
Security is our duty and we shall deliver it - White Paper


Quality Management, Information Security, Threat Hunting and Mitigation Plans for a Software Company or a Technology Start-up engaged in building, deploying or consulting in Software and Internet Applications.

Published in: Technology

Mohd. Anwar Jamal Faiz
Email: Toughjamy@yahoo.com
Phone: +91-8888327658
Location: Gurgaon, Delhi NCR, India.

Introduction to Enterprise Risk & Cyber Security:

We believe that security threats are constant and varied. Every vibrant technology maker needs an unbiased source of information and security risk practices as well as an active body of engineers involved in Software Quality Assurance and security implementations. The best defense needs to be comprehensive, proactive and dynamic. Security is more than preventing losses and data breaches; security is how companies build trust with customers and how they maintain and grow their business. Protecting enterprise assets is critical in an evolving IT landscape. Our services provide enterprise and internet application security designed to embrace the latest technology and an up-to-date approach to handling security issues.

Effectively securing your business poses a major challenge: threats are serious and the implications for business are large, but they are also changing quickly and responding in real time to new advances in technology. We understand the cost of a data breach and how it affects the reliability and credibility of an organization, apart from the money at risk. This asks us to be vigilant about our software security practices as well as about the products and services we offer to our clients. Using everything from commercially available third-party software to our own home-grown security systems and practices, we have built a Secure Software Test Life Cycle alongside the usual SDLC.

We work in a highly agile fashion and employ a holistic approach that combines the best technology and a sound security strategy, tightly coupled with a clear-eyed view of governance, risk and compliance. Our technologies are designed to inherit security intelligence per se and to provide extensive usage and effectiveness in addressing market-specific needs.

The technologies we employ:

Our software development work is varied and includes, but is not limited to, Windows, Linux, Apple, Android, Mac and other PDAs. We have also ventured into the IoT (Internet of Things). With the growing need for Artificial Intelligence and Natural Language Processing, we have employed global talents who are masters in these areas. From using appropriate open source systems to using rightly chosen software for each purpose, we are best at brainstorming, consulting and choosing the right technology. Apart from rich development using languages like Java, C++, Visual Basic, PHP, Python, HTML5, CSS, JavaScript, C#, Ruby and others, we use different platforms to make development and maintenance easier. We use Perforce, AppVerifier, Veracode, BullsEye, DevPartner, Fortify, HP LoadRunner, MemoryHulk, Atlassian products, Majftech Security, Acunetix, Microsoft's inbuilt modules, Dfender, SoapUI, Fiddler et al., and many other tools on a regular basis. We implement automation of the entire BlackBox-WhiteBox test integration and report generation using Eclipse, Java, Python or shell scripts. In some projects, we even automate and build a Code Coverage Calculation System using BullsEye at the backend. So, as we often say in our team, Security is our duty and we shall deliver it!

Types of Software testing:

In our practices, we employ all forms of testing. Some of them, by category, are as follows:

• Functionality testing to verify the proper functionality of the software, including validation of system and business requirements, validation of formulas and calculations, as well as testing of user interface functionality. Basically, testing whether it does what it intends to do.
• Usability testing to ensure that the software is easy and intuitive to use.
• Multithreading testing to see what the impact of running several threads is.
• Performance testing to see how well the software performs in terms of the speed of computations and responsiveness to the end user. Just see the time and resources being consumed. Sometimes even preparing a baseline sucks!!! We clubbed this together with some other stuff and collectively called it persistence testing.
• Internationalization and Locale testing. Linguistics testing also sometimes gets clubbed with this. Some other time.
• Scalability testing to ensure that the software will function well as the number of users and the size of databases increase.
• Stress testing to see how the system performs under extreme conditions, such as a very large number of simultaneous users.
• Forced error testing, or attempting to break and fix the software during testing so that customers do not break it in production. That is where hacking also comes into the picture.
• Application security testing to make sure that valuable and sensitive data cannot be accessed inappropriately or compromised under concerted attack. Your own coding, tweaking pointers, tweaking built-in operators such as new/delete, and tools like BoundsChecker, Fortify, Application Verifier etc. come to your rescue. You can also employ Veracode. Refer: http://www.w3lc.com/2010/05/veracode-as-new-whitebox-testing-tool.html
• PCI Compliance testing. This becomes very important if your sales (the bread and butter guys!!) come from online payment. The online payment industry has strict guidelines on security testing and audits. Veracode again comes into the picture if you want to outsource this work to a professionally organized group.
• Compatibility testing to check that your software is compatible with various hardware platforms, operating systems, other software packages, and even previous releases of the same software.
Some examples of Cyber Security Firms and what they do:

