Key Business Challenge
A large, publicly traded life science company wanted to evaluate and improve the security state of one of its critical enterprise web applications to reduce operational risks. In addition, the company wanted training to develop secure software on an ongoing basis.
Originally developed in ASP Classic, one of the company’s critical enterprise web applications had undergone a rewrite to run under Microsoft’s ASP.NET platform. They planned to remove the earlier version of the application from service and to transition their clients to the updated version.
Denim Group Solution
Denim Group delivered a combination of approaches to help the company understand their current risk exposure and to reduce their exposure to future risks.
- Dynamic Assessment.Because the ASP Classic application was still in production but not under active development, Denim Group began with a dynamic assessment of the application. This helped determine the application’s current security state in the production environment and identify potential risks to the company. While a source code review might have provided more in-depth information about the security state of the system, Denim Group deemed the added scrutiny as economically unnecessary because it would soon be decommissioned.
- Source Code Review.The ASP.NET version of the application was in production under lighter use and slated to handle the bulk of transactions going forward, so Denim Group performed a full static, or source code, review of this application. This provided the client with information about potential security defects in the application as well as more specific information about the current coding practices of their development team. Based on this information, Denim Group provided suggestions on how to improve these practices to reduce the company’s risk exposure.
- Training.Denim Group crafted a custom training program for the client’s development staff based on information about potential security defects that had been introduced during the development and deployment of the most recent application. Denim Group customized the training content to emphasize the areas requiring the most attention while making it a priority to maximize the value of this developer time spent away from development tasks.
ROI Value Statement
Denim Group’s targeted approach helped provide the greatest reduction of risk to the life science company, while maximizing the value to their development team for the future. The client gained valuable insight into the security state of their critical deployed legacy systems as well as forewarning of potential future risks. Context-appropriate training was used to transfer security knowledge to the client’s development team in a way that maximized training value while minimizing disruption to the development team’s schedule.