Financial Software Developer Secure Infrastructure Case Study

Organization

This organization was a well-established software development company that provided financial solutions.

The client employed 460+ IT and software development professionals. Their clients included high-profile professional services, manufacturing companies, and government agencies who typically serviced clients in multiple industries.

The board of directors and the executive team understood that, given the business-critical need for their solutions and the nature of their client base, a high standard of cyber security had to be maintained to ensure digital assets were always protected.

The board of directors and the executive team wanted to ensure that all software development followed best practices. They engaged Risk Cognizance to review their entire development lifecycle with the following requirements:

  • Protection of Intellectual Property

  • Reduce potential for supply chain attacks

  • Identify gaps in the current development lifecycle

Challenge

With ongoing cyber-attacks against the financial industry, the client was concerned that these may cause widespread disruption and potential business interruption, which may affect software update releases. They needed to deliver secure solutions without the risk of harm to their clients.

The client had identified risks to Intellectual Property in the development lifecycle, since 20% of their development team works remotely using unmanaged workstations and servers.

Approach

Risk Cognizance completed a DevOps Assessment to gain an understanding of the current DevOps approach by looking at the following elements:

  • Process Review

  • Technology and automation

  • Measurement

  • Strategy and Flexibility

  • Secure Development Environment

  • Compromise Assessment

  • Report Gaps

  • Redesign Development Environment

Process

Risk Cognizance's IT development and risk management team identified that risk to security was being considered at all stages of a project lifecycle, whether for a new system or for changes to an existing system. Risk Cognizance IT development also takes into consideration confidentiality, integrity, and availability at a minimum.

  • The Risk Cognizance team performed a full assessment of DevOps processes and tooling.

  • Risk Cognizance utilizes ISO methodology: ISO/IEC/IEEE 90003:2018 (Software engineering) and ISO 27001 Annex A.14 (System Acquisition, Development & Maintenance).

 

Key Findings 

  • No multi-factor authentication was in place for access to the development environment

  • Malware was found on multiple systems

  • Development infrastructure was not air-gapped and segregated based on development, test, and production

  • Live data, not sample data, was used for testing

  • No centralized location for code validation

  • No validation of publicly available code that was downloaded

  • Code was not peer reviewed before production

  • Code could be checked in remotely from unmanaged systems without verification

  • Multiple cases of unauthorized remote access to software code via a developer’s workstation outside the work schedule

  • Multiple cases of open administrative sessions between various servers 

Solutions

  • Provided gaps and recommendations

  • Roadmap and diagram of the proposed environment

  • Designed new development infrastructure

    • Create new VDI Environment (Segregated environment)

    • Implement security controls

    • Implement Jenkins (Slave and Master) and the SVN plugin

    • Ensure that Jenkins securely authenticates with SVN using a username and SSL certificate

    • Worked with the development team to configure the Jenkins Pipeline to trigger polling via Subversion

    • Worked with the development team on the checkout process

    • View revision number variables

  • Technical documentation of DevOps environment

  • Develop a security development lifecycle policy based on the process