Code Review and Web Application Security Assessment For a US State Department

Vulnerability Assessment and Forensics Services for a hosting company with 2500+ applications
February 14, 2008
OWASP AppSec India Conference 2008
August 7, 2008

Our client manages part of the country’s basic infrastructure through a complex network and planned to automate billing for the services it provides. It invested heavily in an automation system of small, low-power radio transmitters attached to individual systems that send daily readings to a network of receivers throughout the city. In most cases the transmitters are placed where the systems’ remote receptacles are currently located, and the receivers are operated by the department’s information technology arm. Installation of the system is expected to take approximately three years.

The new technology sends accurate readings to a computerized billing system up to four times a day and largely eliminates the need for estimated bills. Because it is automated, it also removes the need for a system to be installed at customer properties. Information on the entire system is available through a web portal, which presents separate views to anonymous visitors, registered users, administrators and super administrators.

The Challenge

The portal holds confidential information on about 826,000 account holders, so that information had to be protected from attack and released only as the access policies allow. Because the application is internet facing, safeguarding its information assets was the top priority.

Our client was determined to avoid the kind of major data breach that several large government organisations had suffered in recent memory. Because several modules were integrated by third parties and many parts of the application underwent routine revision, the client was concerned not only with protecting the initial applications but also with protecting its database against new vulnerabilities introduced over time. It also wanted to shorten application development cycles while adopting secure coding practices, and it understood that the combination of custom web applications, thousands of users and integration of different modules presented many opportunities for insider threats and external attacks. It needed a solution that covered all of these needs without burdening its project management.

The Solution

Torrid recommended a manual security code review followed by a comprehensive application security assessment, delivered by its Information Security Center of Excellence. Code review is widely regarded as the single most effective technique for finding security flaws; combined with a security assessment of the running application and bundled into one engagement, it makes the verification effort considerably more cost effective. Integrating security code review into the System Development Life Cycle (SDLC) raises the overall quality of the code without significantly adding to the development effort.

Torrid’s experts carried out the following steps for the in-depth analysis of the application:

  1. Interaction with the development team to understand the business requirements of the application, its target customers, its confidential assets and its data flows, so that the assessment could be properly targeted.
  2. Definition of the security code review objectives, followed by a preliminary scan with multiple automated tools to flag the common weaknesses present in the code.
  3. Manual code review for security issues specific to the application’s architecture, which automated tools do not find, to close the remaining gaps in the application security framework.
  4. A web application audit that assessed the application from an attacker’s perspective. Thinking the way an attacker thinks when breaking in exposed many flaws, which were then pinned down and fixed.
  5. Execution of numerous attacks against the application using commercial, open source and custom tools to determine the underlying vulnerabilities.
  6. An assessment methodology that includes, but is not limited to, checks for every issue category in the OWASP Top 10.
  7. Finally, a multi-faceted report, including a step-by-step tutorial on security best practices, written with its audience of developers and managers in mind.
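As an added illustration (not code from the client’s portal, whose language the page does not state), the Python below shows the kind of finding the manual code review and attacker’s-perspective audit in steps 3 to 6 are designed to produce: a portal view that checks only that the caller is logged in, the same view fixed to enforce the access policy described above (registered users see their own accounts, administrators and super administrators see every account), and a probe that tries every user against every account and reports the reads the policy should have denied. The role names follow the portal’s four view levels; the users, account numbers and readings are constructed for the example.

```python
"""Added example: a role-based access check of the kind a manual security code
review verifies, shown as the vulnerable 'before' and the fixed 'after', plus a
small attacker's-perspective probe. Nothing here is the client's portal code;
the roles, users and account records are constructed for the example."""
from dataclasses import dataclass
from enum import IntEnum


class Role(IntEnum):
    # Ordered so that a higher value means more privilege.
    ANONYMOUS = 0
    REGISTERED = 1
    ADMIN = 2
    SUPERADMIN = 3


@dataclass(frozen=True)
class User:
    name: str
    role: Role
    account_ids: frozenset  # accounts this user is entitled to view


class Forbidden(Exception):
    """Raised when the access policy denies a request."""


# Constructed sample data: two account holders with daily readings.
ACCOUNTS = {
    1001: {"holder": "alice", "readings": [12.5, 13.1, 12.9]},
    1002: {"holder": "bob", "readings": [9.0, 9.4, 9.2]},
}

# Constructed users: one anonymous visitor, two registered holders, one admin.
USERS = {
    "anon": User("anon", Role.ANONYMOUS, frozenset()),
    "alice": User("alice", Role.REGISTERED, frozenset({1001})),
    "bob": User("bob", Role.REGISTERED, frozenset({1002})),
    "ops": User("ops", Role.ADMIN, frozenset()),
}


def is_allowed(user, account_id):
    """The access policy: registered users may read only their own accounts;
    administrators and super administrators may read any account."""
    if user.role == Role.ANONYMOUS:
        return False
    return user.role >= Role.ADMIN or account_id in user.account_ids


def account_view_vulnerable(user, account_id):
    """Before: the only check is 'logged in'. A registered user who changes the
    account_id parameter reads another holder's record (an insecure direct
    object reference, one of the OWASP Top 10 categories)."""
    if user.role == Role.ANONYMOUS:
        raise Forbidden("login required")
    return ACCOUNTS[account_id]


def account_view_fixed(user, account_id):
    """After: the view enforces the policy on every request, and the record
    lookup happens only after the authorization decision."""
    if not is_allowed(user, account_id):
        raise Forbidden(f"{user.name} may not read account {account_id}")
    return ACCOUNTS[account_id]


def probe_read(view, user, account_id):
    """Attacker's-perspective check: does the view hand the record to this
    user? True when the record is leaked, False when access is denied."""
    try:
        view(user, account_id)
    except Forbidden:
        return False
    return True


def audit_access_policy(view):
    """Try every (user, account) pair and return the reads that succeeded
    although the policy should have denied them."""
    findings = []
    for user in USERS.values():
        for account_id in ACCOUNTS:
            if not is_allowed(user, account_id) and probe_read(view, user, account_id):
                findings.append((user.name, account_id))
    return findings


if __name__ == "__main__":
    print("vulnerable view leaks:", audit_access_policy(account_view_vulnerable))
    print("fixed view leaks:     ", audit_access_policy(account_view_fixed))
```

Run stand-alone, the audit reports alice reading bob’s account and bob reading alice’s through the vulnerable view, and nothing through the fixed one. The design point the review looks for is that the authorization decision lives in one policy function that every view calls before touching data, rather than in ad hoc "is the user logged in" checks scattered across views.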

The Results

Torrid helped the client assess its overall security posture, strengthen its SDLC and mitigate the overall risk posed by insecure code.

  1. Achieved end-to-end application data security without impacting performance
    Enabled protection for a high volume of users and multiple custom web applications and databases, without extra coding.