The Problem
JUMPSEC was contacted by a large retailer that was in the process of driving sales online and, as such, had an aggressive software development plan to achieve this. The nature of the engagement was to conduct web application testing against the company’s applications prior to them going into production.
As a result of our testing, high-risk security issues were consistently identified in the applications’ logic, which required, on average, a six-week remediation process and delay to resolve. This was a substantial development overhead, and caused significant financial impact and disruption to the hard business deadlines.
The Solution
To address this problem, JUMPSEC worked with the Client to embed security into the development lifecycle. This work took the form of a series of workshops, reviews and the implementation of enhanced security practices during the development lifecycle, as follows:
Defining security objectives alongside the business objectives
This was conducted as a short workshop using trusted risk assessment methodologies to establish the business criticality and sensitivity of the system as well as the data it would hold. Key areas of concern were noted, and relevant legislation and standards (such as the Data Protection Act and PCI DSS) were also identified. The security objectives were then clearly defined and ratified, and could be stated in the programme plan.
Performing early stage threat modelling
Threat modelling was conducted when functionality had been defined and use-case scenarios were documented. At this stage, only a small amount of coding had taken place and it was still possible to make decisions as to what framework and technologies would be finally employed. By combining the use-case scenarios with the security objectives from the previous stage, a trust model was created, mapping out all the trust boundaries, and defining their significance. A security architecture was then defined and coding guidelines drawn up for the security model of the application.
Conducting training and knowledge transfer workshops
In order to effectively utilise the coding guidelines it was necessary to ensure that the development team was comfortable working with them. A workshop was run with the development team to promote awareness of the security concerns, and discuss effective ways of implementing the guidelines without compromising the business efficacy of the application. This workshop ensured the effective transfer of knowledge between the JUMPSEC security experts, and the project development team.
Performing early stage testing and code review
As soon as early stage code became available, reviews were conducted to ensure elements such as the authentication and authorisation modules were aligned with the security needs, and to address any issues identified at this early stage.
Being on call as an expert security resource throughout the project
Throughout the project, JUMPSEC was on hand as a virtual security programme resource to answer questions, take part in debate and offer insight.
Conducting a thorough pre-production security assessment
When the final security assessments were conducted, there were no significant vulnerabilities identified within the application logic. Some low impact issues were identified with the web server deployment; however, these did not represent a significant time or cost impact to resolve.
The Result
The Client now has an effective development lifecycle, with security being well integrated into the programme from the earliest stage. Due to this increased visibility, the Client is able to plan effectively for marketing events, holidays, and other deadlines which affect their business. Projects are delivered to deadline; issue remediation has been cut down to an average of 5 days and is now a planned component of the programme.