Compliance Unfiltered is TCT’s tell-it-like-it-is podcast, dedicated to making compliance suck less. It’s a fresh, raw, uncut alternative for anyone who needs honest, reliable compliance expertise with a sprinkling of personality.
Show Notes: Vulnerability Scans Vs. Penetration Testing
Quick Take
On this week’s episode of Compliance Unfiltered, Adam uncovers the depths of security testing and the difference between vulnerability scans and penetration testing.
Wondering why an organization should do security testing?
Curious about Vulnerability Scans?
Want to know the ins and outs of Penetration Testing?
Are you expected to answer questions for your team on the advantages and disadvantages of security testing?
Compliance Unfiltered has you covered, all on this week’s episode!
Follow Compliance Unfiltered on Twitter and Instagram at @compliancesucks
Read The Transcript
So let’s face it, managing compliance sucks. It’s complicated. It’s so hard to keep organized and it requires a ton of expertise in order to survive the entire process.
Welcome to Compliance Unfiltered, a podcast dedicated to making compliance suck less. Now here’s your host, Todd Coshow with Adam Goslin.
I am doing fantabulous. How about you, Todd?
I can’t complain. I can’t complain at all.
Today we’re going to hit a topic, Adam, that’s pretty straight down the middle, right? This is something that in sports terms you would consider a BP fastball, but just like batting practice, it applies to everyone who plays the game, and that is security testing. Specifically, Adam, vulnerability scanning versus penetration testing. So maybe we should start with the why. Why do you do security testing?
Well, I mean, at the end of the day, it’s good for the company, you know, it certainly improves their security posture, you know, and the one thing, the one thing that I hear out of organizations, especially those that are kind of new to the security compliance arena, you know, a lot of them will have this misnomer, right? We’re not a big company, or we’re not well known or whatnot. And the reality is that nobody, nobody is hiding from the bad guys. It doesn’t matter whether you’re big or you’re small.
I don’t know if I’ve gone through this before. So I use this, this opportunity to kind of go through this one, because it’s, it’s, it’s really pertinent to the why of the security testing is that you remember back in the day, you know, when you’re, when you were a kid, and then your parents got the, you know, parents got the unlisted phone number, right? And then all of a sudden, you know, you get used to the phone rings, and it’s somebody that you know, right? And all of a sudden, the phone rings, and it’s some salesperson, right? And everybody’s like, Oh, my God, how did they get ahold of this number? You know, reality is, they’re just going through, you know, 111, 1111, 1111, 1112, you know, and, and just running through the digits, and they just happen to hit a number that happened to be unlisted. Well, it’s the same type of a premise when it comes to machines that are on the internet, right? The bad guys are just going, you know, 1111, 1111, 1112, 1111.3. And so it doesn’t matter if you’re big, if you’re small, if you’ve got a lot to protect, very little to protect, it’s irrelevant, because the bad guys are finding you just randomly, and I guarantee you for anybody that you know, kind of hasn’t gone in with their firewall traffic, seen what’s really happening in terms of, you know, things that are hit in the environment, you’re probably getting, you know, people sniffing around at your, you know, at your, you know, kind of your externally facing boxes, it’s probably happening five, 10 times a day type of thing. So, you know, the notion is, is long gone, of we’re too small, nobody, you know, nobody’s going to care, because the bad guys are basically going to find you regardless.
So, you know, so it’s good for the company to improve your security posture. In many cases, it’s required for compliance, either vuln scanning or pen testing, or both. You know, so, so that’s kind of a requirement for anybody that’s kind of playing the, you know, playing the security compliance game. You know, and, you know, the one thing that I, you know, kind of wave the flag up, because this is a question that we’ll, you know, that we’ll get relatively frequently over the years is, you know, that people not understanding, you know, kind of, they, they think, oh, security testing. So we’re doing vuln scanning. So we’re good, right? You know, and no, vulnerability scanning isn’t penetration testing. So, you know, kind of, you know, a common misconception out there is, you know, is the fact that they are, you know, effectively kind of one and the same, if you will.
Well, I mean, I guess that’s the perfect segue, Adam. What is vulnerability scanning?
Vulnerability scanning. The way I like to relate it to people, it’s kind of similar to in this, because it’s something that everybody can relate to is antivirus, right? If you think about like your antivirus on your local machine, everybody’s had it for years and years and years.
