Company Overview
The Client is a leading service provider for personal and commercial insurance in the UK. Serving millions of policyholders, the company generates premiums worth billions of Euros.
The Client lacked the robust cyber security system imperative to handle massive amounts of sensitive customer data. Their approach–performing penetration testing at the end of the development lifecycle—was proving too expensive to fix issues and did not provide complete cybersecurity coverage.
Robust Cyber Security Starts with a Robust Shift-Left Plan
The Client wanted consistency in their cyber security processes by addressing cyber security requirements as early as possible in the SDLC, but the requirements had not been properly defined. Qualitest helped the Client define requirements and then collaborated to build a robust cybersecurity plan that would secure the cloud infrastructure as well as the development lifecycle, and also satisfy compliance regulations.
The plan called for implementing cybersecurity testing solutions in the build pipeline and the cloud infrastructure in one key release, and then leveraging the solutions for subsequent releases and projects.
The Client wanted to:
- Establish a QA partner with strong knowledge and experience in shift-left cybersecurity implementation.
- Understand the current tools and technologies used.
- Identify best practices for cloud security, secure the development lifecycle and meet compliance requirements.
- Map the process with people, process, and technology.
Tackling Three Security Areas with a Three-Phased Approach
Qualitest divided the requirements into three areas: Cloud security, secured software development lifecycle (SDLC) and compliance security. The requirements for all three areas were met in three phases.
- Phase 1 – Discovery
- Phase 2 – Design & Preparation
- Phase 3 – Execution, Analysis & Reporting
Phase 1 – Discovery
Qualitest engineers held technical workshops to gain a thorough understanding of the client’s technology landscape, the tools being used and the current SDLC and SSDLC structure. At the end of this phase, we provided a detailed Gap Analysis report identifying where we saw gaps against best practices for each key area.
We also identified the key stakeholders with whom we would be working. Finally, we created a detailed test plan listing the activities to be performed.
Phase 2 – Design & Preparation
Qualitest engineers came up with a detailed checklist for each area, based on the best practices relevant to the area.
Cloud Security Checklist
- AWS Infrastructure Best Practices
- Account monitoring and control
- Users and groups management through IAM policies
- Logging and monitoring
- Networking – Virtual Private Cloud (VPC)
- Managed services & continuous vulnerability management
- AWS S3 & EC2
- API gateway
- Kubernetes Best Practices
- Limit direct access to Kubernetes Nodes
- Create administrative boundaries between resources
- Use authorized images
- Secure Development Lifecycle Checklist
- Secure Coding Best Practices
- Authentication and Authorization
- Input Validation
- System Output
- Data Storage
- Services and websites
- Logging
- Unintended security disclosure requirements
- Communication, Error Handling
- Data Processing and Protection
- File Management, Session Management and Memory Management
- SAST (Static Application Security Testing)
- DAST (Dynamic Application Security Testing)
- Secure Build Pipeline
- Compliance Checklist
- PCI DSS (Payment Card Industry Data Security Standard) Best Practices
- Vendor-Supplied default credentials
- Track and monitor network resource
- Common code vulnerabilities
- Payment Card Information
Additionally, in this phase we identified the tools we planned to use.
Phase 3 – Execution, Analysis & Reporting
In the final phase, Qualitest engineers executed the checklists and the tasks prepared for the three areas that required Cyber QA.
Cloud Security
- The checklist prepared was executed on the AWS environment.
- The Nexpose, Prisma Cloud and Splunk tools were leveraged for the execution.
- All the execution details were captured in Jira Tool.
- All the failed checklist items had a defect raised in Jira and assigned to the platform engineers to fix the vulnerability at the infrastructure level.
Secure Development Lifecycle
- SAST
- An open source tool was used for the SAST execution.
- The rules and profiles defined were reviewed to get maximum coverage.
- Leveraged Security plugin for better cover age and mapping with the CVEs and CWEs.
-
- NeuraLegion Nexploit was leveraged for the DAST testing.
- An opensource DAST scanning tool was leveraged as well for the DAST testing.
- Micro services were scanned to cover Top 10 OWASP methodology for APIs through automated scanning.
- Performed Fuzzing using open source DAST Scan tool.
- All the vulnerabilities identified were raised on Jira and assigned to the developers to fix
- Secure Build Pipeline
-
- Open source Software Composition analysis and Git Secrets verification tools were identified to integrate with build pipeline.
- Software Composition analysis was leveraged to identify if any components with known vulnerabilities are used in the development environment.
- Git Secret verification tool was used to detect if any secret keys or other sensitive information was checked into the Git by calculating the entropy.
- Secure Coding Principles
- Executed the checklist by leveraging the SAST and DAST tools.
- Executed some of the checklist manually to identify vulnerabilities.
- All the vulnerabilities identified were raised on Jira and assigned to the developers to fix.
Compliance
- PCI DSS
- The PCI DSS checklist prepared was executed on the AWS environment and Micro Services.
- The Nexpose, Prisma Cloud, Splunk and OWASP ZAP tools were leveraged for the execution.
- All the vulnerabilities identified were raised on Jira and assigned to the developers and Platform Engineers to fix.
Results: A Reusable, Reliable Security Framework
The Client was pleased with the output of the cybersecurity Proof of Concept. Soon afterward we began discussions for a yearlong project to implement similar solutions for different projects.
Key Benefits
- The Client now has stronger secure coding principles, repeatable tests, application security reviews and assessments that give them confidence that their insurance solution is secure, their customers’ experience is not compromised and their brand is safe.
- Security defects are now identified during in-sprint testing rather than at the end of the test cycle, by shifting-left cyber security assurance, ensuring projects go live on time and business revenues are protected.
- There is a better definition of roles and responsibilities for engineering and security resulting in increased collaboration to achieve “security by design” from project inception. Application security is no longer external to the software development life cycle (SDLC).
- The Client now has a cost effective, fixed price in-sprint security testing capability available on demand, with an agile engagement model to enable DevSecOps delivery.
Download the PDF