Financial Software Developer Secure Infrastructure Case Study
Organization
This organization was a well-established software development company that provided financial solutions.
The client employed 460+ IT and Software Development professionals. Their clients included high profile professional services, manufacturing companies, and government agencies who typically serviced clients in multiple industries.
The board of directors the and the executive team understood that based on their current business-critical need for their solutions and their client base, a high standard of cyber security needed to be maintained to ensure digital assets were always protected.
The board of directors and the executive team wanted to ensure that all software development followed best practices. The board of directors the and the executive team engaged CyberSecOp to review their entire development lifecycle with the following requirements:
· Protection of Intellectual Property
· Reduce potential for supply chain attacks
· Identify gaps in the current development lifecycle
Challenge
With ongoing cyber-attacks against the financial industry, the client was concerned that this may cause widespread disruption and potential business interruption, which may affect software update releases. They need to deliver secure solutions without the risk of harm to their clients.
The client had identified risks in the development lifecycle in regard to Intellectual Property, since 20% of their development team works remotely using unmanaged workstation and servers.
Approach
CyberSecOp completed a DevOps Assessment to gain an understanding around the current DevOps approach, by looking at the following elements:
Process Review
Technology and automation
Measurement
Strategy and Flexibility
Secure Development Environment
Compromise Assessment
Report Gaps
Redesign Development Environment
Process
CyberSecOp IT development and risk management team identified that risk to security was being considered at all stages of a project lifecycle, for a new system or changes to an existing system. CyberSecOp IT development also take into consideration the confidentiality, integrity, and availability at a minimum.
CyberSecOp team performed a full assessment of DevOps processes and tooling.
CyberSecOp utilize ISO Methodology ISO/IEC/IEEE 90003:2018 - Software engineering and ISO 27001 – Annex A.14: System Acquisition, Development & Maintenance.
Key Findings
No multi factor authentication was in place to access development environment
Malware was found on multiple systems
Development infrastructure was not air gapped and segregated based on development, test, and production.
Live data was used for testing and not sample data.
No centralized location for code validation
No validation for publicly available codes downloaded
Codes were not peer reviewed before production
Codes could be checked in remotely from unmanaged system without verification
Multiple cases of out of work schedule unauthorized remote access to software code via a developer’s workstation.
Multiple cases of open administrative sessions between various servers
Solutions
Provided gaps and recommendation
Road map and diagram proposed environment
Designed new development infrastructure
Create new VDI Environment (Segregated environment)
Implement security controls
Implement Jenkins (Slave and Master) and SVN plugin
Ensure that Jenkins securely authenticate with SVN using username and SSL certificate
Worked with the development team to configure Jenkins Pipeline to trigger polling via Subversion
Worked with the development team on checkout process.
View revision number variables
Technical documentation of DevOps environment
Develop security development lifecycle policy based on the process.