Antivirus is basically a pattern recognition system. It’s a piece of software that sits on whatever machine is deployed to. It’s looking at files that are kind of hitting the machine and it’s saying, oh, okay, I see a file and I have a series of patterns for files. And if the file that I’m seeing matches a pattern that I’ve got, then I put the two together and I throw an alert. This pattern recognition type approach is the same thing for vulnerability scanning. It’s basically a piece of software that uses pattern-based recognition with that similar approach of, hey, if I match something that’s not good, then I’m going to go ahead and report it.
Yes, what exactly does it cover?
Well, vulnerability scanning will generally handle or cover, I call it the low-hanging fruit in the security space, stuff that’s easy to find, stuff that’s easily detectable. It’s looking at kind of the target host vulnerabilities that are detectable. So typically when you go and you set up a vulnerability scanner, you’ll set it up with, hey, I wanna go in and scan these particular hosts or these particular kind of destination addresses or this range of addresses type of thing. And then you punch the go button.
And the thing will just basically go churn through. It’s really looking for host layer and net layer vulnerabilities primarily. It can detect things like patching and OSs, settings on the machine that are set incorrectly. Maybe the target device is capable of transmitting information in an insecure manner. Things along those lines are the types of things that you would generally kind of cover in terms of the vulnerability scanning itself.
Okay, well, nothing’s perfect. So I guess we’re, where do you see the disadvantages kind of come in on this? I guess I think I imagined a lot of folks out there are thinking the same
Um, so, you know, the one thing to keep in mind with, with vulnerability scanning and, you know, organizations kind of feel good about, oh, we’re running vulnerability scan. So we must not have vulnerabilities. No, it doesn’t, it doesn’t work like that. Uh, you know, it, it will, it will provide coverage for, uh, you know, for, like I said, a certain portion of vulnerabilities. And it’s a, it’s really a good and efficient tool for, for catching that low hanging fruit, but it can’t cover everything.
So when I say that, you know, things like your wireless systems, um, you know, actual websites themselves, uh, you know, in the code that’s, you know, goes into those websites, especially like an authenticated website. You know, vulnerability scanning is going to be going in, looking at the pages, et cetera. Um, you know, uh, you know, APIs, uh, APIs and web services, um, you know, web-based mechanisms for transmitting and receiving data from websites. Um, you know, it doesn’t cover things like that. There’s a number of other elements that typically get, you know, we get, you know, kind of throw it, thrown into the, into the security testing arena. They’ll talk more about on the pen testing side, um, you know, but it doesn’t cover all of those things. It’s really easy to deploy, um, you know, your external scanning. So external scanning effectively means I’m doing a vulnerability scan of the, of a target, you know, a series of targets from an external perspective. So if my hosting, whatever, but if my hosting happens to be in Wyoming, and then I’m testing from New York or I’m testing from Asia, you know, wherever, somewhere outside of the target location that I’m, you know, that I’m heading to, that’s external scanning. Um, but internal scanning, in other words, scanning from the inside of the network, that’s going to require some type of an internal host be configured in order to kind of position the scanner so that it can see the various assets from the inside, um, you know, and it is important for organizations to do both external and internal scans, um, you know, just because externally, there’s going to be a certain, hopefully a more limited range of capability, connectivity available to the outside. And generally speaking inside, there’s a lot more, you know, accessibility between devices and machines, which is a reason why you definitely want to, uh, want to make sure you’re doing the internal scans as well.
Um, the internal scanning or the internal testing, whether it’s vulnerability scanning or penetration testing, um, that’s important because, you know, if you happen to get hit with like a zero day or, you know, whatever, somebody accidentally leaves a, you know, an open, you know, was doing some testing with the firewall, forgot to close it or something along those lines. Now, all of a sudden, you got bad guys on the inside of the network. And now that’s a problem. Now they’re going to take advantage of whatever vulnerabilities exist on that internal network to try to do damage or achieve their objective, whatever the case may be.
Um, you know, one of the, uh, one of the issues, um, with the internal side is just challenges in being able to, to provide, you know, multiple site coverage, uh, you know, for scans. So if you’ve got, you know, a corporate net, you know, you’ve got your hosting’s over at hosting company. And then I got a corporate network and then I’ve got sales offices, that type of thing. It becomes a lot more difficult, uh, kind of setting up, uh, internal scans, especially where that networking, uh, doesn’t already exist to get those sites connected.
