Application Risk Profiling

The Challenge

A longtime client had already identified the need to conduct regular application security assessments against their extensive suite of applications in order to meet an executive mandate. The following year, once the initial round of testing had been executed, the client had to fit their testing budget against a growing list of applications. It quickly became evident that the assessment services budget would not be able to cover all applications, and hard choices would have to be made.

The Solution

Security Compass deployed a client-trusted consultant to guide the client in prioritizing applications to schedule for assessments. The process involved:

  • Querying application repository databases to collect a comprehensive list of the organization's applications across different platforms and delivery channels.
  • Engaging the client security team and PCI team to derive the organization's compliance drivers.
  • Facilitating work groups to classify data associated with applications.
  • Deriving a prioritization scoring system that takes artifacts produced from the above applications and can be applied to all applications.
  • Integrating an assessment schedule for all applications so that a given application is assessed according to its risk profile and its compliance mandate.
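As an added illustration (not the client's scoring system or Security Compass code), the following Python shows how such a prioritization score can turn the artifacts gathered above (data classification, delivery channel, PCI scope) into a priority, a compliance-aware assessment cadence and a budget-constrained annual schedule; all weights, tiers, cadences and the sample portfolio are assumed.

```python
from dataclasses import dataclass
# Assumed weights, tiers and cadences (illustrative, not the client's actual system).
DATA_CLASS_SCORE = {"public": 0, "internal": 1, "confidential": 3, "restricted": 5}
CHANNEL_SCORE = {"internal": 0, "partner": 2, "internet": 3, "mobile": 3}
PCI_SCORE = 4                                     # compliance driver raises the score
PRIORITY_FLOORS = [(9, 1), (6, 2), (3, 3)]        # (minimum score, priority); else 4
CADENCE_DAYS = {1: 180, 2: 365, 3: 730, 4: None}  # Priority 4: assessed only on change
PCI_MAX_INTERVAL = 365                            # compliance mandate caps the interval

@dataclass(frozen=True)
class App:
    name: str
    data_class: str                # from the data-classification work groups
    channel: str                   # delivery channel from the application repository
    pci_scope: bool                # compliance driver from the PCI team
    days_since_last: int = 10_000  # default: never assessed

def risk_score(app: App) -> int:
    return DATA_CLASS_SCORE[app.data_class] + CHANNEL_SCORE[app.channel] + (PCI_SCORE if app.pci_scope else 0)

def priority(app: App) -> int:
    return next((p for floor, p in PRIORITY_FLOORS if risk_score(app) >= floor), 4)

def assessment_interval(app: App):
    days = CADENCE_DAYS[priority(app)]  # risk cadence, tightened by the PCI mandate
    return min(days or PCI_MAX_INTERVAL, PCI_MAX_INTERVAL) if app.pci_scope else days

def assessments_due(app: App, horizon: int = 365) -> int:
    interval = assessment_interval(app)
    if interval is None:
        return 0
    first_due = max(0, interval - app.days_since_last)  # overdue apps are due on day 0
    return 0 if first_due >= horizon else (horizon - first_due - 1) // interval + 1

def annual_schedule(apps, budget: int):
    scheduled, deferred = [], []  # highest risk first; deferred apps roll to next year
    for app in sorted(apps, key=lambda a: (-risk_score(a), a.name)):
        needed = assessments_due(app)
        if 0 < needed <= budget:
            budget -= needed
            scheduled.append(app.name)
        elif needed:
            deferred.append(app.name)
    return scheduled, deferred

PORTFOLIO = [  # constructed sample portfolio
    App("payments-web", "restricted", "internet", True),
    App("mobile-banking", "confidential", "mobile", False),
    App("card-batch", "internal", "internal", True),
    App("partner-portal", "internal", "partner", False, days_since_last=400),
]
```

With a budget of four assessments the two highest-scoring applications are scheduled (the Priority 1 application three times within the year) and the rest are deferred to the next annual review.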

The Results

Our application profiling and prioritization project resulted in a documented assessment schedule that was applied to ensure that all high-risk ("Priority 1 and 2") applications were assessed in time and under budget. The client now applies the repeatable risk profiling strategy to all newly developed applications and revisits these profiles annually to ensure proper budget and resource allocation, while achieving maximum testing coverage of their most critical applications.

Network Penetration Test

The Challenge

Subsequent to a security incident, a software development company sought an external network penetration test in order to identify other potential avenues of exploitation that could facilitate access to the company's IT infrastructure.

The Solution

To meet the client's goals for the network penetration test, Security Compass proposed the following solution:

A time-boxed external network penetration test against a representative subset of systems of various profiles.

The Results

The assessment team identified critical vulnerabilities that led to the compromise of a public software repository, the organization's cloud presence, and access to the organization's internal network. As systems were compromised, the assessment team elevated privileges and exploited trust relationships between systems, gaining access to further systems and infrastructure. The deliverables included a detailed technical report documenting the various vulnerabilities and tactical remediation measures, as well as an executive report containing strategic recommendations for systemic problems and a number of security initiatives to improve the company's security posture.

Subsequent to the network penetration test, the assessment team produced a bespoke slide deck entitled "Attack Patterns and Defense", geared towards helping defenders think more like attackers. The content comprised various strategies employed by attackers, supported by practical video-based examples taken directly from the recently completed penetration test. The presentation was delivered to both engineering and architecture personnel.

Mobile Security Assessment

The Challenge

This project involved evaluating the security posture of a new release of a client mobile banking application. The application had to be evaluated on several platforms, and across the presentation, logic, and data tiers. All of this was performed under a tight time constraint.

The Solution

In order to evaluate the application across several tiers, Security Compass combined runtime penetration testing and source code review of both platforms concurrently. By performing source code review and penetration testing at the same time, Security Compass was able to utilize results from each phase to help the other. Findings were presented to the client at the end of each business day.

The Results

Security Compass was successful in identifying vulnerabilities across all platforms and tiers tested. By parallelizing testing efforts, Security Compass was able to complete the project before production deadlines and provide the client's executive team with an in-depth report covering the business risks of the vulnerabilities identified. The successful project led to future mobile engagements with the client.

Remediation Guidance

The Challenge

The client leveraged an existing, long-term relationship with Security Compass to assess an extensive collection of their applications on an annual basis. However, the sheer breadth of the testing scope resulted in the discovery of hundreds of vulnerabilities, several of which were deemed critical-risk. The task of remediating these vulnerabilities in a timely fashion soon became overwhelming.

The Solution

Security Compass deployed a remediation consulting staff augmentation that consisted of the following activities:

  • Establishing and finalizing a remediation policy so that high, critical, and urgent-risk vulnerabilities are resolved in a timely fashion.
  • Liaising with development teams post-assessment to review vulnerabilities and their remediation solutions.
  • Interacting with development teams to draft a remediation plan to address vulnerabilities and adhere to organizational policy.
  • Developing metrics to track remediation progress and to communicate the organization's vulnerability landscape to executives.

The Results

Security Compass' remediation service helped the client reduce the average age of open vulnerabilities from 142 days to 90 days, achieving their milestone. Furthermore, the fix rate of security defects doubled over the course of this project.

Application Runtime Security Assessment

The Challenge

The client is a leading regional medical research institute required by law to have policies, practices, and procedures in place to protect the privacy of the data it stores, processes, and transmits. In addition, the organization is subject to a privacy audit once every three years by the regional government. The auditors not only assess compliance with regulation, but they also pay careful attention to the organization's approved policies, practices, and procedures.

One of the applications in the client's portfolio transmits private healthcare data across the Internet. The institute engaged us to help them meet appropriate security and validation measures ensuring that only authorized users could access private patient data.

The Solution

Security Compass performed a thorough web application assessment, focusing on restricted access to Private Information (PI) and Private Health Information (PHI) at rest and during transmission. The assessment primarily consisted of the following activities:

  • An in-depth, combined automated and manual code review to highlight any current vulnerabilities.
  • A proprietary Security Compass technique called Framework-Level Threat Modelling. The output of this activity included a catalogue of existing security features and missing controls in the framework.

The Results

The assessment revealed numerous holes in the application's security controls. We highlighted significant risk to PI/PHI and helped the development team address remediation, resulting in full regulatory compliance for the institute. We also created a customized executive presentation for the regional auditing body. Security Compass and this healthcare organization remain trusted solution partners in the delivery of annual information security assessments.

Security Requirements Gathering

The Challenge

The client had an ongoing desire to address security earlier in their SDLC process. The volume of application security assessments, executed via automated and manual runtime vulnerability assessments and static code analysis, resulted in hundreds of vulnerabilities. Many of these vulnerabilities were common across applications and could be eliminated by adhering to secure coding practices and thorough requirements gathering.

The Solution

Security Compass deployed a client-trusted consultant in a staff augmentation role to draft a baseline set of secure web application requirements. The elicitation of these requirements involved:

  • Engaging the client's security team to derive the organization's compliance drivers.
  • Liaising with business analysts and management to capture the organization's key business drivers.
  • Leveraging years of experience to decipher the current threat landscape.
  • Working with the existing security team in facilitated work sessions and focus groups to derive an initial list of baseline security requirements.
  • Prioritizing these requirements according to an application's business function and risk profile.
  • Identifying the SDLC phase at which a given security requirement can be implemented and verified.

The Results

Our security requirement derivation service resulted in an extensive baseline list of web application security requirements that the client can leverage to draft custom security requirements for future applications. Pilot projects were chosen to incorporate security requirement elicitation into their upcoming releases. As a result, these projects received an A-letter security grade when they were penetration tested prior to go-live.

Threat Model Express and the Energy Sector

The Challenge

An independent energy corporation identified the need to conduct a security assessment project producing a comprehensive measurement of the effectiveness of cyber security controls by reviewing their system operating environments, organizational structure, and constituent application components. The scope of the project included six (6) major nodal systems and subsystems that covered over 1,000 web pages, 16 different market roles, and data interfaces that consisted of 150 message types through 50 operations.

The Solution

Security Compass deployed two of its most experienced consultants to assess all applications in scope, and their surrounding environments, by implementing a multi-phased solution that began with threat modeling express. The process involved:

  • Connecting with the organization's stakeholders to identify the business goals and drivers behind the assessment.
  • Engaging architects and domain experts to gather information about the applications and the organizational architecture.
  • Facilitating a threat model express for each application to derive a prioritized list of technical and business logic threats.
  • Using the threat model output as input into runtime vulnerability assessments of the nodal systems and subsystems.
  • Knowledge transfer of the threat model express process and assistance in remediating identified vulnerabilities.

The Results

The threat modeling and runtime vulnerability assessments uncovered over 30 vulnerabilities, over 40% of which were critical or high-risk. Almost one-third of the discovered vulnerabilities were business logic related, and their discovery is directly attributable to the threat model express. The client was thoroughly briefed on the impact of these vulnerabilities and our consultants assisted in their remediation. The success of this project has led to multiple re-engagements of our consultants with this client to assess mobile applications and conduct training.

Wireless Network Assessment

The Challenge

A Large Insurance Company sought a wireless network security assessment in order to enumerate possible threats to the organization introduced by their wireless infrastructure.

The Solution

To meet the client's goals for the wireless security assessment, Security Compass proposed the following solution:

A multi-site wireless network assessment designed to reconcile all discovered wireless access points against the implemented solution, identify and localize anomalous access points, and review the configuration of these access points against company standards and information security best practices.

The Results

The assessment team performed a wireless network assessment at each of the satellite office locations, identifying several unauthorized wireless access points as well as a number of configurations that contravened local security standards.

The assessment team produced a report that included heat maps indicating where the various access points were identified within the office space, as well as distinct findings for the misconfigured and unauthorized devices, accompanied by photographic evidence for the latter.

As unauthorized devices were identified, the assessment team communicated the findings in near real time to local technical resources in order to provide an opportunity for tactical remediation. Where deviations from corporate standards were identified, the assessors sought further details and clarification that were used to furnish the findings in the report.

Where practical exploitation of weak configurations was deemed feasible, the assessment team proceeded to compromise the access points and gain access to the internal network, while recording the process in order to assist in communicating the severity and impact of all findings.

Wicket Framework Analysis

The Challenge

Wicket, by Apache, is a component-based web application framework for the Java programming language. A Major Pension Company needed to evaluate the benefits and drawbacks of introducing this technology in two of their internal web applications.

The Solution

The Security Compass team started off by obtaining an understanding of the applications' environment and their security requirements by interviewing the development and security teams during onsite visits and reviewing the system documentation.

Then they performed thorough research on the Wicket framework, focusing mainly on the security requirements that related to the client.

The team prepared a detailed analysis of the framework, listing all security strengths (for example, component-level authorization) and weaknesses (for example, no advanced built-in authentication feature).

The Results

For this client, Security Compass went one step further and evaluated how the new technology would affect the vulnerabilities that were found in the two applications during a recent vulnerability assessment, and provided a vulnerability analysis for each application.

Application Source Code Security Assessment

The Challenge

This financial institution developed their main transactional application on a proprietary framework. The combination of the lack of framework documentation and the large number of developers working on the application resulted in a high likelihood of security vulnerabilities. Migrating to a more robust industry-proven framework would require too much effort. The client engaged Security Compass to assess the state of the application and provide recommendations to improve the framework's security posture.

The Solution

Security Compass designed and carried out an assessment consisting of two major components:

  • An in-depth, combined automated and manual code review to highlight any current vulnerabilities.
  • A proprietary Security Compass technique called Framework-Level Threat Modelling. The output of this activity included a catalogue of existing security features and missing controls in the framework.

The Results

Security Compass drew on the strength of its resources to design and execute a plan customized to the client's requirements. The source code review revealed numerous business logic flaws scattered throughout the application's use cases, including ones that could be used to bypass authentication. The Framework-Level Threat Model further revealed systemic security flaws within the underlying framework. We made multiple recommendations to incorporate key security controls directly into the existing framework, reducing the risk of inadequate controls in future development. As part of the Framework-Level Threat Model, the team also delivered thorough documentation on the framework, highlighting the components responsible for security controls. The financial institution is now distributing the security documentation to all new developers as part of their ramp-up process.