Tuesday 1 May 2012

TeamMentor for Security companies providing Application Security Services

After the launch of the TeamMentor Partner Program, one of the common questions I'm receiving is 'OK... that sounds interesting... but how does it work?'

So if you are working for a company currently providing application security services (PenTesting, CodeReview, Threat Modelling, Architecture review, etc...) this post is for you.

From your point of view, TeamMentor will provide:
  1. Security-Focused Knowledge Base - to hyper-link your current reports
  2. Customized Reporting - ability to deliver your reports via a web interface (with your brand and custom content)
  3. New revenue streams - by selling TeamMentor and additional services to your clients

Let's take these in turn:

Security-Focused Knowledge Base

TeamMentor's Library is made up of 4000+ articles with expert security guidance covering a wide range of Technologies, Phases, Types and Categories.

The key concept is that you shouldn't have to write detailed explanations about a particular security finding, how to fix it, or how it fits within the multiple SDL phases. TeamMentor should have those articles so you can just hyper-link to them from your reports.

Note that if the content that you want is not currently available in a TeamMentor Library, you can easily add it via the web interface (which provides full editing capabilities).

Customized Reporting

Once you are comfortable with TeamMentor's content and have a solid internal workflow, the next step is to start thinking about creating custom versions with your own branding and customer-specific content (for example, a TeamMentor How-to article with the code samples modified to reflect the best practices of the application under test).

The TeamMentor interface is very flexible and all the content is exposed via a WebServices layer, so you can either use TeamMentor's main GUI, create your own, or just consume its data from an existing customer portal.

Note that you can also use TeamMentor to host your own (private) content, which you will only share with some of your customers (for example, a series of articles on Oracle security).

New Revenue Stream

Finally, for the cases where your customers want to start using TeamMentor internally, in addition to a commission that you will receive for each sale, there are additional services that you could provide (for example, converting/mapping your customer's internal security policies or coding standards into a TeamMentor Library).