You know, and the, and the last kind of disadvantage, if you will, or main disadvantage of the vulnerability scans, you know, over other forms of testing is since it’s just pattern recognition, there’s no brains behind it. Um, you know, the chance of the false positives are that much greater, uh, when you’re doing vulnerability scanning over say, penetration testing, um, because the scanner is basically dependent on what it’s seeing in order to, you know, kind of make the call about, you know, do, do I see a perceivable issue based on the pattern or not? That’s kind of the, the limit, if you will, of the, of the, of the smarts that goes into, uh, into the results on a vulnerability scan.
Sure. Okay. Well, you’ve teased it a few times in that last little portion. What is penetration testing?
Well, penetration testing is an engagement where, and this is something for folks to keep in mind, is that vulnerability scan, running a vulnerability scan is like one of likely a dozen plus different tools that would be involved in a penetration testing engagement. The big difference between the two is the fact that penetration testing is being performed by experienced security engineers. In the security and compliance space, there really weren’t a lot of kind of rules, if you will, about how should we do it and whatnot. And over the course of the last several years, there’ve been a lot more kind of certifications kind of have come out about what’s an appropriate methodology for doing penetration testing, et cetera. So a lot more of that detail’s come out, which actually has done a lot to improve the kind of the capabilities of the penetration testing that’s being done. But the key is the kind of the manual sweat equity, if you will, of experienced security engineers being involved, it provides a huge advantage.
And oftentimes, when you’re doing a penetration testing engagement, on a vuln scan, you go and you run the scan and oh, I’ve got these five problems. You don’t, yeah, you can kind of phone a friend and maybe, depending on who’s doing the scanning, they may be able to give you a little bit of extra guidance, but primarily it’s whatever’s on the report and good luck, right? When you’re doing a penetration testing engagement, oftentimes you have the ability to go in, have a conversation with the testers, your motion alarm just went off. So you get the opportunity to work with those folks and get answers, ask questions. Hey, can you double check this? And well, that type of thing, more interchange happens on a penetration testing engagement. So that remediation, validation, which is often required for compliance, that’s something that you’ll want to do as you’re going through your penetration testing. So yeah, that about covers the high level for pen testing and what it’s all about.
OK, so I mean, what can it cover then, I guess?
So pen testing covers like literally a myriad of things. So I’m going to keep it to kind of the core elements first. So in keeping in mind, any of these items can get done externally or internally. Again, with penetration testing, yes, you want to do both of those, because for the same reasons that we were just talking about with the vulnerability scanning, you want to take a look at the inside of the network and really get the smarts of a security engineer in there. It’ll cover things like the network layer, web applications and websites, especially those which, let’s say that you’ve got some type of a web portal that has a login, as an example, on a penetration testing engagement, you’d be able to provide credentials to the tester so they can get in behind the login screen. That way you’ll know if you’ve got an authenticated user on your web portal, now what things can they get into, do, see, et cetera. These days, you almost have to run under the guiding assumption. Somebody’s going to be able to get behind the walled garden access to the web application and when they do, what types of things can be seen there. Certainly, there’s a level of depth for web services and APIs, I was saying earlier, that it’s kind of like a technical solution for both transmitting and receiving data between parties. You can go in and do that type of testing. You can also do testing validation of wireless systems through a penetration testing engagement as well. So there’s a number of elements that would typically fall into the core offerings.
And depending on the testing firm, they’ll typically want to layer in or offer several other various things. Things like social engineering, email phishing, physical access validation and so it just depends on the capability of the testing company. One of the things that I would recommend, certainly if the listener is at an organization where you are kind of easing into this for the first time, I would definitely recommend just keep it focused, do penetration testing over vuln scanning because you gain several advantages which actually I’m kind of leaping into the next topic. So I’ll pause for getting ahead of myself.
Well, no, I mean, go ahead at this point in time.
Yeah, well, like the why is, you know, pen testing better than vulnerability scanning? You know, literally, you get full coverage. You’ve got, you’re covering your, you could, depending on the scale scope of your penetration testing engagement, you’d be doing things like covering all of your production systems, covering any development systems, your corporate office, sales outposts, testing of like select remote workers, your wireless systems, web applications, you know, this is just, pen testing is an entire different league than, you know, than vulnerability scanning.
