Conducting a comprehensive assessment of information systems, applications, data, and infrastructure is crucial to identify vulnerabilities, risks, and non-compliance with security policies. Implementing the Secure Software Development Framework (SSDF) during these assessments ensures that development practices align with the highest security standards. This process involves a thorough examination of the security measures in place, the effectiveness of those controls, and the potential impact of identified weaknesses. Addressing security gaps proactively can help enterprises comply with regulatory requirements and strengthen their overall security posture.
These assessments examine adherence to secure coding guidelines, vulnerability management, and threat modeling processes. Additionally, they provide actionable recommendations to strengthen security controls, integrate automation, and foster a culture of security throughout the development lifecycle.
Third-party Assessments
Almost every organization has a dedicated team and department to safeguard its foundational systems and networks. These security teams implement best practices such as network segmentation, firewalls to monitor and control incoming and outgoing traffic, physical security controls to protect the physical infrastructure, secure configuration management, etc. Regular security audits are another critical responsibility of these enterprise teams. Even where organizations maintain dedicated security teams, third-party audits are equally significant. Here are a few advantages:
Enterprise Case Study
Encora offers a range of services, including security assessments and audits. We provide thorough security evaluations for organizations across industries, ensuring strong defenses against emerging threats. In this blog, we share how we conducted a comprehensive security audit for a leading energy company in the USA, highlighting our approach, methodology, and the value delivered to enhance their security posture.
Our Approach to Security Assessment
We conducted a comprehensive analysis to enable informed decision-making and develop targeted remediation strategies, safeguarding their critical assets and operations. Our efforts ensured the robustness and resilience of their infrastructure, application, and data security against evolving cyber threats and vulnerabilities. We followed our standard PAAR approach for this assessment.
- Plan: Create a project plan, scope, and identify the SPOC (Application owner).
- Assess: Conduct actual assessment, which is the main execution phase.
- Analyze: Evaluate the findings, tag severity, and measure the impact.
- Report: Create a set of our standard/predefined reports in this closure phase.
Encora’s PAAR Approach for Assessment
The duration of this assessment depends on the scope of the audit. Retrospection after each assessment helps refine our approach and reduce execution time. The assessment for this client took approximately 11-12 weeks, during which we audited:
- 250+ application repositories: Mixed technology stack with repos in Java, .NET, Python, Node, etc.
- 280+ databases: MS SQL, MySQL, Oracle, MongoDB, PostgreSQL, MemSQL
- Four public IPs
Assessment Methodology
Application Assessment: The strategy for assessing applications in scope included:
DevSecOps Assessment: DevSecOps is crucial for Application Security. This assessment included a thorough review of all CI/CD pipelines, YAML, Docker, and Kubernetes manifest files.
Data Assessment: This customer's database landscape included a mix of MS SQL, MySQL, Oracle, MongoDB, PostgreSQL, and MemSQL.
We first identified the right set of tools for each of these databases.
Some of the tools used were MySQL Client, Oracle Client, MSSQL Server Client (SSMS), Oracle DBSAT, PostgreSQL Database Security Assessment Tool, MongoDB Compass, NMAP, Metasploit, Searchsploit, mongoaudit, DBeaver, nosql-exploitation-framework and Hydra. The areas we focused on during the assessment were:
Infrastructure Assessment: We assessed the customer's perimeter using the list of public IPs provided.
Assessment Deliverables
At the end of the 12-week assessment, the following documents were handed over to the client team.
- Audit Report: A comprehensive report containing all findings and gaps. The impact of each finding was measured, and severity levels (high, medium, low) were assessed and tagged based on this impact. Below is a screenshot from the report:
Snapshot of the audit report
- Audit Presentation: We provided a comprehensive presentation to the client's leadership team, which included an executive summary of the security assessment. The presentation encompassed:
- A concise outline of the assessment process, key steps, and gap analysis.
- The high-severity issues, with their potential impact and associated risks.
- Actionable recommendations and an implementation roadmap to address the identified gaps.
- Sample screenshots
- Supporting Documents: All internal reports, evidence/screenshots, automated tool reports, manual scripts, and other relevant material used during the assessment.
The assessment significantly enhanced the client's security posture by identifying critical vulnerabilities and providing clear, actionable recommendations. The comprehensive audit report and presentation enabled the client's leadership to understand and prioritize high-severity issues, mitigating potential risks effectively. The implementation roadmap strengthened their defensive measures, ensuring better protection against cyber threats in the future.
Challenges Faced
- Scanning Tools Installation: We encountered challenges installing the necessary tools for the assessment. As a workaround, we requested dedicated Kali Linux Virtual Machines with multiple pre-installed tools, which saved significant time.
- Application Code Access: We asked the client to create a GitHub group and add our team members and application owners to grant us access for the assessment duration.
- Database Access: To perform automated and manual scans, we requested the client to create temporary database users with read-only access to the data dictionary. This access level was sufficient for our assessment needs.
- Access to Highly Secure Resources: For highly secure environments, we shared our manual scripts with the client's team and requested that they execute the scripts and share the results with us.
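As an added example (not from the engagement and not the page's own script), the kind of temporary, least-privilege assessment account described under "Database Access", shown for PostgreSQL and MS SQL Server; the role name audit_ro, database name appdb, password and expiry date are placeholders.

```sql
-- PostgreSQL: login role limited to the data dictionary, expiring with the engagement.
CREATE ROLE audit_ro LOGIN PASSWORD 'placeholder-change-me'
    VALID UNTIL '2024-01-31 23:59:59+00'           -- placeholder: engagement end date
    NOSUPERUSER NOCREATEDB NOCREATEROLE NOREPLICATION NOBYPASSRLS
    CONNECTION LIMIT 2;
-- pg_catalog and information_schema are readable by any role; these predefined
-- roles add configuration and statistics views without granting any table data.
GRANT pg_read_all_settings TO audit_ro;
GRANT pg_read_all_stats TO audit_ro;
GRANT CONNECT ON DATABASE appdb TO audit_ro;     -- scope to the assessed database only

-- Verification the assessor and DBA can both run before scanning starts:
SELECT rolname, rolsuper, rolcreaterole, rolcreatedb, rolvaliduntil, rolconnlimit
FROM pg_roles WHERE rolname = 'audit_ro';
-- Expect zero rows: the account must hold no privileges on application tables.
SELECT table_schema, table_name, privilege_type
FROM information_schema.role_table_grants WHERE grantee = 'audit_ro';

-- Cleanup at engagement close:
REVOKE ALL ON DATABASE appdb FROM audit_ro;
DROP ROLE audit_ro;

-- MS SQL Server equivalent (server-level parts run in master).
CREATE LOGIN audit_ro WITH PASSWORD = 'placeholder-change-me', CHECK_POLICY = ON;
GRANT VIEW ANY DEFINITION TO audit_ro;           -- object metadata, no data access
GRANT VIEW SERVER STATE TO audit_ro;             -- DMVs for configuration review
USE appdb;
CREATE USER audit_ro FOR LOGIN audit_ro;         -- no db_datareader membership
-- SQL Server logins have no expiry, so disable and drop them at close:
-- ALTER LOGIN audit_ro DISABLE;  DROP USER audit_ro;  DROP LOGIN audit_ro;
```

The zero-row check on role_table_grants is the evidence item worth keeping in the supporting documents, since it shows the scanning account could never have read customer data.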
Conclusion
In conclusion, after our 12-week assessment, we provided a comprehensive analysis of the client's security posture, identifying key vulnerabilities and offering actionable recommendations. Our team delivered detailed reports, presentations, and supporting documents to the client. We also included a thorough gap analysis and an implementation roadmap to enhance their security measures. Our robust methodology and collaborative approach ensured a successful audit, positioning the client to mount a better defense against potential threats.
We are equipped to conduct similar assessments, offering a tailored approach to meet specific security needs. Our expertise, systematic methodology, and advanced automation tools can help organizations strengthen their defenses and safeguard their digital assets more efficiently. Our use of automation not only accelerates the assessment process but also enhances accuracy by minimizing human error. After each successful assessment, our team conducts a retrospective to update our internal security checklist with the latest findings. The challenges and lessons learned from each assessment help us reduce assessment time and proactively address potential issues in future engagements.
Author Bio
Aditya Chouhan is a technology leader specializing in designing and delivering scalable, distributed enterprise solutions. In his current role as AVP Cloud Practice, he collaborates with global sales teams to deliver cutting-edge engineering solutions that drive innovation and business growth for global clients. Aditya's expertise spans cloud-native architecture, application modernization, enterprise application security, and helping global clients harness the power of technology to solve complex challenges.