The organization lacked a shift-left approach and automated security testing.
In addition, they did not have a consistent penetration testing approach or defined security test cases.
Integrated security into the SDLC by adopting a “Shift Left” approach.
Implemented a standardized approach to penetration testing across all applications and created comprehensive security controls test cases tailored to the applications.
Automated security testing significantly reduced the time and effort expended on application security.
Multiple critical and high vulnerabilities were identified and most of them were addressed, leading to a more secure production environment.
Our Client is an American news agency headquartered in New York City. It is an independent global news organization dedicated to factual reporting. The agency today remains the most trusted source of fast, accurate, unbiased news in all formats and the essential provider of the technology and services vital to the news business.
Our Client relied primarily on penetration testing towards the end of their development life cycle. However, this testing was not consistent: it was usually conducted on a yearly or half-yearly basis, rather than for every major release.
There was an absence of a “shift-left” approach or any integrated automated security testing in their development pipeline.
Our Client did not engage in any security testing at the infrastructure level. This resulted in critical systems and assets being exposed to potential vulnerabilities. Our Client also did not have any security non-functional requirements defined or any security-specific test cases designed. Without these, it is difficult to systematically identify and address potential vulnerabilities in their applications.
Qualitest was engaged to proactively identify and address security vulnerabilities in the initial stages of the development life cycle by integrating a ‘shift-left’ approach to security. This approach not only minimized the time and effort spent on application security, but also substantially reduced the overall risk associated with the applications.
It was important for our Client to:
To address our Client’s requirements on cyber security, Qualitest segregated their requirements into four different areas:
The requirements for all 4 areas were met through the following stages:
This is the first stage of security testing, which captures all the details on how to qualify a security testing requirement. Requirements were broadly categorized into 2 main areas: secure development life cycle and infrastructure security.
In the mapping stage, we took our Client’s requirements from the define-best-practices stage and mapped them against people, process and technology, selecting the tools, methods, technology, and the overall process by which validation would be performed.
This is the final stage, where all the security requirements were executed: the outcomes of defining best practices and of mapping them against people, process and technology were validated here.
The validation of the requirements covers all 4 areas, i.e., secure development life cycle, security controls, penetration testing and cloud security.
Cyber security requires regular reviews, updates, and enhancements to address emerging threats, vulnerabilities, and the evolving technological landscape. This is all conducted as part of the continuous improvement stage.
In this stage we also ensured that the SCA, SAST and DAST tools were regularly updated. Once an application had been scanned and the genuine issues had been separated from the false positives, that triaged result was used as a baseline. Subsequent scans were then compared against the baseline to surface only new issues, so that false positives did not have to be triaged again on every run. We also ensured that any existing vulnerabilities identified through security controls testing and penetration testing were converted into a DAST scan template and integrated into the CI/CD pipeline.
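The baseline comparison described above, as an added example that is not part of the original case study or of any Qualitest tooling: scan findings are given a fingerprint that ignores line numbers (so code that merely moves does not reappear as "new"), triaged false positives are suppressed, and the CI gate fails only on untriaged new findings. The finding format, rule ids, file paths and snippets are constructed for the example and do not correspond to any real scanner's output.

```python
"""Baseline diff for SAST/DAST findings (example code for this page).

Assumptions: a finding is a dict with rule_id, file, line and snippet; the
analyst's triage of the baseline is keyed by (rule_id, file). Both the scan
output and the triage below are constructed sample data.
"""
import hashlib
import re
from collections import defaultdict

# Constructed output of the first (baseline) scan.
BASELINE_SCAN = [
    {"rule_id": "sql-injection", "file": "app/orders.py", "line": 42,
     "snippet": 'cur.execute("SELECT * FROM orders WHERE id=" + oid)'},
    {"rule_id": "hardcoded-secret", "file": "app/config.py", "line": 7,
     "snippet": 'API_KEY = "example-not-a-real-key"'},
    {"rule_id": "weak-hash", "file": "tests/fixtures.py", "line": 3,
     "snippet": "checksum = hashlib.md5(data).hexdigest()"},
]

# Constructed analyst triage of the baseline scan.
BASELINE_TRIAGE = {
    ("sql-injection", "app/orders.py"): "true_positive",
    ("hardcoded-secret", "app/config.py"): "true_positive",
    # md5 used as a non-security checksum in test data: accepted false positive
    ("weak-hash", "tests/fixtures.py"): "false_positive",
}

# Constructed output of a later scan: the secret was fixed, the SQL code moved
# down ten lines but is still open, the md5 fixture is unchanged, and one new
# issue has appeared.
NEW_SCAN = [
    {"rule_id": "sql-injection", "file": "app/orders.py", "line": 52,
     "snippet": 'cur.execute("SELECT * FROM orders WHERE id=" + oid)'},
    {"rule_id": "weak-hash", "file": "tests/fixtures.py", "line": 3,
     "snippet": "checksum = hashlib.md5(data).hexdigest()"},
    {"rule_id": "path-traversal", "file": "app/files.py", "line": 19,
     "snippet": "open(os.path.join(BASE, user_path))"},
]


def fingerprint(finding):
    """Identity of a finding that survives line-number shifts:
    rule id + file + whitespace-normalised snippet, hashed."""
    snippet = re.sub(r"\s+", " ", finding["snippet"]).strip()
    raw = f'{finding["rule_id"]}|{finding["file"]}|{snippet}'
    return hashlib.sha256(raw.encode()).hexdigest()


def build_baseline(findings, triage):
    """Map each baseline fingerprint to its triage status."""
    baseline = {}
    for f in findings:
        status = triage.get((f["rule_id"], f["file"]), "untriaged")
        baseline[fingerprint(f)] = status
    return baseline


def compare_to_baseline(baseline, findings):
    """Classify a new scan into new / suppressed / known_open / resolved."""
    result = defaultdict(list)
    seen = set()
    for f in findings:
        fp = fingerprint(f)
        seen.add(fp)
        status = baseline.get(fp)
        if status is None:
            result["new"].append(f)          # not in baseline: needs triage
        elif status == "false_positive":
            result["suppressed"].append(f)   # already triaged away
        else:
            result["known_open"].append(f)   # genuine and not yet fixed
    # Baseline true positives that no longer appear are treated as resolved.
    result["resolved"] = [fp for fp, s in baseline.items()
                          if fp not in seen and s != "false_positive"]
    return dict(result)


def gate(result):
    """CI gate: pass only when there are no untriaged new findings."""
    return len(result.get("new", [])) == 0


if __name__ == "__main__":
    baseline = build_baseline(BASELINE_SCAN, BASELINE_TRIAGE)
    report = compare_to_baseline(baseline, NEW_SCAN)
    for bucket, items in report.items():
        print(f"{bucket}: {len(items)}")
    print("gate passed:", gate(report))
```

In a pipeline the baseline dictionary would be committed alongside the code (or stored by the scanning service) and refreshed whenever an analyst triages the "new" bucket; "known_open" findings are tracked as existing tickets rather than re-reported, and "resolved" fingerprints are pruned from the baseline on the next refresh.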