Yes, fair warning for those that haven’t already, you know, kind of gone down this path. The price tag for pen testing is also dramatically higher than vulnerability scanning. That said, you know, what I typically recommend to folks that are kind of, heading in this direction? Honestly, I’d recommend, there’s a lot of organizations that want to kind of take the approach of, well, we’re going to go in and we’re going to run vulnerability scans, and then we’re going to, you know, we’ll work through all of those issues. And then at some point down the road, we’ll go in and do pen testing. And I’d honestly recommend to folks, don’t do that. Instead, take advantage of the fact that, you know, one of the, you know, advantages of penetration testing is that you’ve got real live human beings that, you know, with brains that are, you know, that are working through this, you know, that you’ve got the depth of experience that they have of going through and doing this type of testing.
And one of the biggest advantages is that reduction, it’s a really high reduction of false positives, you know, it’s not a pattern scan, right? So the security engineer’s going in and they’re using their head and they’re checking things, checking in three, four spots. Now this one really isn’t an issue in here. So why? Okay, great. And knock it off the list, et cetera. So, you know, to give you, to give you an example, I had an organization some years ago that they basically popped out of the woodwork because they had run and they had run an internal vulnerability scan and had received a 1,500 page report that popped out of their scan, out of their vulnerability scanner and basically threw their arms up and they were like, oh, and so I said, look, you know, we could pore through this 1,500 page, you know, blah, blah, blah. And this could literally take us, you know, take, take months to cook through or, you know, let’s just move over and do the pen testing. And, you know, that way we can figure out of this 1,500 pages, what stuff’s real, not, you know, boil it down, et cetera. And the coolest part was the resultant kind of internal penetration testing report that ended up coming out, identified something akin to 25 to 30 different issues and then mapped it all out against the target systems, right?
So it’s just a different view, right? A vulnerability scan is going to go look in S system and it’s going to list, you have the, all of these vulnerabilities, right? Well, it was just basically, it was the elimination of the false positives and the consolidation into something that’s manageable that allowed them to kind of be able to make sense of it, if you will. So that was just, you know, kind of a huge advantage for that particular organization.
Okay well let’s talk about the other side of the coin here. What are the pitfalls of penetration?
Well, you know, I actually ran a, I’ve been involved in pen testing for probably 15 or so years. And actually, at one point, they ran an organization doing deep dive pen testing. And, you know, really before a lot of those requirements came out about how you should do penetration testing, and you know, what are the appropriate things that you should include and do and what marks do you have to hit and how do you do it properly? I’m not kidding.
And even today, it’s still it’s the wild pen testing is like the wild west of security testing. It would be the best, the best, the best general, you know, overview. The reason is, is that, you know, everybody tries to go and get their own kind of competitive advantage, right. And so, you know, you’re gonna, you’re gonna see everything from some companies that are hawking these, you know, penetration some using my finger air quotes penetration scans, you know, which basically, they’re not much more than just a glorified vulnerability scan, you know, with whatever, sniff the reporting and assurances that this, you know, flashy look and feel vendor is, you know, is hawking, you know, for pennies on the dollar compared to doing a, you know, compared to doing a penetration testing appropriately. Um, you know, so that’s kind of I almost call that at the low end of the scale is the is the folks hawking the penetration scans. At the other end of the spectrum, you’ve got, um, you know, you’ve got it, you get this feeling, right, as you’re dealing with the company, you’re, you know, the kind of that sleazy feeling is they’re trying to jam all sorts of services down your throat, right? You know, kind of that car salesman feel is what you can, you kind of wash yourself afterwards, you know, where they’re, they’re trying to sell you this and sell you that and sell you that, or we could throw in this other thing. And oh, by the way, we could, you know, go ahead and get an entire team of people that could come and sit in your office for three weeks solid and, you know, and then we’ll of course, we’ll have to house them and feed them and, you know, why don’t we have to pay for flights and you know, and blah ninjas will be dropping out of the ceiling tiles for testing and yada, yada, yada, yada, right.
