Quality Management, Information Security, Threat Hunting and Mitigation Plans for a Software Company or a Technology Start-up engaged in building, deploying or consulting in Software and Internet Applications.
Security is our duty and we shall deliver it - White Paper
Mohd. Anwar Jamal Faiz
Email: Toughjamy@yahoo.com
Phone: +91-8888327658
Location: Gurgaon, Delhi NCR, India.
Introduction to Enterprise Risk & Cyber Security:
We believe that Security threats are constant and varied. Every vibrant technology maker needs an
unbiased source of information and security risk practices as well as an active body of engineers
involved in Software Quality Assurance and Security Implementations. The best defense needs to be
comprehensive, proactive and dynamic.
Security is more than preventing losses and data breaches—security is how companies build trust with
customers and how they maintain and grow their business. Protecting enterprise assets is critical in an
evolving IT landscape. Our services provide enterprise and internet application security designed to
embrace the latest technology and an up-to-date approach to handling security issues.
Effectively securing your business poses a major challenge: threats are serious and the implications for
business are large, but they are also changing quickly and responding in real time to new advances in
technology. We understand the cost of a data breach and how it affects the reliability and credibility of an
organization, apart from risking money. This requires us to be vigilant about our software security practices
as well as about the products and services we offer to our clients.
From commercially available third-party software to our own home-grown security systems and
practices, we have built a Secure Software Test Life Cycle alongside the usual SDLC. We work in a highly agile
fashion and employ a holistic approach that combines the best technology with a sound security
strategy, tightly coupled with a clear-eyed view of governance, risk and compliance. Our technologies
are designed with security intelligence built in, and provide the breadth and effectiveness needed to
address market-specific needs.
The technologies we employ:
Our software development work is varied and covers, but is not limited to, Windows, Linux, Apple, Android,
Mac and other PDAs. We have also ventured into IoT (the Internet of Things).
With the growing need for more and more Artificial Intelligence and Natural Language Processing, we
have employed global talent who are masters in these areas. From using appropriate open source
systems to choosing the right software for the purpose, we are best at brainstorming, consulting
and choosing the right technology.
Apart from rich development using languages like Java, C++, Visual Basic, PHP, Python, HTML5, CSS,
JavaScript, C#, Ruby and others, we use different platforms to make development and
maintenance easier. We use Perforce, AppVerifier, Veracode, BullsEye, DevPartner, Fortify, HP
LoadRunner, MemoryHulk, Atlassian products, Majftech Security, Acunetix, Microsoft's inbuilt modules,
Defender, SoapUI, Fiddler et al., and many other tools on a regular basis. We also automate
the entire black-box/white-box test integration and report generation using Eclipse, Java, Python or shell
scripts. In some projects, we even automate and build a Code Coverage Calculation System using BullsEye
at the back end.
So, as we often say in our team, Security is our duty and we shall deliver it!
Types of Software testing:
In our practice, we employ all forms of testing. Some of them, by category, are listed
below:
• Functionality testing to verify the proper functionality of the software, including validation of system
and business requirements, validation of formulas and calculations, as well as testing of user interface
functionality. Basically, testing whether it does what it is intended to do.
• Usability testing to ensure that the software is easy and intuitive to use.
• Multithreading testing to see what the impact of running several threads is.
• Performance testing to see how well the software performs in terms of the speed of computations and
responsiveness to the end user. Just look at the time and resources being consumed. Sometimes even
preparing a baseline sucks!!! We clubbed this together with some other stuff and collectively called
it persistence testing.
• Internationalization and locale testing. Linguistics testing also sometimes gets clubbed with this; more on
that some other time.
• Scalability testing to ensure that the software will function well as the number of users and size of
databases increase.
• Stress testing to see how the system performs under extreme conditions, such as a very large number
of simultaneous users.
• Forced error testing, or attempting to break and fix the software during testing so that customers do
not break it in production. That is where hacking also comes into the picture.
• Application security testing to make sure that valuable and sensitive data cannot be accessed
inappropriately or compromised under concerted attack. Careful coding, tweaking pointers,
tweaking built-in operators such as new/delete, and using tools like BoundsChecker, Fortify, Application
Verifier etc. come to your rescue. You can also employ Veracode. Refer:
http://www.w3lc.com/2010/05/veracode-as-new-whitebox-testing-tool.html
• PCI compliance testing. This becomes very important if your sales (bread and butter, guys!!) come
from online payments. The online payment industry has strict guidelines on security testing and audits.
Veracode again comes into the picture if you want to outsource this work to a professionally organized
group.
• Compatibility testing to check that your software is compatible with various hardware platforms,
operating systems, other software packages, and even previous releases of the same software.
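The "tweaking built-in operators such as new/delete" approach from the application security testing item above, shown as an added example (my own C++ code, not the paper's or any of the named tools'): a small guarded allocator that a test build can route a class's operator new/delete through, using a trailing canary to flag buffer overflows and a quarantine to flag double frees. guarded_alloc, guarded_free and the two probe functions are assumed names.

```cpp
#include <cstdint>
#include <cstdlib>
#include <cstring>
#include <new>

// Header in front of every payload; magic tells a live block from a freed one.
struct Header { std::uint32_t magic; std::uint32_t size; };
static const std::uint32_t kLive = 0xA110CA7Eu, kFreed = 0xF4EEF4EEu;
static const std::uint32_t kCanary = 0xDEADBEEFu;   // guard word written right after the payload
static int g_live = 0;                               // blocks allocated but not yet freed
static void* g_quarantine[8] = {};                   // freed blocks held back so a double free is still visible
static int g_qpos = 0;
int live_allocations() { return g_live; }            // non-zero at the end of a test case means a leak

// Allocates `size` bytes with a header in front and a canary behind.
void* guarded_alloc(std::size_t size) {
    unsigned char* raw = static_cast<unsigned char*>(std::malloc(sizeof(Header) + size + sizeof(kCanary)));
    if (!raw) throw std::bad_alloc();
    Header* h = reinterpret_cast<Header*>(raw);
    h->magic = kLive; h->size = static_cast<std::uint32_t>(size);
    unsigned char* payload = raw + sizeof(Header);
    std::memcpy(payload + size, &kCanary, sizeof(kCanary));
    ++g_live;
    return payload;
}

// Returns 0 on a clean free, 1 if the canary was overwritten (overflow), 2 on a double free.
int guarded_free(void* p) {
    if (!p) return 0;
    unsigned char* payload = static_cast<unsigned char*>(p);
    Header* h = reinterpret_cast<Header*>(payload - sizeof(Header));
    if (h->magic == kFreed) return 2;
    std::uint32_t c; std::memcpy(&c, payload + h->size, sizeof(c));
    int rc = (c == kCanary) ? 0 : 1;
    h->magic = kFreed; --g_live;
    std::free(g_quarantine[g_qpos]);                 // release the oldest held block (free(NULL) is a no-op)
    g_quarantine[g_qpos] = h; g_qpos = (g_qpos + 1) % 8;
    return rc;
}

// Test probe: writes `n` bytes into a `cap`-byte block, then frees it.
int write_then_free(std::size_t cap, std::size_t n) {
    unsigned char* p = static_cast<unsigned char*>(guarded_alloc(cap));
    std::memset(p, 'A', n);                          // n > cap runs into the canary, as an unchecked copy would
    return guarded_free(p);
}

// Test probe: frees one block twice and reports what the second free sees.
int free_twice() { void* p = guarded_alloc(8); guarded_free(p); return guarded_free(p); }
```

A class opts in with `static void* operator new(std::size_t n) { return guarded_alloc(n); }` and `static void operator delete(void* p) { guarded_free(p); }`, so the checks run only in the test build. A non-zero live_allocations() at the end of a test case is the leak signal from the same harness.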
Some examples of Cyber Security Firms and what they do:
IBM Security: Services include security intelligence and analytics; identity and access management;
application security; advanced fraud protection; data security and privacy; and infrastructure protection.
Symantec Software: the world's largest security product vendor, maker of the largest antivirus (Norton) and of
a variety of backup and asset management systems.
Cisco - Products range from advanced malware protection; next generation firewalls; security
management; cloud security; next generation prevention systems; VPN security clients; email security;
policy and access; web security; network visibility and enforcement; and router security, to name a few.
BAE Systems - It operates through five segments: the electronic systems; the cyber and intelligence
systems; intelligence and security systems; applied intelligence; and the platforms and services.
McAfee - One of the biggest antivirus and anti-malware providers in the world.
Palo Alto Networks - It works on Next-Generation Firewall, Advanced Endpoint Protection and Threat
Intelligence Cloud. The company’s Next Generation Security Platform was built for breach prevention
with threat information shared across a range of security functions that can operate over mobile
networks.
Apart from these, there are hundreds of companies around the globe that manufacture security
products or provide security services. We have relations with some of the companies fast emerging in this
arena and some with good clientele and a reputation for software security implementations.
We are close to building our own software security product.
How we achieve a secure product:
Every piece of software that we develop is properly tested. Internet portals and websites are thoroughly
tested by setting up IIS and localhost for development and testing purposes on Windows Vista. A
dedicated team of some great minds works on finding out and mitigating any DoS (Denial of Service)
attack. To know more, see: http://www.w3lc.com/2010/10/dos-and-ddos-clarification-on-hacking.html
The following remain our chief policies in and around penetration tests and dealing with security vulnerabilities:
• We employ secure data systems
• OWASP-compliant software development. Refer: https://www.owasp.org
• Use of standard coding practices
• Databases are tightly protected with passwords and other policies
• Regular use of static and dynamic code analysis
• Use of software performance tools
• The databases are tuned to perform
• Boundary condition and buffer overflow tests
• Vulnerability management
• Security gaps are regularly checked and patches applied when required
• We inform our clients about possible threats
• Fuzzers and penetration tests
• We have proper BCP and mitigation plans laid out by the sharpest brains in the industry
• We use a Traceability Matrix and lay great stress on test planning and optimization. Refer:
http://www.w3lc.com/2010/05/baseline-and-traceability-matrix.html
InfoSec and Managed Security Service Provider:
InfoSec means Information security. It is a set of strategies for managing the processes, tools and
policies necessary to prevent, detect, document and counter threats to digital and non-digital
information. InfoSec responsibilities include establishing a set of business processes that will protect
information assets regardless of how the information is formatted or whether it is in transit, is being
processed or is at rest in storage.
The chief area of concern for the field of information security is the balanced protection of the
Confidentiality, Integrity and Availability of data, also known as the CIA Triad, while maintaining a focus
on efficient policy implementation and no major hampering of organization productivity.
A network operations center (NOC), also known as a "network management center", is one or more
locations from which network monitoring and control, or network management, is exercised over a
computer or telecommunication network. Organizations may operate more than one NOC, either to
manage different networks or to provide geographic redundancy in the event of one site becoming
unavailable. A specially dedicated NOC team can be made available to our clients on a case-by-case basis. We
have the networks and resources to outsource the work to our partner companies. For our own consumption, we
have an internal team that looks after our IT needs. In addition to monitoring internal and external networks
of related infrastructure, NOCs can monitor social networks to get a head start on disruptive events.
With the recent rise in attacks and the vast range of attack sources, managed security services (MSS)
have also come into existence. A company providing network security services is called a managed
security service provider (MSSP). Industry research firm Forrester Research in late 2014 identified the 13
most significant vendors in the North American market with its 26-criteria evaluation of managed
security service providers (MSSPs), identifying IBM, Dell SecureWorks, Trustwave, AT&T, Verizon and
others as the leaders in the MSSP market. We have consultants and are in the process of procuring some of
these services in-house, apart from engaging directly with these providers for our clients as the case may
be.
Training and development:
We have advisors and Cyber Security experts who roll out Cyber Security Awareness educational series
every month.
We have a Software Security compliance test every quarter for the dev and the test team. It is
mandatory for everyone to take part and pass the test.
We do penetration tests and train our engineers to mitigate security issues. We have employed the best
penetration and white-box testers from around the globe and use defect management systems to track
every issue.
Safeguarding against Phishing and Multi-Factor Authentication:
Phishing is the fraudulent practice of sending emails purporting to be from reputable companies in
order to induce individuals to reveal personal information, such as passwords and credit card numbers.
We conduct this training in house and for our clients regularly to keep all the stakeholders informed
about the malice and how not to fall into the trap. This is an industry-standard best practice to help
protect our environment and our clients' systems from security attacks.
We employ multi-factor authentication on all the critical systems in the software infrastructure. We
have software reminder systems that keep updating our users about passwords getting old and
about to expire. We have the ability to build similar mechanisms into the software projects we undertake.
Threat hunting, mitigation and Vulnerability Management:
Threat hunting is a very deep and strong method to deal with security issues in markets and solutions
that need stringent regulations and policies and have risks involved. It is the process of proactively and
iteratively searching through networks to detect and isolate advanced threats that evade existing
security solutions. According to the SANS Institute, threat hunters are actively searching for threats to
prevent or minimize damage. The formal process of threat hunting should not be confused with an
attempt to prevent adversaries from breaching the environment or with defenders eliminating
vulnerabilities in the network.