Case Studies

Client

Global Payment Solutions Company

Type

Developer Training

The Challenge

In recognition of the organization's need to provide, develop, and deploy secure applications on the Internet and Intranet, the client sought assistance in providing application security training to their development and security personnel as part of a secure Software Development Life Cycle (SDLC). The training had to cover multiple programming languages and reach developers around the world.

The Solution

To meet the client's goals for the training curriculum, Security Compass proposed the following solution:

  • A series of instructor-led training classes on-site
  • Instructor-led classes off-site via video-conference and VPN (with the training lab environment available 24 x 7 for students to experiment with the attacks after class)
  • A series of computer-based training modules that the students could use on an ongoing basis, to ensure relevant staff were armed with the appropriate application security knowledge even when instructor-led training was not available

The Results

Security Compass achieved results by performing focused consulting and interactive, hands-on training, resulting in a new security-focused mentality from developers. We delivered security training for four different programming languages including Java, .NET, C, and Cobol. The post-training evaluations indicated overwhelming satisfaction and information retention from attendees. We built and deployed six custom computer-based training modules into the organization's learning management system, available to all developers across the enterprise.



Client

Large Financial Institution

Type

Multiple Application Runtime Security Assessment

The Challenge

This financial institution owns over 1000 domains for their various lines of business. As part of their proactive information security policies, the client wanted to assess all Internet-facing domains for the risk they posed to the organization and its client data. The project would ideally consist of assessing all domains, communicating any risks, and suggesting remediation steps to the appropriate business groups. Using an industry average of at least five person-days of effort per application, the project would take close to four years to complete.

The Solution

Working together with the bank's designated security experts, we developed a custom assessment strategy to first prioritize and then assess all domains within an eight-week schedule, on budget. We halved the number of domains to assess by identifying bank-owned hosting sites. We then assessed the remaining domains so as to reduce as much risk as possible in the budgeted time. The strategy consisted of:

  • Server-level assessment using automated tools and manual verification
  • An unauthenticated web assessment scan of each domain using an automated scanner with a carefully refined attack set
  • Manual verification and risk analysis of the findings
  • Manual assessment of components not covered by the automated scanner, as well as any complex attack scenarios

The strategy also included an application classification strategy to highlight higher-risk applications for a more thorough review.

The Results

During the engagement, several critical and high-risk vulnerabilities were discovered on the organization's public-facing domains. Security Compass consultants worked closely with the client's internal security and response teams to investigate the issues, as well as to guide the application owners in remediation. A complete and detailed list of over 300 low and medium-risk vulnerabilities was also delivered to the client's internal security team prior to disengagement. Security Compass consultants also identified some high-risk applications that required a more thorough review. Numerous critical-risk vulnerabilities were discovered in the authenticated portions of those applications, proving the effectiveness of the risk classification strategy used by Security Compass. This organization and Security Compass remain trusted solution partners in the delivery of information security services.



Client

Healthcare Research Institute

Type

Application Runtime Security Assessment

The Challenge

The client is a leading regional medical research institute required by law to have policies, practices, and procedures in place to protect the privacy of the data it stores, processes, and transmits. In addition, the organization is subject to a privacy audit once every three years by the regional government. The auditors not only assess compliance with regulation, but they also pay careful attention to the organization's approved policies, practices, and procedures.

One of the applications in the client's portfolio transmits private healthcare data across the Internet. The institute engaged us to help them meet appropriate security and validation measures ensuring that only authorized users could access private patient data.

The Solution

Security Compass performed a thorough web application assessment, focusing on restricting access to Private Information (PI) and Private Health Information (PHI) at rest and during transmission. The assessment primarily consisted of the following activities:

  • Checking the application environment for any server-level vulnerabilities
  • Ensuring roles and privilege levels were respected
  • Evaluating use of cryptography for data at rest and in transit
  • Verifying comprehensive logging and auditability of user actions
  • Validating user input for malicious data that could result in loss of integrity or confidentiality of data
  • Reviewing anti-automation and end-user protection measures

The Results

The assessment revealed numerous holes in the application's security controls. We highlighted significant risk to PI/PHI and helped the development team address remediation, resulting in full regulatory compliance for the institute. We also created a customized executive presentation for the regional auditing body. Security Compass and this healthcare organization remain trusted solution partners in the delivery of annual information security assessments.



Client

Major International Financial Institution

Type

Application Source Code Security Assessment

The Challenge

This financial institution developed their main transactional application on a proprietary framework. The combination of the lack of framework documentation and the large number of developers working on the application resulted in a high likelihood of security vulnerabilities. Migrating to a more robust industry-proven framework would require too much effort. The client engaged Security Compass to assess the state of the application and provide recommendations to improve the framework's security posture.

The Solution

Security Compass designed and carried out an assessment consisting of two major components:

  • An in-depth, combined automated and manual code review to highlight any current vulnerabilities
  • A proprietary Security Compass technique called Framework-Level Threat Modelling. The output of this activity included a catalogue of existing security features and missing controls in the framework.

The Results

Security Compass drew on the strength of its resources to design and execute a plan customized to the client's requirements. The source code review revealed numerous business logic flaws scattered throughout the application's use cases, including ones that could be used to bypass authentication. The Framework-Level Threat Model further revealed systemic security flaws within the underlying framework. We made multiple recommendations to incorporate key security controls directly into the existing framework, reducing the risk of inadequate controls in future development. As part of the Framework-Level Threat Model, the team also delivered thorough documentation on the framework, highlighting the components responsible for security controls. The financial institution is now distributing the security documentation to all new developers as part of their ramp-up process.



Client

Major International Financial Institution

Type

Software Development Life Cycle (SDLC) Assessment

The Challenge

The client was developing multiple web applications using a poorly documented Software Development Life Cycle (SDLC) process. Their waterfall-based SDLC resulted in undesirable time-to-market and a large number of security vulnerabilities deployed to production. The client's management developed a proactive security mindset and focused on the SDLC as the best place to improve the organization's overall application security posture.

The Solution

Security Compass developed a custom Agile, Scrum-based SDLC featuring key security enhancements including:

  • Implementation of a code review policy with secure coding standards
  • Implementation of Threat Modelling
  • Security unit testing required for new/updated code commits
  • Continuous integration and smoke test server

We also outlined recommendations on how to realign existing development practices with the proposed process. Security Compass provided further added value by prioritizing the recommendations and articulating the benefits provided by each change.

The Results

Although the engagement is still in progress, Security Compass has developed and delivered a comprehensive document describing the new Secure SDLC process, with template documents and deliverables that can be used right away. The next milestone was to create secure coding guidelines, both language-specific and with modules for the client's specific framework. These documents and an accompanying checklist are currently being used as part of a new code review process in the SDLC. Security Compass has since strengthened its relationship with this organization and now plays the role of a trusted security advisor to the VP of Development.
