security code review case study - we45
-
we45's Web Application Security Solutions
Web Application Vulnerability Assessment and Penetration Testing
Secure Software Development Lifecycle Implementation and Consulting
Application Security - Code Review and Walkthroughs
Web - Product Security Consulting and Design
-
Security Code Review - Case Study
Fortune 100 Bank and Card Payment Brand engaged with we45
They were pursuing PCI Compliance for operations in the APAC region
Key Challenges - Application Security Requirements - Compliance with PCI-DSS Requirement 6
-
Key Objectives
Increase Developer Awareness with Web Application Security Training
Perform Comprehensive Security Code Reviews for Custom Applications developed and deployed on various platforms
Create Detailed Security Code Review Reports and Design Remediation Strategies and Action Plans
-
The we45 Approach
-
Training - we45 Certified Web App Security Professional
we45's Acclaimed Certified Web Application Security Professional Program
Two-Day Hands-on, Intensive Web Security Training Program for Developers, Architects, Project Managers and Security Managers
Replete with Case Studies, Hands-on Exercises, Vulnerable Web Application Exercises and other material
Assessment Exam at the end of the Training - with Certification
-
Application Security Risk Assessment & Threat Modeling
we45's Security Experts performed Application Security Risk Assessment for the client's in-scope applications.
Risk Assessments are critical in identifying security requirements and providing for prioritization of security implementation.
we45's Methodology - Created by CTO Abhay Bhargav, detailed in his book Secure Java for Web Application Development
Derivative of the world-class OCTAVE and NIST Risk Assessment Methodologies - Focused on Web Apps
-
Application Security Risk Assessment & Threat Modeling - 2
Application Security Threat Modeling - Critical in identifying potential attack scenarios
Identified Trust Boundaries for the in-scope Web Apps
Extremely useful for Code Reviews, Security Testing and Application Security Documentation
we45's Security Experts perform Threat Modeling based on Microsoft's renowned STRIDE Methodology
-
we45 Security Code Review
Hybrid Methodology - Automated and Manual Code Review for 30 in-scope web applications
we45's Security Experts developed special scripts and tools to identify Security Flaws
Security Flaws assessed - OWASP Top 10, WASC Security Flaws, SANS Top 25, CERT-US Secure Coding Guidelines
Security Flaws from a PCI perspective were also evaluated
-
Review & Presentation
Findings presented to Developers, Project Managers and CTO
Findings were explained in detail by we45's Security Experts
Findings were prioritized and agreements on remediation were reached
-
Analysis & Reporting
we45 prepared a detailed Security Risk Assessment and Code Review Report
Report was ranked by severity of findings.
Findings were cross-referenced with industry identifiers such as CWE and CVE.
Examples were provided as code snippets with line number information
Multiple Recommendations and Remediation Strategies were provided
Executive Summary and Action Plan prepared for Management Action
-
Results & View into the Future
Results:
Client achieved PCI Compliance and Certification
we45 Approach of Risk Assessment and Code Review - Lauded by the PCI-QSA
Developer Security Training - A Model for other Development teams in the company
The Future:
we45 is the trusted Application Security Partner for this client
Extension of we45's services to PCI Continuing Compliance Consulting