IBM Security: Services include security intelligence and analytics; identity and access management; application security; advanced fraud protection; data security and privacy; and infrastructure protection.

Symantec Software: World's largest security product vendor, maker of the largest antivirus (Norton) and manufacturer of a variety of backup and asset management systems.

Cisco: Products range from advanced malware protection; next generation firewalls; security management; cloud security; next generation prevention systems; VPN security clients; email security; policy and access; web security; network visibility and enforcement; and router security, to name a few.

BAE Systems: It operates through five segments: the electronic systems; the cyber and intelligence systems; intelligence and security systems; applied intelligence; and the platforms and services.

McAfee: One of the biggest antivirus and anti-malware providers in the world.

Palo Alto Networks: It works on Next-Generation Firewall, Advanced Endpoint Protection and Threat Intelligence Cloud. The company's Next Generation Security Platform was built for breach prevention, with threat information shared across a range of security functions that can operate over mobile networks.

Apart from these, there are hundreds of companies around the globe that manufacture security products or provide security services. We have relations with some of the companies fast emerging in this arena and with some that have a good clientele and reputation in software security implementations. We are close to building our own software security product.

How we achieve a secure product:

Every piece of software that we develop is properly tested. Internet portals and websites are thoroughly tested by setting up IIS and localhost for development and testing purposes on Windows Vista. A dedicated team of some great minds works on finding and mitigating any DoS (Denial of Service) attack. To know more, see: http://www.w3lc.com/2010/10/dos-and-ddos-clarification-on-hacking.html

The following remain our chief policies in and around penetration tests and dealing with security vulnerabilities:

• We employ Secure Data Systems
• OWASP compliant software development. Refer: https://www.owasp.org
• Use of standard coding practices
• Databases are tightly protected with passwords and other policies
• Regular use of static and dynamic code analysis
• Using software performance tools
• The databases are tuned to perform
• Boundary condition and buffer overflow tests
• Vulnerability Management
• Security gaps are regularly checked and patches applied when required
• We inform our clients about possible threats
• Fuzzers and penetration tests
• We have proper BCP and mitigation plans laid out by the sharpest brains of the industry
• We use a Traceability Matrix and lay great stress on test planning and optimizations. Refer: http://www.w3lc.com/2010/05/baseline-and-traceability-matrix.html
InfoSec and Managed Security Service Provider:

InfoSec means Information Security. It is a set of strategies for managing the processes, tools and policies necessary to prevent, detect, document and counter threats to digital and non-digital information. InfoSec responsibilities include establishing a set of business processes that will protect information assets regardless of how the information is formatted or whether it is in transit, is being processed or is at rest in storage. The chief area of concern for the field of information security is the balanced protection of the Confidentiality, Integrity and Availability of data, also known as the CIA Triad, while maintaining a focus on efficient policy implementation without majorly hampering organization productivity.

A network operations center (NOC), also known as a "network management center", is one or more locations from which network monitoring and control, or network management, is exercised over a computer or telecommunication network. Organizations may operate more than one NOC, either to manage different networks or to provide geographic redundancy in the event of one site becoming unavailable. A specially dedicated NOC team can be made available to our clients on a case-by-case basis. We have the networks and resources to outsource the work to our partner companies. For our own consumption, we have an internal team that looks after our IT needs. In addition to monitoring internal and external networks of related infrastructure, NOCs can monitor social networks to get a head start on disruptive events.

