code4thought

SOFTWARE QUALITY

Technology Company - Proactively securing a critical public-facing system from the inside out

The Challenge
A major tech company deployed a public-facing system critical to its operations. The system was developed by two separate vendors, which introduced communication complexity and potential security risks. The company sought deep insight into whether the system adhered to industry-recognized secure coding best practices and was built with "security by design" principles in mind. This was crucial for proactively detecting and addressing application-related vulnerabilities as early as possible in the development lifecycle.
Key Challenges:
Multi-vendor development: Ensuring consistent adherence to secure coding best practices across teams from different vendors.
Early vulnerability detection: Identifying and remediating vulnerabilities before attackers could exploit them.
Cost optimization: Minimizing the cost of fixing vulnerabilities by addressing them early in the development process.

Continuous Security Monitoring

To address the multi-faceted challenge of ensuring secure coding best practices and early vulnerability detection, C4T/SIG implemented a comprehensive application security monitoring program leveraging the Sigrid platform. This solution provided continuous insights, expert guidance, and automated analysis, empowering the development teams to build secure systems through continuous feedback.

Onboarding and Baseline Assessment

The one-month onboarding process began with bringing the teams into the Sigrid security stream, followed by a dedicated technical session. More specifically:
Team Onboarding: The C4T/SIG team first onboarded the company's development team within the Sigrid security stream. This involved training and familiarization with the platform and with secure coding best practices.
Technical Session: A collaborative session was held to understand the application's purpose, identify sensitive areas, and validate the system's logical view within the organization. This provided a foundational understanding of the critical and sensitive areas within the application that would need prioritization.
Initial Software Security Analysis: Our experts performed a comprehensive analysis combining Static Application Security Testing (SAST) with secure code review activities in order to identify vulnerabilities and potential security weaknesses within the application.
Findings and Mitigations: The findings were presented to the team, validated, and accompanied by actionable advice for remediation. This initial assessment established a baseline security status for the application.

Continuous Monitoring

Once the onboarding process established a baseline security status, the system entered the continuous monitoring phase. This crucial stage included:
Automated Analysis: The Sigrid platform continuously monitored code changes and dependencies. Software Composition Analysis (SCA) automatically scanned for vulnerabilities in external libraries.
Semi-Automated SAST: A static application security test (SAST) was conducted on every new upload, but with a crucial twist: C4T/SIG experts triaged the results, eliminating false positives so that developers received only actionable findings.
Manual Code Review: Expert consultants conducted in-depth code reviews using the SIG Security model, which is based on ISO 25010. This aimed to identify missing security countermeasures and to analyze existing ones for their effectiveness.
Communication and Remediation: Findings from both automated and manual reviews were promptly communicated to the development and security teams, along with recommended mitigations. This facilitated prompt remediation and improved overall security posture.
C4T/SIG delivered tangible results, improving the company’s security posture and empowering its development team.

Key Vulnerabilities Identified

The solution detected several critical vulnerabilities falling into categories of the OWASP Top 10 Application Security Risks (2021 edition):
Security Misconfiguration (A05:2021): Improper system configurations were identified and rectified, reducing attack surfaces.
Vulnerable and Outdated Components (A06:2021): Outdated libraries and dependencies with known vulnerabilities were replaced, mitigating potential exploits.
Security Logging and Monitoring Failures (A09:2021): Gaps in logging and monitoring were addressed, enhancing the ability to detect and respond to security incidents.
Cryptographic Failures (A02:2021): Improper use of cryptographic algorithms and functions was corrected, strengthening data protection.
Injection (A03:2021): Vulnerabilities allowing attackers to inject malicious code were identified and closed, preventing unauthorized access.
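Two of the points above, the semi-automated SAST whose results experts had to triage for false positives, and the Injection (A03:2021) findings, can be made concrete with a small illustration. The following is an added example written for this page; it is not code from the case study, from Sigrid, or from the company's system. It shows the "before" pattern (SQL built by string concatenation) next to its hardened, parameterised form on a constructed in-memory SQLite table, and a deliberately crude, regex-based SAST-style rule (`flag_concatenated_sql`, a hypothetical name) run over a few constructed source lines, one of which it flags incorrectly. That false positive is exactly the kind of noise a human reviewer filters out before findings reach developers.

```python
import re
import sqlite3


def make_db():
    """Constructed sample database: a tiny users table so the example runs offline."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, role TEXT)"
    )
    conn.executemany(
        "INSERT INTO users (username, role) VALUES (?, ?)",
        [("alice", "admin"), ("bob", "user")],
    )
    return conn


def find_user_vulnerable(conn, username):
    """The 'before' pattern (A03:2021 Injection): user input is pasted into the SQL text.

    A value such as "' OR '1'='1" changes the meaning of the WHERE clause and
    returns every row instead of at most one.
    """
    query = "SELECT username, role FROM users WHERE username = '" + username + "'"
    return conn.execute(query).fetchall()


def find_user_hardened(conn, username):
    """The remediated form: a parameterised query.

    The driver binds the value separately from the SQL text, so the input is
    only ever compared as data and cannot alter the query structure.
    """
    return conn.execute(
        "SELECT username, role FROM users WHERE username = ?", (username,)
    ).fetchall()


# Crude SAST-style rule (hypothetical, for illustration only): a string literal
# that starts with a SQL keyword and is immediately followed by '+' concatenation.
SQL_CONCAT = re.compile(
    r"""["'](?:SELECT|INSERT|UPDATE|DELETE)\b[^"']*["']+\s*\+""", re.IGNORECASE
)


def flag_concatenated_sql(source_lines):
    """Return 1-based line numbers where the rule fires.

    Pattern matching on text cannot tell a SQL statement from an unrelated
    string that happens to begin with "select", so this rule produces false
    positives; in the monitoring process described above those are removed by
    expert triage before developers see them.
    """
    return [i + 1 for i, line in enumerate(source_lines) if SQL_CONCAT.search(line)]


# Constructed source lines standing in for an uploaded code change.
SAMPLE_SOURCE = [
    'query = "SELECT * FROM users WHERE name = \'" + name + "\'"',   # true positive
    'cur.execute("SELECT * FROM users WHERE name = ?", (name,))',    # safe, not flagged
    'label = "Select all" + suffix',                                  # false positive
]


if __name__ == "__main__":
    db = make_db()
    probe = "' OR '1'='1"
    print("vulnerable:", find_user_vulnerable(db, probe))   # both rows leak
    print("hardened:  ", find_user_hardened(db, probe))     # no match
    print("SAST rule flags lines:", flag_concatenated_sql(SAMPLE_SOURCE))
```

Running the block shows the concatenated query returning both users for a single malformed input while the parameterised query returns nothing, and the regex rule reporting lines 1 and 3, of which only line 1 is a real finding.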

Tangible Benefits

By leveraging C4T/SIG, the company achieved a more secure and efficient development process. Our solution empowered its development team with actionable insights, leading to a significant improvement in the security posture of their public-facing system.
100% Fixes for Critical Vulnerabilities: All identified critical vulnerabilities were successfully remediated, significantly reducing the system’s attack surface and potential security risks.
Enhanced Security Posture: The development team gained a deeper understanding of secure coding best practices and implemented them more effectively, leading to a stronger overall security posture.
Increased Security Awareness: The continuous feedback loop raised awareness of security issues among developers, fostering a culture of security-conscious coding.
Clear Visibility into Dependencies: Comprehensive analysis of external dependencies provided a clear picture of associated risks, enabling informed decision-making about their use.