And so, you know, there’s there’s just there’s a just a ton, there’s a ton of both variability. And the other the other interesting part, you know, having experienced numerous organizations, and they’re doing a penetration testing, it, you know, there’s there’s also just a range, a range of capabilities, it’s kind of, it’s kind of wild if you’re if you’re just walking into this cold, and, you know, go googling penetration testing companies, I mean, there’s going to be a very wide spectrum of capability that you know, which is that you know, the net result, and the problem for the, you know, kind of the every man, your every woman is that you don’t have any idea if you know, if this one that I googled is better than that one, I’m sure I could go in and look at review sites and blah, blah, blah, but you know, how much of that is reality. So it’s just it’s a, it’s kind of a different, a different animal.
And honestly, good, you know, finding good pen testing is a wee bit of a problem, if you will, even still
Well, I guess, I mean, that kind of begs the question then for a company seeking penetration testing, like, what would you recommend for, you know, as far as approach is concerned?
Well, you know, for somebody that’s kind of going into, you know, kind of going into this arena and trying to, you know, trying to go in and identify an organization for pen testing. So a couple of different recommendations. Number one, contact somebody that, you know, that knows something about the space that is, you know, has done it, has used, you know, use companies, hopefully somebody that’s used, you know, several companies, you know, but somebody that, you know, that, you know, and trust and get recommendations from them. You know, word of mouth, you know, your experience, you know, those are all things that will kind of play into it.
You know, the, the, the pen testing companies are not that much different than a lot of organizations in the security and compliance space in that, in that they’re really busy. You know, I mean, you may go find somebody that’s really good, but they can’t do a penetration test for 16 weeks, you know, you know, you might find somebody that’s, you know, really, really, really expensive that the socks and they can do it tomorrow. You know, you know, they might find somebody that’s cheap that can do it tomorrow. So, you know, certainly getting somebody that, you know, talk them through, what was your, what was your process like? What was the approach that they, that they leverage? Did they do what they said when they said they would do it? Were they, did they have their act together? Did they deliver their reports on time? How’d their reports look? You know, were they, were they good and easy to, easy to leverage? Was it a, you know, kind of a clean interchange, you know, that type of thing. There’s a lot of things you can kind of get into, but generally speaking, when you’re going in and, you know, kind of going back to that, you know, kind of prior example of the, you know, they got the companies at the one end with the pens, penetration scan. You got the other ones with ninjas falling from ceiling tiles. You know, you can imagine, right? With that range of, of effectively associated effort with what they’re actually doing to go execute, you’re gonna end up with a range of pricing. So just for kicks and giggles at one point in the game, I literally took the same scope, the same scope, like same number of external this and the same number of internal that. And I went to three different companies and one was more in the pen scan. One was more in the ninjas fall from ceiling tiles and one was somewhere in the middle. And I’m not kidding you. The pricing was just staggering the differences. 
So, you know, in one case I was getting a, I don’t know, it was like 4,500 bucks or something for the pen scan. I had 45,000 bucks for the ninjas falling from ceiling tiles. And then the one that was getting in that mid range arena, you know, was somewhere in the, you know, somewhere in the, you know, kind of 12 to 16 grand area, you know?
So, you know, as you’re looking at, looking at pricing and especially for those that are just kind of walking into this space, I can’t tell you how many companies I’ve seen where whoever it is, you know, get sticker shock and instantly just grabs the one that they did. They, whatever it is, it’s the one with the lowest price go, right? And it, don’t take the lowest price. Don’t do it.
You, because here’s the deal. You might as well, if you’re going to take the lowest price pen tester, then you might as well spend a quarter of that and go do vulnerability scanning. You know, because basically you’re going to land up at the same thing, you know, short of all of their marketing baloney from the pen scan, you know, style companies, you know, so to start, say, take somewhere in the middle, you know, you know, based on your field, based on your recommendations, all that fun stuff, that middle of the road approach, it’s typically a good mix of approach and process and efficient delivery model. They’re not, there’s no reason why you, okay, not no reason for anybody that is just kind of dialing in on the technology stack. There’s really no reason that they have to sit there in your office and you know, be running things from there. They should be able to do everything remotely.
