
DATASHEET • CASE STUDY

CAINS
IMPROVING THE SECURITY POSTURE
OF APPLICATIONS AND INFRASTRUCTURE
BY APPLYING SCIENCE DIFFERENTLY
SECURITY@WESECUREAPP.COM • WESECUREAPP.COM
BACKGROUND.
Today, almost every industry acknowledges the significance of cybersecurity to its
business. Periodic security assessments of applications and network infrastructure are
therefore routine. Yet despite these efforts to safeguard their businesses, companies
often still fall victim to a wide array of cyber-attacks.

For the most part, companies get security assessments done for one or both of these
reasons:
• To be free of known vulnerabilities, and / or
• To stay compliant with regulatory bodies

Periodic security assessments come with observations that often go unnoticed. One major
one is that the takeaways from their results are limited: the deliverables are mostly used
to communicate the vulnerabilities found, on the assumption that resolving those
vulnerabilities alone will safeguard the enterprise against cyber-attacks.

What is missing is a tangible, lasting takeaway from the deliverables of these periodic
assessments. Your security vendor or internal security team delivers report after report
every quarter, and there is no end to the new findings. This does not mean periodic security
assessments are at fault; this is how they are supposed to work. Discovering and fixing
security findings is the primary objective of conducting them in the first place.

However, by streamlining the process and acting on the deliverables of periodic security
assessments, it is possible to derive much more value from them and to improve the overall
security maturity index of an enterprise over time.

WHAT IS CAINS?
CAINS is a solution suite that aims to incrementally improve the security posture of your
organization's applications and network infrastructure by applying science differently.
With its approach, methodology and deliverables, CAINS adds a new dimension to typical
periodic security assessments. Implementing CAINS will aid in:

• Building a balanced application and network security assurance program.
• Evaluating an organization's existing application development security practices.
• Gaining tangible visibility into the overall security maturity health index.
• Staying compliant with regulatory bodies.

HOW DOES IT WORK?

CAINS starts with a 12-month engagement program designed to execute security assessments
and other activities that incrementally improve the overall security maturity index of your
organization. The intended result is that the number of findings uncovered in each
assessment decreases quarter over quarter.

QUARTERLY ACTIVITIES (Q1, Q2, Q3, Q4)
• APPLICATION VAPT
• INTERNAL NETWORK VAPT
• EXTERNAL NETWORK VAPT

BI-ANNUAL ACTIVITIES (H1, H2)
• SECURE CODE REVIEW
• CLOUD REVIEW
• SECURE PRACTICES DEV TRAINING
WHAT DO YOU GET?
When implementing CAINS, we closely monitor and control the entire process to ensure
the efficiency of the assessment. Our close involvement ensures the following:

REDUCTION OF VULNERABILITIES

In typical periodic security assessments, vulnerabilities of a similar nature are found again
and again. The root of this problem usually lies in the development team's coding standards. Based
on the assessments carried out in the initial quarters, a tailor-made training program is designed
around the discoveries made in your applications. This helps the development team write secure
code, which not only reduces the scope for commonly repeated vulnerabilities but also improves
code quality by a measurable amount.

VISIBILITY OVER SECURITY MATURITY INDEX

Typically, periodic assessments are carried out by multiple vendors for the various assessment
activities, leaving management without a clear view of the organization's security posture. CAINS
combines assessments that would normally need multiple suppliers into a single set of reports for
management to interpret. We avoid confusion by using non-technical language and by recommending
practices that correct the issues we discovered.

COMPLIANCE READY REPORTS

All technical reports delivered as part of CAINS are compliance ready, meaning they can be
used as evidence when your organization undergoes a compliance audit.

STABILIZING THE APPLICATION & NETWORK INFRASTRUCTURE SECURITY BUDGET

As stated above, typical security assessments require multiple vendors. With WeSecureApp's
CAINS solution you cut costs, because instead of dealing with several separate organizations
you deal with one: us.

METHODOLOGY.
A HYBRID APPROACH: MANUAL AND AUTOMATED TESTING

Combining automated scanners, in-house tools, scripts and manual testing methods, we aim to
set the industry benchmark in security assessments. We collect large amounts of data with
automated testing tools and use that data to direct manual testing, exploring further wherever
it is likely to uncover vulnerabilities. This hybrid approach gives your application and
organization thorough coverage against potential attacks: automated tools find the breadth
of known issue classes, while manual testing finds the business-logic and chained issues that
scanners miss.

WONDERING HOW
CAINS CAN HELP
YOU?
TAKE A LOOK AT THIS CASE STUDY >

HOW A TRAVEL TECH COMPANY
BENEFITED FROM SUBSCRIBING
TO CAINS.

ABOUT THE CLIENT >

Our client is one of the leading travel tech companies in Asia. Their travel applications are a
one-stop destination for flight, train and bus ticketing. They offer web and mobile applications
to their consumers.

CHALLENGES >
Apart from running legacy services, their applications also run many modern web services built
on the latest technology stack to power the mobile applications. The deployment model is a mix
of on-cloud and on-premise. Below are the major problems they had, which went unnoticed until
CAINS was implemented.

• Lots of commonly repeated vulnerabilities.
• Management does not have clear visibility over the security of their digital assets, as
  multiple vendors are involved for the various activities.
• Turnaround time to fix a vulnerability is too high.

HOW CAINS HELPED THEM >

With the first round of assessments, we gained a clear understanding of our client's security
posture. We identified vulnerabilities of a similar nature that were being repeated, and based
on that we developed a tailor-made training program for the development team.

OUTCOME >

INCREMENTAL IMPROVEMENT IN THE TOTAL NUMBER OF CRITICAL FINDINGS QUARTER BY QUARTER

Based on the results of the initial assessments, we were able to pinpoint the insecure coding
standards behind the critical findings; correcting them reduced the number of critical findings
quarter by quarter.

(Chart: total critical findings, Q1 through Q4.)

REDUCING THE DISCOVERY OF REPEATED VULNERABILITIES

Since we were the sole provider for the entire assessment, we were able to view all of the
findings and use them to provide a tailor-made solution. Based on the findings, we created a
developer training program which educated the developers on the mistakes they made and how to
avoid them with secure coding practices.

% OF REPEATED FINDINGS BY QUARTER: Q1 N/A • Q2 45% • Q3 29% • Q4 10%

IMPROVEMENT IN QUALITY OF CODE

As the activities progressed, we noticed a great improvement in the quality of code as a result
of our tailor-made secure coding practices training.

CONCLUSION >
After analyzing all discovered vulnerabilities, we developed a developer training program which
directly lowered vulnerability recurrence by up to 34% from quarter to quarter. This points to an
overall improvement in security posture that will continue to develop as the development team
refines its skills and secure coding practices over time.
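The recurrence figures above depend on how "repeated finding" is defined, and that definition is what makes the metric comparable from quarter to quarter. The script below is an added example, not WeSecureApp's tooling or the client's data. It assumes each finding in the assessment register is tagged with a weakness category (a CWE id is used here) and a quarter label; it defines the repeat rate of a quarter as the share of that quarter's findings whose category was already reported in an earlier quarter of the program (Q1 has no earlier quarter and is reported as N/A, as in the chart); it counts critical findings per quarter; and it lists the categories that recurred across quarters, which are the natural candidates for a tailor-made developer training syllabus. The findings it runs on are constructed sample data.

```python
"""Recurrence tracking for periodic-assessment findings.

Added example (not WeSecureApp tooling). Assumptions, labelled here:
  * every finding carries a weakness category; a CWE id is used as that category
  * the repeat rate of a quarter is the share of its findings whose category
    was already reported in an earlier quarter of the same program
  * Q1 has no earlier quarter, so its rate is None (rendered as "N/A")
"""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Finding:
    quarter: str    # assessment quarter, "Q1".."Q4"
    asset: str      # application or host the finding was raised against
    cwe: str        # weakness category, e.g. "CWE-89" (SQL injection)
    severity: str   # "critical", "high", "medium" or "low"


QUARTER_ORDER: List[str] = ["Q1", "Q2", "Q3", "Q4"]

# Constructed sample register for a one-year program (not real client data).
SAMPLE_FINDINGS: List[Finding] = [
    Finding("Q1", "web", "CWE-89", "critical"),
    Finding("Q1", "web", "CWE-79", "high"),
    Finding("Q1", "mobile-api", "CWE-79", "high"),
    Finding("Q1", "mobile-api", "CWE-352", "medium"),
    Finding("Q1", "web", "CWE-22", "critical"),
    Finding("Q2", "web", "CWE-89", "critical"),      # repeat of a Q1 category
    Finding("Q2", "mobile-api", "CWE-79", "high"),   # repeat of a Q1 category
    Finding("Q2", "web", "CWE-287", "critical"),
    Finding("Q2", "web", "CWE-200", "low"),
    Finding("Q3", "mobile-api", "CWE-79", "high"),   # still recurring
    Finding("Q3", "web", "CWE-798", "critical"),
    Finding("Q3", "web", "CWE-611", "high"),
    Finding("Q3", "mobile-api", "CWE-918", "high"),
    Finding("Q4", "web", "CWE-1021", "low"),
    Finding("Q4", "mobile-api", "CWE-400", "medium"),
]


def _by_quarter(findings: List[Finding]) -> Dict[str, List[Finding]]:
    grouped: Dict[str, List[Finding]] = defaultdict(list)
    for f in findings:
        grouped[f.quarter].append(f)
    return grouped


def repeat_rate_by_quarter(findings: List[Finding]) -> Dict[str, Optional[float]]:
    """Fraction of each quarter's findings whose CWE was already seen in an
    earlier quarter. None where the rate is undefined (Q1, or an empty quarter)."""
    grouped = _by_quarter(findings)
    seen_categories: set = set()
    rates: Dict[str, Optional[float]] = {}
    for index, quarter in enumerate(QUARTER_ORDER):
        batch = grouped.get(quarter, [])
        if index == 0 or not batch:
            rates[quarter] = None
        else:
            repeated = sum(1 for f in batch if f.cwe in seen_categories)
            rates[quarter] = repeated / len(batch)
        # Categories only count as "seen" from the next quarter onward.
        seen_categories.update(f.cwe for f in batch)
    return rates


def critical_by_quarter(findings: List[Finding]) -> Dict[str, int]:
    """Number of critical-severity findings per quarter (the first outcome chart)."""
    grouped = _by_quarter(findings)
    return {q: sum(1 for f in grouped.get(q, []) if f.severity == "critical")
            for q in QUARTER_ORDER}


def recurring_categories(findings: List[Finding]) -> List[Tuple[str, int]]:
    """Categories reported in two or more distinct quarters, most persistent first.
    These are the candidates for the tailor-made developer training."""
    quarters_per_cwe: Dict[str, set] = defaultdict(set)
    for f in findings:
        quarters_per_cwe[f.cwe].add(f.quarter)
    recurring = [(cwe, len(qs)) for cwe, qs in quarters_per_cwe.items() if len(qs) >= 2]
    return sorted(recurring, key=lambda item: (-item[1], item[0]))


def as_percent(rate: Optional[float]) -> str:
    """Render a rate the way the case-study chart does: 'N/A' for undefined."""
    return "N/A" if rate is None else f"{rate:.0%}"


if __name__ == "__main__":
    rates = repeat_rate_by_quarter(SAMPLE_FINDINGS)
    criticals = critical_by_quarter(SAMPLE_FINDINGS)
    for q in QUARTER_ORDER:
        print(f"{q}: repeated {as_percent(rates[q]):>4}  critical {criticals[q]}")
    print("training candidates:", recurring_categories(SAMPLE_FINDINGS))
```

Keying recurrence on the weakness category rather than on the exact finding is deliberate: a CWE-79 instance in a new endpoint is a new finding but the same developer mistake, which is what the training is meant to remove. A program that instead keys on asset plus location would only measure whether old bugs were fixed, not whether the habit was unlearned.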

DON'T TAKE OUR WORD FOR IT.
TAKE THEIRS INSTEAD.

“WSA solved our security problems through their solution CAINS. They helped us not only in
finding potential vulnerabilities in our applications but also trained our developers to ensure
the vulnerabilities are not repeated in future releases. Overall in one year, we have seen that
our application security posture improved multi-fold.”

BEN JOHNSON
CTO • LEGALINC
DALLAS, TX
