Our client manages the country’s basic infrastructure through a complex network and planned to automate the billing process for the services it provides. It invested heavily in an automation system consisting of small, low-power radio transmitters connected to individual systems that send daily data to a network of receivers throughout the city. In most cases, the transmitters will be placed where the system’s remote receptacles are currently located. The receivers will be operated by the department’s information technology arm. Installation of the system will take approximately three years to complete.
The new technology will be able to send accurate data to a computerized billing system up to four times a day and will largely eliminate the need for estimated bills. Since it is an automated system, it also eliminates the need for a system to be installed at customer properties. Information on the entire system is available on the portal. The portal also provides separate views for anonymous users, registered users, administrators and super administrators.
As the portal contains confidential information on about 8,26,000 account holders, there was a need to secure that information from cyber attacks and to ensure that it is available only in accordance with the access policies. Safeguarding the information assets in the application was a top priority because the application is internet-facing.
Our client was determined to protect itself from the kind of major data breaches reported at large government organizations in recent memory. Since various modules are integrated by third parties and many parts of the application undergo routine revisions, the customer was concerned not only about protecting the initial applications, but also about protecting its database against new vulnerabilities that could be introduced over time. The client also wanted to shorten application development cycles while implementing safe coding practices. In addition, it understood that the combination of its custom web applications, thousands of users, and the integration of different modules would present a significant number of opportunities for insider threats and external attacks. It needed a solution that covered all of these needs without burdening its project management.
Torrid recommended a manual security code review followed by a comprehensive application security assessment, delivered through the expertise of its Information Security Center of Excellence. Code review, considered the single most effective technique for identifying security flaws, can, when combined with a security assessment, significantly increase the cost effectiveness of an application security verification effort through bundling. Integrating security code review into the System Development Life Cycle (SDLC) increases the overall quality of the code developed without significantly adding to the effort.
The following steps were carried out by Torrid’s experts for the in-depth analysis of the application:
Torrid helped the client assess its overall security posture, strengthen its SDLC and mitigate the overall risks posed by insecure code.