Central Networks and Technologies Ltd

AppCheck

AppCheck provides a best in class web application, API and network infrastructure vulnerability scanning platform.

Features

• Technology Agnostic
• Sophisticated scanning engine developed and mainted by leading security experts
• Easy to use and highly configurable
• Proof of concept evidence is provided through safe exploitation
• Unparalled support for modern single page applications and complex APIs
• Supports various forms of authentication via a scriptable broswer interface
• Granular scheduling and continous scanning
• Known vulnerability database updated daily with latest finding remediation advice

Benefits

• Not bound to any platform or signature database
• Automatically discover the complete attack surface in the shortest time
• AppCheck allows complete flexability.
• Thoroughly scan and test your Single Page Apps and APIs
• Scans can be configured to adhere to a specific schedule
• Will also report on "known vulnerabilities"

£250 to £1,125 a unit a day

• Free trial available

Service documents

• Pricing document

  PDF

• Skills Framework for the Information Age rate card

  PDF

• Service definition document

  PDF

• Terms and conditions

  PDF

Request an accessible format

If you use assistive technology (such as a screen reader) and need versions of these documents in a more accessible format, email the supplier at sales@centralnetworks.co.uk. Tell them what format you need. It will help if you say what assistive technology you use.

Framework

G-Cloud 14

Service ID

729437558054765

Contact

John Blackburn
01706747474
sales@centralnetworks.co.uk

Service scope

• Software add-on or extension: No
• Cloud deployment model:
  • Public cloud
  • Private cloud
  • Community cloud
  • Hybrid cloud
• Service constraints: None
• System requirements:
  • For internal scanning only -
  • Capacity for a VM:16GB RAM, 4 CPU cores, 60GB storage.

User support

• Email or online ticketing support: Email or online ticketing
• Support response times: The aim is to respond to questions on the first call, through an escalation 1st-3rd line classification. We respond within 30 mins.
• User can manage status and priority of support tickets: Yes
• Online ticketing support accessibility: None or don’t know
• Phone support: Yes
• Phone support availability: 24 hours, 7 days a week
• Web chat support: No
• Onsite support: Yes, at extra cost
• Support levels: Our operations team is broken down into two areas, Service Desk and Engineering. The Service Desk acts as the primary source of all activity, where calls are categorised, prioritised and filtered to the relevant specialist if required. Our calls are given a priority level from 1-5; whereas P1 is Disaster, business is non-operational all the way through to P5, of which could be a cosmetic incident, for example. Our response times and levels are summarised below: P1 - Urgent - 15mins Response Time (RT), 4 hrs Target Full Fix Time(TFFT) P2 - Critical - 30 mins RT, 8 hrs TFFT P3 - Very Important - 4 hrs RT, 20 hrs TFFT P4 - Important - 10 hrs RT, 30 hrs TFFT P5 - Informational - 3 days RT, 90 days TFFT (never normally this long) The majority of activity will be remote based working, however we will send either a senior engineer to the client site, or a cloud specialist to a cloud hosting datacentre site, as and when required, depending on the incident. All priority incidents are included in our pricing, defined by customised SLA's and can be in unlimited numbers if required, depending on the client's needs.
• Support available to third parties: Yes

Onboarding and offboarding

• Getting started: Once a customer signs up to the service (standard and support+ offering), the client will initially be provided with an onboarding/training session with the support team. Following this regular quarterely reviews are scheduled with the customer success team.
• Service documentation: Yes
• Documentation formats: Other
• Other documentation formats:
  • In the GUI itself
  • Online FAQ/help library
• End-of-contract data extraction: Information found here - https://appcheck-ng.com/compliance/ . For even more detail on this topic a full VSA pack can be provided under NDA documenting our processes for this.
• End-of-contract process: Information found here - https://appcheck-ng.com/compliance/ . For even more detail on this topic a full VSA pack can be provided under NDA documenting our processes for this.

Using the service

• Web browser interface: Yes
• Supported browsers:
  • Internet Explorer 11
  • Microsoft Edge
  • Firefox
  • Chrome
  • Safari
  • Opera
• Application to install: No
• Designed for use on mobile devices: No
• Service interface: Yes
• User support accessibility: None or don’t know
• Description of service interface: Customer Portal
• Accessibility standards: None or don’t know
• Description of accessibility: .
• Accessibility testing: .
• API: Yes
• What users can and can't do using the API: The API allows customers to create, start, pause, stop scans, pull data and reporting of vulnerabilities. The API also provides the ability to manage vulnerabilities into ticketing systems allowing you to assign a vulnerability to particular user for them to review and remediate. API Spec available on request
• API documentation: Yes
• API documentation formats: Other
• API sandbox or test environment: No
• Customisation available: Yes
• Description of customisation: For certain features customers are able to customise things like specific scan configurations to look for specific vulnerabilities or reduce things like traffic just as a small example. In addition customers can customise what is prepared in the reports using filtering options and can review their overall vulnerability estate within a customisable dashboard overview. Furthermore the ability to customise roll based access controls which provides further flexability.

