Comprehensive Security Assurance Program for Software Development Teams

Security Assurance Program by DataArt emphasizes the importance of integrating security processes early in the development cycle. It offers a range of benefits including enhancing security capabilities, identifying cybersecurity weaknesses, and preventing costly incidents. The program focuses on ensuring compliance, implementing best security practices, and continuous monitoring to protect solutions from evolving threats.




Presentation Transcript


  1. Security Assurance Program (New York, USA; London, UK; Munich, Germany; Zug, Switzerland)

  2. Security Assurance Program. DataArt considers security a high priority and recommends starting work on security processes at an early stage of the development cycle, even before coding itself. The Security Assurance program includes relevant activities to help your software development team build a secure solution that operates at a high level of security. The program focuses on the following goals: ensure the development process, solution and operations conform to the client's security standards and applicable compliance requirements; ensure the solution is implemented, configured and deployed according to security best practices; ensure the solution is sufficiently protected from relevant threats and immune to attack vectors.

  3. Security Assurance Benefits. Boost your software development team's capabilities with information security expertise. Receive a detailed and unbiased report of your company's strengths and weaknesses in the cybersecurity area. Save your company time and money by finding cybersecurity discrepancies before an audit occurs. Prevent costly security incidents and preserve the confidence of your customers, suppliers, partners, and shareholders. Gain a competitive advantage, since providing security by default opens the doors to large projects and contracts.

  4. Security Is Continuous. It is known that security is not a point in time, it's a process. Our approach to security consists of three global categories of recurrent actions which help protect the solution from relevant security threats starting from day one:
     • Development Security focuses on development and architecture best practices and on security assurance of particular software components.
     • Configuration Security ensures that OS, network and software configuration security are taken into account and implemented properly.
     • Operations Security defines environment maintenance and monitoring tasks.
     To achieve that, DataArt provides a part-time security architect who will be responsible for execution and coordination of security activities.

  5. Secure Development: security requirements and guidelines; architecture and security feature review; recurrent security code reviews. The security architect will review functional requirements for the solution, security policies, compliance response statements and security best practices and translate them into project- and technology-specific development and configuration guidelines. These guidelines will be used by the project team to create relevant security acceptance criteria for the user stories, implement particular security-related functionality, derive specific test cases for security features and prepare deployment checklists for production environments. The security architect will participate in the team's technical meetings and discussions to provide guidance in selecting standard or customized secure-by-default software components to implement security-critical features of the app. Examples of such features include, but are not limited to, authentication flows, access controls, cryptography and PKI. The architect will also help with upfront design of difficult security problems on an ad hoc basis. Independent security code reviews will be performed by Senior Software Engineers who have strong experience in application-level security and common vulnerabilities. They will use technology-specific security review checklists (like the Cheat Sheet v2 Series from OWASP) to identify deviations from recommended implementations. Each round of manual code review will be followed by an actionable report with the findings; the reviewers will assist the team with the remediation of identified issues.

  6. Security Testing: manual penetration testing; security test cases; integration of security tools into the CI/CD pipeline (Security Automation, DevSecOps). The security architect will help to integrate basic security testing into standard quality assurance processes. The QA team will go beyond functional testing and perform basic adversarial tests, which require no security knowledge, and edge case/boundary condition testing. Such test cases will be derived from requirements and security features, marked with special tags in the test case management tool and run during regression/smoke testing for each pre-release version of the solution. All defects found during such tests will be tracked in the project management tool labeled with a "Security" tag. The security team will perform an independent penetration test using an industry-recognized methodology. Penetration testers will attempt to access actual data and functionality to fully demonstrate the significance of any identified weaknesses. Following the completion of the penetration test, the security team will deliver a detailed actionable report and support the development team with remediation of identified issues. DataArt recommends running penetration tests before each major release or configuration change or, at least, annually or bi-annually. The security architect will collaborate with the DevOps team to integrate automated security testing tools into the existing CI/CD pipeline. DataArt proposes using Static Application Security Testing (SAST) and Software Composition Analysis (SCA) to ensure the security of the code and remediate common security flaws, like vulnerable third-party components, broken cryptography, XSS and SQL injection, unsafe and hardcoded defaults, buffer overflows and memory corruption, before they are merged into the main development branch.

  7. Secure Configuration and Operations: environment hardening and assessment; security policy creation and maintenance; incident and vulnerability management. The security architect will create the definition of the expected operating platform, recommended security configuration and deployment recommendations for DevOps. The architect will periodically inspect the production environment and ensure that host and network configurations, remote access settings, logging and monitoring are implemented in line with the definition. All unaddressed gaps and security issues will be documented and wrapped up into a detailed report with suggestions on remediation. Our security specialists will contribute to security policies covering development, testing, configuration, operations, project management and support activities. All policies will address both the client's security requirements and regulatory pressures. Our specialists will organize an operations security group (hereinafter referenced as SOC, Secure Operations Center) which will handle all incoming security-related requests, incidents and reports and perform continuous environment monitoring. The members of the group will collect and analyze raw security data, process security alerts, find suspicious activity and anomalies, and raise, track and resolve security incidents.

  8. Our Clients

  9. Case Studies

  10. CASE STUDY: Security Assurance for a Major Wholesaler. The client is a world-famous wholesale company that provides hotels, restaurants, caterers and independent traders with food and non-food goods. The client offers three shopping options to its multimillion-customer database: shop in the stores, order online and collect the products at the store, or home delivery. Business Challenge: The client engaged DataArt to provide a next-generation e-commerce ERP system. DataArt's security experts were involved to analyze the system from a cybersecurity perspective, in order to deal with any potential challenges. The development process and solution had to meet the following requirements: conform to the security standards, business and compliance requirements; be configured and deployed according to security best practices; be protected from threats and immune to attack vectors. Business Impact: The partnership with DataArt allowed our client to build their SSDLC adhering to the highest security standards and best practices and resulted in the delivery of a secure platform.

  11. CASE STUDY: Security Assurance for a Major Wholesaler (continued). DataArt worked closely with all stakeholders in this very complex project to ensure the final security of the system. We provided a range of security-related services that included: Final Environment Assessment. DataArt performed penetration testing and a cloud security audit. The goal of the security assessment was to ensure that attackers wouldn't be able to obtain access to restricted data or take control of the systems. At the same time, continuous cloud monitoring was used to track the configurations of cloud-based environments, assess them using a predefined set of rules (GDPR, ISO27001), and raise alerts if there were any deviations from the recommended security baseline or non-compliance with external regulations. Secure Development Practices. DataArt assigned a dedicated security architect to the project, who contributed functional requirements for the solution, security policies and security best practices and published technology-specific security requirements and guidelines. These guidelines were accumulated in a separate checklist and their implementation was tracked over the course of the project. Project-specific training for a better understanding of the security requirements was organized for the client's employees as well. Integration of security tools into the CI/CD pipeline. SAST and DAST were introduced to check the source code and compiled versions of the code for security flaws. Also, Software Composition Analysis was performed to identify potential areas of risk from the use of third-party and open-source software and hardware components.
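The baseline checks described in slide 7 (periodic inspection of host, network, remote-access and logging configuration against an agreed definition) and in this case study (continuous assessment of cloud configuration against a predefined rule set, alerting on deviations) share one core mechanism: rules as data, compared against a configuration snapshot. The following is an added illustration of that mechanism, not DataArt's tooling; the rule set, control labels and environment snapshot are constructed for the example.

```python
"""Baseline-compliance checker over an environment configuration snapshot.

Added example (not DataArt's code). Rules and snapshot are constructed;
the control labels are illustrative, not real standard clause numbers.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    key: str          # dotted path into the snapshot, e.g. "logging.enabled"
    expected: object  # baseline value (or numeric floor when at_least=True)
    control: str      # which requirement the rule traces to (constructed)
    severity: str = "high"
    at_least: bool = False


BASELINE = [
    Rule("storage.public_read", False, "ISO27001 access control"),
    Rule("storage.encryption_at_rest", True, "GDPR data protection"),
    Rule("logging.enabled", True, "ISO27001 logging and monitoring"),
    Rule("logging.retention_days", 365, "ISO27001 log retention", "medium", True),
    Rule("remote_access.ssh_password_auth", False, "ISO27001 access control"),
]

# Constructed snapshot, as an inventory script might export production settings.
SNAPSHOT = {
    "storage": {"public_read": True, "encryption_at_rest": True},
    "logging": {"enabled": True, "retention_days": 30},
    "remote_access": {},  # ssh_password_auth never set: treated as a gap
}


def lookup(snapshot: dict, dotted: str):
    """Resolve a dotted path in a nested dict; a missing key yields None."""
    node = snapshot
    for part in dotted.split("."):
        if not isinstance(node, dict) or part not in node:
            return None
        node = node[part]
    return node


def assess(snapshot: dict, rules=BASELINE) -> list:
    """One finding per rule the snapshot deviates from. An absent setting is a
    deviation: lack of evidence is not evidence the control is in place."""
    findings = []
    for rule in rules:
        actual = lookup(snapshot, rule.key)
        if rule.at_least:
            ok = isinstance(actual, (int, float)) and actual >= rule.expected
        else:
            ok = actual == rule.expected
        if not ok:
            findings.append({"key": rule.key, "expected": rule.expected,
                             "actual": actual, "severity": rule.severity,
                             "control": rule.control})
    return findings


def alert_lines(findings) -> list:
    """Render findings as alert lines for the report or monitoring channel."""
    return [f"[{f['severity'].upper()}] {f['key']}: expected {f['expected']!r}, "
            f"found {f['actual']!r} ({f['control']})" for f in findings]


if __name__ == "__main__":
    print("\n".join(alert_lines(assess(SNAPSHOT))))
```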

  12. Contacts (New York, USA; London, UK; Zug, Switzerland; Munich, Germany)
     • Alexei Miller, Managing Director, +1 (212) 378-4108, New-York@dataart.com
     • Dmitry Bagrov, Managing Director, +44 (0) 207 099 9464, UK-Sales@dataart.com
     • Alexander Makeyenkov, Managing Partner, +41 (0) 415 880 158, CH-Sales@dataart.com
     • Konstantin Kazin, Managing Director, +49 (89) 635 09 128, DE-Sales@dataart.com
