerability assessments of internal, external, Wi-Fi and other radio frequencies;
  • Hardware: Security tests that span the digital and physical realms with Internet of Things (IoT), wearable devices, point-of-sale (POS) systems, ATMs, automotive systems, self-checkout kiosks, etc.; and
  • Human: Simulations of phishing campaigns, social engineering, ransomware and physical security violations to determine risks of human behavior.

A Team of Experts

The vast technical experience at IBM is another advantage of X-Force Red. Any decent security testing team will have experts on the common application and network technologies. But when it comes to bleeding-edge, niche or legacy technology, consultants can be left scrambling. X-Force Red is backed by the collective experience of literally hundreds of thousands of the world’s best technologists that work at IBM.

Simplicity is another key aspect of the X-Force Red strategy. Filling out scoping surveys and counting your webpages, classes or database servers slows down the testing process and doesn’t improve your security. The details on how we scope and size projects can be found here.

Share this Article:
Charles Henderson

Global Head of IBM X-Force Red

Charles Henderson is the Global Head of IBM's X-Force Red. Throughout his career, Charles and the teams he has managed have specialized in network, application, physical, and device penetration testing as well as vulnerability research. X-Force Red’s clients range from the largest on the Fortune lists to small and midsized companies interested in improving their security posture. Charles is also an enthusiastic member of the information security community and an advocate of vulnerability research. He has been a featured speaker at various conferences (including Black Hat, DEFCON, RSA, SOURCE, OWASP AppSec USA and Europe, and SXSW) around the world on various subjects relating to security testing and incident response. He has also appeared on or in CBS Evening News, CNN, BBC, The Wall Street Journal, Forbes, USA Today, The Register, SC Magazine, Engadget, eWeek, Reuters, Car & Driver, and various other media outlets.