Boom. There’s a whole swath of costs that get locked out of it. But you know, you just want to take somebody, it’s kind of got a reasonable middle ground approach and process with efficient delivery, not bringing people on site, et cetera. Then you’re going to land up with kind of that, you know, whatever, from the, from the scan to the ninjas, you’re going to probably end up somewhere in the belt, the one third away from the, you know, one, one third up the scale away from the scan and you know, still got two thirds before you get to ninja level, you know, type of thing. And you know, the other, the other piece of it is, you know, is that the, to look out for, if you will, is when you’re going through on your first time, you know, kind of first time running through, you know, a lot of these companies are wanting to go fold in, you know, fold in, you know, phishing, email phishing, great example, or so, or social engineering, you know, and they’ll, they’ll talk it all up and blah, blah, blah. But you know, here’s the deal at the end of the day, you’ve got a company that’s just getting into this space for, you know, for security and compliance, unless you just need to, the most important part is get your hands around like, what are my real problems? Yeah. What are my actual gaping holes? And from a technology perspective, that should be the first step.
I almost look at phishing and social engineering. Well, it’s got its place. Yeah. You know, it’s also, it’s almost kind of like for, especially for an inexperienced firm, it’s like taking candy from a baby.
So why pay for them telling you something you already know, which is that, you know, we’ve got a lot of growth to do, right? Let’s get, let’s plug all the holes first. And then as the, as the organization becomes mature and seasoned and whatnot, you know, then let’s go ahead and start folding in, you know, dialing up the heat, if you will. You know, so, so take a, you know, kind of a middle mid range approach there too.
The last piece of, you know, kind of recommendation on approach is, you know, there’s a lot of organizations out there. So, you know, when I talk about, I’m going to tell you, I’m going to kind of explain remediation testing for a second. So remediation testing is. You’ve gone in and you had your penetration test done. They said that you had 25 vulnerabilities externally and internally that you need to go get addressed. And so what remediation testing is, is the company goes in, addresses those issues and goes back to the testing team and says, hey, I’m ready for you to go in and, you know, for you to go in and double check that this is, you know, this is actually closed. Remediation testing is required for most of the security compliance standards out there, you know, and whatnot.
Now, back to the, you know, what I was gonna recommend. If you think about it this way, penetration testing companies are dealing with organizations that are in a broad range of capability, everywhere from what’s a pen test to we’ve been doing it for a decade. And so they have to kind of account for the brand new company that’s gonna have 2000 vulnerabilities, that’s gonna take a boat ton of time to go through all the remediation testing. So oftentimes you wanna be careful of those that are just either folding in remediation testing or that put in some type of like a limit on the penetration testing. So, you know, a lot of these companies, and I get it, they’ve gotten burned, right? So it can’t be a never ending story of sure, we’ll just keep burning resources and whatnot. To go do 85 million rounds of remediation testing when the client doesn’t take it seriously, doesn’t fix their stuff, whatever. So, you know, to that end, you know, we’ve got, you know, you wanted to basically look for an organization that, you know, taking a good approach for the remediation testing, preferably, if you can get a good recommendation of an organization that will just kind of handle the remediation testing hourly, that’s often a better deal for the organization that’s going through it, you know, versus, you know, walking in blind with some cap limit on, we’ll do one round of remediation testing and we’re gonna give you, you know, 10 hours of time, you know, whatever it may be, or somehow they bound it or limit it, right? We’ll clear this many issues or we’ll, you know, limit it for this period of time. If you don’t know walking in, are you gonna have, you know, you’re gonna have 2000 vulnerabilities or 20, you know, is this approach to, you know, to the agreement, is this gonna turn into a black hole, you know, type of thing?
You know, that’s kind of the, you know, kind of the concern. So, you know, just be careful.
You don’t want, especially for those that just, quote, fold it in, you know, they have to allocate for the companies that don’t have it together. So if your organization sort of does, then, you know, you’re gonna basically end up paying for the sins of the other people that haven’t been taking their security seriously, right? And so, you know, that’s just something from a pricing perspective. If that remediation is kind of set off to the side, now you can get apples to apples on the actual test. And then you can see what’s it gonna take to go get my remediation done. It’s just a better way for the target organization to go in and look at that, at that, the comparative of company, you know, the pen testing scan company versus the middle of the road company versus ninjas falling from ceiling tiles. The only thing you’ve got is just the pen testing. In there, now you’ve got a much better chance of getting an apples to apples comparison.
That makes a ton of sense. Gosh. I think that checks all the boxes out. Sweet.
And that right there, that’s the good stuff. Well, that’s all the time we have for this episode of Compliance Unfiltered. I’m Todd Coshow and I’m Adam Goslin, hope we helped to get you fired up to make your compliance suck less.