Secure Development, Architecture Review, Threat Modeling & DevSecOps

Project details

Problem

1. Customer was at the beginning of the launching development process of a new application. Based on the system architecture they wanted to make sure compliance is met based on the market regulation of Data Processing.
   Cybersecurity services providing utmost standard in this realm were cascaded to provide full scope coverage of:
   • Architecture Review
   • Threat Modeling
   • Secure Development process
   • Pentesting, Infrastructure and Vendor Assessment Security Audits.

Solution proposal

On the basis of received inquiry sent arrangements and offered to perform a cybersecurity audit of the designed system architecture. Detailed information technical aspects related to the audit were presented in the Scope of Work.
The process was performed using manual and automated methods with an extensive consultants approach on each level. This type of approach provides most aimed results, at the same time effective management of time and financial expenditures devoted to the audit.
Audit was based on the provided documentation as well as clarifications denoted on the video conference followed by the list of questions. Additional schedule of meeting was to be part of the audit wherein detailed information gathering takes place.

Project Execution

• Scope & Information Gathering
• Data Flow Diagrams
• Architecture Review
• Data at Cloud
• Vulnerability Identification & Threat Modeling
• DevSecOps Maturity Modeling
• Comprehensive Report Preparation

Steps

• Scope & Basic Information
  • Identifying the scope of the assessment
  • Collecting basic information about the application including interactions with users, other applications & systems
  • Collecting information about used technology & architecture
  • Defining main stakeholders and users
  • Assessing designed security standards and data protection
• Data Flow Diagrams
  • Creation of data flow diagrams with C4 Model:
  • Context level diagram – presenting all interactions between assessed application and other application, systems & users
  • Container level diagram – presenting zoomed version of diagram for assessed application, including all containers in use like DBs, front end, backend etc.
  • Component level diagram – presenting zoomed version of diagram for assessed application, including all services & processes running inside the application
  • Code diagrams – provide additional details about the design of the architectural elements that can be mapped to code.
• Information Gathering
  • Collecting information about security concepts included in the application design and deployment like:
  • Authentication & authorization
  • Session Management
  • Input Validation
  • File Upload Controls
  • Encryption
  • Configuration
  • APIs & Microservices
  • Patch Management
  • Change Management
  • Business Continuity Management
  • CI/CD
  • Metrics
  • Automation & Monitoring
• Data at Cloud
  • Reviewing the risks related to cloud computing. Making sure that no additional risks are left not addressed.
  • Going through subjects & concepts like: information access restriction, isolation, log file integrity & separation, metering points, rights of audit, network defenses, network segregation, notice of change, PII liability, privilege management, protection of cryptographic keys and other secret information, network communication, secure erasure and more.
• Vulnerability Identification & Threat Modeling
  Based on all information gathered about application and it’s environment we will identify all of the feasible attack vectors and potential weaknesses, evaluate them and propose appropriate recommendations according to the current cybersecurity „good practices”.
• DevSecOps Maturity Modeling
  • Requirements | TM Risk Output Addition in Requirements
  • Design | Abusive Test Cases definition
  • Develop | Secure 3rd party components (SCA)
  • Integrate | Secure Code Scanning (SAST)
  • Test | Vulnerability Assessment (DAST)
  • Deploy | Automated Pentesting (Change Control)
  • Maintain | Vulnerability Management
• Report Creation
  • Summarized report including all of the covered information about application design concepts, architecture & deployment including description of all present security controls.
  • Identification & evaluation of all potential vulnerabilities and threats.
  • Creation of recommendations for all of the identified flaws.
  • Presentation of the whole report with all content.
• Used Frameworks & Methodologies:
  • OWASP TOP 10 (Open Web Application Security Project TOP 10 vulnerabilities)
  • OWASP ASVS (Application Security Verification Standard Project)
  • OSSTMM – Open Source Security Testing Methodology Manual
  • SAMM – Software Assurance Maturity Model
  • DSOMM – DevSecops Maturity Model
  • Threat Modeling Methodology used in our review is STRIDE & DREAD, backed up by parts based on MITTRE & OWASP

Result

• The project plan extracted from the work breakdown structure and used estimation techniques resulted in realistic and acceptable pricing. Described and executed plan covered the entire audit creation, delivery methods and report presentation based on timelines with agile milestones.
• Summarized report was delivered including all of the covered information about application design concepts, architecture & deployment including description of all present security controls.
• Identification & evaluation of all potential vulnerabilities and threats.
• Creation of recommendations for all of the identified flaws.
• Presentation of the whole report with all content.