This organization was a well-established (Inc 5000) software development company that provided financial and healthcare solutions.
Initial VAPT Assessment
The client employed 260+ IT and Software Development professionals. Their clients included high profile professional services, manufacturing companies, and government agencies who typically serviced clients in multiple industries.
The board of directors and the executive team understood that, given their clients' business-critical dependence on their solutions and the profile of their client base, a high standard of cyber security had to be maintained to ensure digital assets were always protected.
The board of directors and the executive team wanted to ensure that all software development followed best practices. They engaged Cycops to review the entire development lifecycle with the following requirements:
- Protection of Intellectual Property
- Reduce potential for supply chain
- Identify gaps in the current development
- Meet compliance requirements
Challenge
With ongoing cyber-attacks against the financial and healthcare industries, the client was concerned that an incident could cause widespread disruption and business interruption, which in turn could delay software update releases. They needed to deliver secure solutions without the risk of harm to their clients.
The client had also identified intellectual property risks in the development lifecycle, since 20% of their development team worked remotely using unmanaged workstations and servers.
Approach
Cycops completed a DevOps assessment to gain an understanding of the current DevOps approach by looking at the following elements:
- Process Review
- Technology and automation
- Measurement
- Strategy and Flexibility
- Secure Development Environment
- Compromise Assessment
- Report Gaps
- Redesign Development Environment
Process
Cycops' IT development and risk management team identified that security risk was being considered at all stages of a project lifecycle, whether for a new system or for changes to an existing system. The team also takes confidentiality, integrity, and availability into consideration at a minimum.
The Cycops team performed a full assessment of DevOps processes and tooling.
Cycops used the following standards as its methodology: ISO/IEC/IEEE 90003:2018 (Software engineering), ISO/IEC 15408:2009, and ISO 27001 Annex A.14 (System Acquisition, Development and Maintenance).
Key Findings
- No multi-factor authentication was in place for access to the development environment.
- Malware was found on multiple systems.
- API keys were publicly accessible.
- Development infrastructure was not air-gapped or segregated into development, test, and production.
- Live data was used for testing instead of sample data.
- Local and remote file inclusion (LFI and RFI) issues were identified.
- There was no centralized location for code validation.
- Publicly available code that was downloaded was not validated.
- Code was not peer reviewed before going to production.
- Code could be checked in remotely from unmanaged systems without verification.
- Multiple cases of unauthorized remote access to source code, outside working hours, via a developer's workstation.
- Multiple cases of open administrative sessions left between various servers.
Solution
- Provided a gap analysis and recommendations.
- Produced a road map and diagram of the proposed environment.
- Designed the new development infrastructure.
- Created a new VDI environment (segregated environment).
- Implemented security controls.
- Implemented Jenkins (master and slave, i.e. agent, nodes) and the SVN plugin.
- Ensured that Jenkins authenticates securely with SVN using a username and an SSL client certificate.
- Worked with the development team on the checkout process.
- Made revision number variables viewable.
- Produced technical documentation of the DevOps environment.
- Developed a secure development lifecycle policy based on the process.
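As an added example of the Jenkins-to-SVN authentication and revision-tracking items above (not Cycops' or the client's actual configuration), a declarative Jenkinsfile that checks out from Subversion with a stored certificate credential and records the built revision; the agent label, credential id and repository URL are placeholders.

```groovy
// Added example, not the client's pipeline. Assumed values:
// - 'build-agent' labels a Jenkins agent (slave) node inside the segregated VDI environment
// - 'svn-client-cert' is a Jenkins credential of kind "Certificate" for the build user
// - https://svn.example.internal/app/trunk is a placeholder repository URL
pipeline {
    agent { label 'build-agent' }   // build on an agent, never on the master
    options {
        disableConcurrentBuilds()   // one build per branch at a time keeps revisions unambiguous
    }
    stages {
        stage('Checkout') {
            steps {
                // Subversion plugin checkout over HTTPS. The credential supplies the
                // username and client certificate, so no password is stored in the job.
                checkout([$class: 'SubversionSCM',
                          locations: [[remote: 'https://svn.example.internal/app/trunk',
                                       credentialsId: 'svn-client-cert',
                                       local: '.']],
                          workspaceUpdater: [$class: 'UpdateUpdater']])
            }
        }
        stage('Record revision') {
            steps {
                // SVN_REVISION and SVN_URL are exported by the Subversion plugin after
                // checkout; recording them ties each artifact to a reviewed revision.
                sh 'echo "Building ${SVN_URL} at r${SVN_REVISION}"'
                writeFile file: 'build-info.txt',
                          text: "url=${env.SVN_URL}\nrevision=${env.SVN_REVISION}\n"
                archiveArtifacts artifacts: 'build-info.txt'
            }
        }
    }
}
```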
Company Overview
Cycops, an information security company, offers high-tech solutions and reliable, high-quality service in the field of information security. Clients can be confident that working with Cycops consultants is a more professional and less risky way to build information security capability than working entirely in house with their own people. At Cycops, we work with you to identify your potential and become more innovative, competitive and efficient, helping you grow in global markets. We provide a range of products and services (penetration testing, vulnerability assessment, Wi-Fi security, security architecture design, ISO 27001 compliance testing, ISO 27001 security audits, and incident response in case of a security breach, to name a few) to help clients conceptualize and deliver technology-driven business transformation initiatives.
We have a complete service package for companies interested in entering this growing market, and a team of highly qualified experts to assist our clients. Today, more than ever, companies depend on growth to build strong market value. But, as we know, growth is a double-edged sword: it comes only when one is secure.