Key Business Challenge
The Chief Information Security Officer (CISO) of a Fortune 500 title insurance company wanted to measure the security state of the organization’s application portfolio and determine how best to improve the security of these business-critical systems.
This title insurance company managed a portfolio of web-facing applications that provide a variety of core services to internal customers and outside clients. Distributed development teams built these applications in different languages in several environments. These environments were primarily web-based, but also included desktop applications.
Denim Group Solution
Given the large number of enterprise applications in use, Denim Group recommended a risk-based approach that quantified the security impact of each application. With limited resources, the title insurance company wanted to identify and remediate the most critical vulnerabilities rather than conduct an exhaustive assessment of every vulnerability in every application.
- Dynamic Assessments of Critical Applications. Working with the CISO, Denim Group identified a class of applications deemed “mission critical” through which much of the title insurance business flowed on a day-to-day basis. Denim Group then conducted a dynamic scan of these most critical applications to identify the most obvious and exploitable vulnerabilities. These vulnerabilities were flagged and forwarded to the organization’s development team for immediate remediation.
- Manual Testing of Internet-facing Applications. After identifying the most egregious vulnerabilities, Denim Group then performed a more focused assessment of the Internet-facing applications. This second round of assessments included more manual verification and hands-on testing that helped identify another set of more complex vulnerabilities, namely logical vulnerabilities that included trust boundary violations and other flaws less obvious to automated tools.
- Source Code Review. The final step in the assessment process was to conduct a focused source code review of key “hot spots” in the application that Denim Group identified as particularly problematic during its previous tests.
To build an internal application security competency across the enterprise, the client also engaged Denim Group to deliver the following services alongside the assessment services described above:
- Training and Mentorship. Denim Group provided secure coding principles training to many members of the client’s development team, and mentored this group on an ongoing basis.
- Internal Team Development. Denim Group helped the organization stand up an internal application security team within its quality assurance group and helped identify the key characteristics to look for when hiring these personnel.
ROI Value Statement
The blended Denim Group approach provided the appropriate level of external expertise and jump-started an internal application security initiative across the enterprise. Subsequent external assessments of key applications returned vastly improved results with dramatically fewer application-level vulnerabilities. In addition, Denim Group continues to support the client with periodic external assessments and ongoing mentoring and knowledge transfer activities.