Code Review, Application Security Assessment For a US Based Intelligence Agency


Our client is a US based private intelligence group that provides highly confidential intelligence services to various federal agencies across the globe. This intelligence is delivered through several subscription models: interested agencies can buy annual corporate licenses to access the confidential information available through the portal. The portal also presents different views to anonymous visitors, registered users, client administrators and super administrators. The intelligence is gathered from a range of sources such as TV, newspapers, tie-ups with local channels and research. The information is highly sensitive in nature and helps federal agencies build a strong intelligence network across the globe.

The Challenge

Because of the sensitive nature of the information the portal carries, it had to be protected from attackers, and it also had to be made available only in accordance with the defined access policies. Safeguarding the information assets in the application was the top priority, since the application was internet facing. The most challenging part was assessing the various third party modules called from the portal.

Our customer was serious about securing the information, and was also under pressure from the federal agencies to safeguard this highly sensitive information so that it could not be misused by malicious visitors. The application had been developed on the latest development framework, with a few third party modules plugged into it.

The Solution

Torrid proposed a thorough security assessment to the customer. This involved a line-by-line inspection of the code to identify code level vulnerabilities and backdoors in the application, followed by an in-depth application security assessment, or grey-box testing.

A detailed code review, followed by an in-depth application security audit, would make their development life-cycle more robust and make the developers aware of the common security mistakes made while coding web applications.

The approach followed was as below:

  1. Undertake detailed rounds of interaction with the development team to understand the business requirements for the application, its target customers, its confidential information assets and the business flow of the application.
  2. Perform an elaborate review of the application code.
  3. Conduct a web application audit of their web applications available over the internet, to strengthen their SDLC.
  4. Provide a multi-faceted, multi-pronged report with step-by-step tutorials on security best practices, written so that it is easily understood by both the development team and managers.

The Results

Torrid helped them assess their overall security posture, strengthen their SDLC and mitigate the overall risk posed by insecure code.

In the detailed, multi-stage reporting process, heavy emphasis was placed on best practices and on step-by-step tutorials for the security issues found, to help them withstand such attacks in the future. Some brief training sessions on secure coding were also delivered.