Scaling

• Independence of resources: For detailed information a full VSA pack can be provided under NDA documenting our processes for this. More information found here - https://appcheck-ng.com/compliance/

Analytics

• Service usage metrics: Yes
• Metrics types: Customers can login to the portal and access usage metrics via the customisable dashboard; There are a number of metrics that can be viewed including how many scan have been conducted, most vulnerable targets, vulnerability trends, recent vulnerabilities, unfixed vulnerabilities, tracking etc just to name a few
• Reporting types: Real-time dashboards

Resellers

• Supplier type: Reseller providing extra support
• Organisation whose services are being resold: AppCheck

Staff security

• Staff security clearance: Other security clearance
• Government security clearance: Up to Security Clearance (SC)

Asset protection

• Knowledge of data storage and processing locations: Yes
• Data storage and processing locations: United Kingdom
• User control over data storage and processing locations: No
• Datacentre security standards: Complies with a recognised standard (for example CSA CCM version 3.0)
• Penetration testing frequency: At least every 6 months
• Penetration testing approach: ‘IT Health Check’ performed by a Tigerscheme qualified provider or a CREST-approved service provider
• Protecting data at rest: Other
• Other data at rest protection approach: Information found here - https://appcheck-ng.com/compliance/ . For even more detail on this topic a full VSA pack can be provided under NDA documenting our processes for this.
• Data sanitisation process: Yes
• Data sanitisation type: Deleted data can’t be directly accessed
• Equipment disposal approach: In-house destruction process

Data importing and exporting

• Data export approach: Using the API or you can also extract vuln data from the GUI itself in the form of reports such as full scan reports in word/PDF, exec reports, Excel and JSON exports
• Data export formats: Other
• Other data export formats:
  • API
  • GUI
  • Word
  • PDF
  • Excel
  • JSON
• Data import formats: Other
• Other data import formats: N/A

Data-in-transit protection

• Data protection between buyer and supplier networks: Other
• Other protection between networks: Information found here - https://appcheck-ng.com/compliance/ . For even more detail on this topic a full VSA pack can be provided under NDA documenting our processes for this.
• Data protection within supplier network: Other
• Other protection within supplier network: Information found here - https://appcheck-ng.com/compliance/ . For even more detail on this topic a full VSA pack can be provided under NDA documenting our processes for this.

Availability and resilience

• Guaranteed availability: Information found here - https://appcheck-ng.com/compliance/ . For even more detail on this topic a full VSA pack can be provided under NDA documenting our processes for this.
• Approach to resilience: Information found here - https://appcheck-ng.com/compliance/ . For even more detail on this topic a full VSA pack can be provided under NDA documenting our processes for this.
• Outage reporting: Information found here - https://appcheck-ng.com/compliance/ . For even more detail on this topic a full VSA pack can be provided under NDA documenting our processes for this.

Identity and authentication

• User authentication needed: Yes
• User authentication:
  • 2-factor authentication
  • Username or password
• Access restrictions in management interfaces and support channels: Information found here - https://appcheck-ng.com/compliance/ . For even more detail on this topic a full VSA pack can be provided under NDA documenting our processes for this.
• Access restriction testing frequency: At least once a year
• Management access authentication: 2-factor authentication

Audit information for users

• Access to user activity audit information: No audit information available
• Access to supplier activity audit information: Users receive audit information on a regular basis
• How long supplier audit data is stored for: User-defined
• How long system logs are stored for: User-defined

Standards and certifications

• ISO/IEC 27001 certification: Yes
• Who accredited the ISO/IEC 27001: QMS International
• ISO/IEC 27001 accreditation date: 2024
• What the ISO/IEC 27001 doesn’t cover: Information found here - https://appcheck-ng.com/compliance/ . For even more detail on this topic a full VSA pack can be provided under NDA documenting our processes for this.
• ISO 28000:2007 certification: No
• CSA STAR certification: No
• PCI certification: No
• Cyber essentials: Yes
• Cyber essentials plus: Yes
• Other security certifications: No

Security governance

• Named board-level person responsible for service security: Yes
• Security governance certified: Yes
• Security governance standards: Other
• Other security governance standards: Information found here - https://appcheck-ng.com/compliance/ . For even more detail on this topic a full VSA pack can be provided under NDA documenting our processes for this.
• Information security policies and processes: Information found here - https://appcheck-ng.com/compliance/ . For even more detail on this topic a full VSA pack can be provided under NDA documenting our processes for this.

Operational security

• Configuration and change management standard: Supplier-defined controls
• Configuration and change management approach: Information found here - https://appcheck-ng.com/compliance/ . For even more detail on this topic a full VSA pack can be provided under NDA documenting our processes for this.
• Vulnerability management type: Undisclosed
• Vulnerability management approach: Information found here - https://appcheck-ng.com/compliance/ . For even more detail on this topic a full VSA pack can be provided under NDA documenting our processes for this.
• Protective monitoring type: Undisclosed
• Protective monitoring approach: Information found here - https://appcheck-ng.com/compliance/ . For even more detail on this topic a full VSA pack can be provided under NDA documenting our processes for this.
• Incident management type: Undisclosed
• Incident management approach: Information found here - https://appcheck-ng.com/compliance/ . For even more detail on this topic a full VSA pack can be provided under NDA documenting our processes for this.

Secure development

• Approach to secure software development best practice: Supplier-defined process

Public sector networks

• Connection to public sector networks: No

Social Value

• Social Value:

  Social Value

  Equal opportunity

  Equal opportunity

  Our Social Value Policy is Available on request more information can be found on our website

Pricing

• Price: £250 to £1,125 a unit a day
• Discount for educational organisations: No
• Free trial available: Yes
• Description of free trial: AppCheck's Proof of Concept allows organisations to run a scan against a number of targets for assessment

Service documents

• Pricing document

  PDF

• Skills Framework for the Information Age rate card

  PDF

• Service definition document

  PDF

• Terms and conditions

  PDF

Request an accessible format

If you use assistive technology (such as a screen reader) and need versions of these documents in a more accessible format, email the supplier at sales@centralnetworks.co.uk. Tell them what format you need. It will help if you say what assistive technology you use.