CAINS
IMPROVING THE SECURITY POSTURE OF APPLICATIONS AND INFRASTRUCTURE BY APPLYING SCIENCE DIFFERENTLY
DATASHEET • CASE STUDY
SECURITY@WESECUREAPP.COM • WESECUREAPP.COM
BACKGROUND.
Today, almost all industries acknowledge the significance of cyber security to their
businesses. Because of this, they opt for periodic security assessments of their
applications and network infrastructure, which is nothing new. Despite making an effort
to safeguard their businesses, companies often find themselves falling victim to a wide
array of cyber-attacks.
For the most part, companies get security assessments done for either of these two
reasons:
• To be vulnerability-free, and/or
• To stay compliant with regulatory bodies
There are many unnoticed observations about periodic security assessments. One major
observation is that the takeaways from the results of security assessments are limited.
Often, the deliverables are used only in the context of communicating possible
vulnerabilities. It is generally believed that resolving these vulnerabilities will by itself
safeguard the enterprise against cyber-attacks.
The missing key here is that there are no tangible takeaways from the deliverables of
these periodic assessments. It is always report after report, delivered by your
security vendor or internal security team every quarter. There is just no end to the new
findings. This doesn’t mean periodic security assessments are at fault here - this is how
they are supposed to work. Discovering and fixing security findings are the primary
objectives for conducting them in the first place.
WHAT IS CAINS?
CAINS is a solution suite that aims to incrementally improve the security posture of your
organization’s applications and network infrastructure by applying science differently.
With an innovative approach, methodology and deliverables, CAINS adds a new
dimension to typical periodic security assessments. Implementation of CAINS will aid in:
[Figure: Quarterly activities (Q1, Q2, Q3, Q4) and bi-annual activities (H1, H2)]
WHAT DO YOU GET?
When implementing CAINS, we closely monitor and control the entire process to ensure
the efficiency of the assessment. Our high involvement will ensure the following:
REDUCTION OF VULNERABILITIES
During typical periodic security assessments, vulnerabilities of a similar nature are often
found again and again. The root of this problem has to do with the coding standards of the development
team. Based on the assessments carried out in the initial quarters, a tailor-made training program is
designed within the context of the discoveries made in your applications. This will help the
development team write secure code. This will not only eliminate the scope for introducing
commonly repeated vulnerabilities but also improve the quality of code by a measurable amount.
Typically, periodic assessments are carried out by multiple vendors for various assessment
activities. This leads to management lacking a clear view on their organization’s security posture.
CAINS takes assessments typically needing multiple suppliers and combines them into a single
set of reports for management to interpret. We avoid possible confusion by using nontechnical
language and recommending practices to correct the issues we discovered.
All technical reports that are delivered as part of CAINS are compliance ready, meaning they can
be utilized when your organization is undergoing any kind of compliance audit.
As previously stated, typical security assessments require the use of multiple vendors. By taking
advantage of WeSecureApp’s CAINS solution, you cut costs: instead of dealing with multiple
separate organizations, it’s all us!
METHODOLOGY.
A HYBRID APPROACH: MANUAL AND AUTOMATED TESTING
With the use of automated scanners, in-house tools, scripts and manual testing methods,
we actively set the industry benchmark in security assessments. We collect large amounts
of data with automated testing tools and use that data to guide manual testing, exploring
further wherever it helps us discover vulnerabilities. This hybrid approach ensures
that your application and organization are thoroughly covered and secure against
potential attacks.
WONDERING HOW CAINS CAN HELP YOU?
TAKE A LOOK AT THIS CASE STUDY >
HOW A TRAVEL TECH COMPANY BENEFITED FROM SUBSCRIBING TO CAINS.
CHALLENGES >
Apart from running legacy services, their applications also run many modern web services that are built
on the latest technology stack to power mobile applications. The deployment model is a mix-and-match
of on-cloud and on-premise. Below are the major problems that they had and that went unnoticed until
CAINS was implemented.
OUTCOME >
Based on the results of the initial assessments, we were able to pinpoint the insecure coding
standards, which minimized the critical findings.
[Figure: critical findings by quarter (Q1, Q2, Q3, Q4)]
As we progressed with the activities, we noticed a great improvement in the quality of
code as a result of our tailor-made secure coding practices training.
CONCLUSION >
After analyzing all discovered vulnerabilities, we developed a successful developer training program
which directly lowered the vulnerability recurrence by up to 34% from quarter to quarter. This points
to an overall improvement in security posture, which will continue to develop as their development team
refines its skills and secure coding practices over time.
DON’T TAKE OUR WORD FOR IT.
TAKE THEIRS INSTEAD.
BEN JOHNSON
CTO • LEGALINC
DALLAS, TX