With the recent rise in attacks and the vast range of attack sources, managed security services (MSS) have also come into existence. A company providing network security services is called a managed security service provider (MSSP). Industry research firm Forrester Research in late 2014 identified the 13 most significant vendors in the North American market with its 26-criteria evaluation of managed security service providers (MSSPs), identifying IBM, Dell SecureWorks, Trustwave, AT&T, Verizon and others as the leaders in the MSSP market. We have consultants and are in the process of procuring some of the services in-house, apart from engaging directly with these providers for our clients as the case may be.
Training and development:

We have advisors and cyber security experts who roll out a Cyber Security Awareness educational series every month. We hold a software security compliance test every quarter for the dev and test teams. It is mandatory for everyone to take part and pass the test. We do penetration tests and train our engineers to mitigate security issues. We have employed the best penetration and white box testers from around the globe and use defect management systems to track every issue.

Safeguarding against Phishing and Multi-Factor Authentication:

Phishing is the fraudulent practice of sending emails purporting to be from reputable companies in order to induce individuals to reveal personal information, such as passwords and credit card numbers. We conduct this training regularly, in house and for our clients, to keep all stakeholders informed about the malice and how not to fall into the trap. This is an industry standard best practice to help protect our environment and our clients' systems from security attacks. We employ multi-factor authentication on all the critical systems in the software infrastructure. We have software reminder systems that keep updating our users about passwords that are getting old and are about to expire. We have the ability to build similar mechanisms into the software projects we undertake.

Threat hunting, mitigation and Vulnerability Management:

Threat hunting is a very deep and strong method for dealing with security issues in markets and solutions that need stringent regulations and policies and have risks involved. It is the process of proactively and iteratively searching through networks to detect and isolate advanced threats that evade existing security solutions. According to the SANS Institute, threat hunters are actively searching for threats to prevent or minimize damage. The formal process of threat hunting should not be confused with an attempt to prevent adversaries from breaching the environment or for defenders to eliminate vulnerabilities in the network.
We employ SIEM tools, which typically only provide indicators at relatively low semantic levels. There is therefore a need to develop SIEM tools that can provide threat indicators at higher semantic levels. As the industry itself is developing around this, we also have our feet wet in the process. Our Chief Security consultant is actively involved in all three methods, viz. Analytics-Driven, Situational-Awareness Driven and Intelligence-Driven. As an accomplished engineer, he is a master of monkey and fuzzy tests as well. For bug logging and defect tracking we use home-grown technologies as well as Atlassian tools like Jira.

For the cyclical practice of identifying, classifying, remediating, and mitigating vulnerabilities, i.e. vulnerability management, we have adept leaders to lead and guide teams in using vulnerability scanners. We have successfully employed Coverity and various Checkstyle and PMD level rules. We have a set of our own scripts and systems to analyze and investigate for known vulnerabilities such as open ports, insecure software configurations, and susceptibility to malware infections. As stated above, we have masters of fuzzer techniques who can work with us 24x7. Unknown vulnerabilities, such as a zero-day, and complex threats are all under our hand. We have consultants who have worked with a variety of antivirus software and heuristic analysis mechanisms. You remember we said we have the smartest of security consultants!

The denouement:

With the growth of smart phones, tablets and new operating systems requiring constant updates daily, testing and QA are more critical than ever before. Our Quality Engineering & Assurance group partners with you to bolster development initiatives, providing reliable support across a range of hardware and software, testing infrastructure, and testing products that ensure test coverage and drive product quality.

Like the companies mentioned above, or like BAE, IBM or Herjavec Group, we employ the highest degree of software quality and security checks. Our software security practices and adherence to principles, fundamentals and the latest developments empower us to aspire to a reputation like theirs. Unlike them, at present we are a small team. But we have already started building secure products and managing security for our clients. In the year to come, we look forward to seeing an in-house, state-of-the-art and PCI compliant Security Operations Center, operated 24/7/365 by certified security professionals. This expertise shall be coupled with a leadership position across a wide range of functions including compliance, risk management and incident response, and hence complete the brilliant and beautiful necklace of shining security practices. Luckily, we have the beads in place!

© This document is copyright protected and prior permission is required from the author for reproduction/modification/transmission/publication by any means, namely digital, print or animation.
