
Success Stories

To get a feeling for what we can do for you, look at these brief examples of what we have done for others.


Solving security issues at the architecture level for a global insurance company

Occupation: We analyzed an e-business framework from the perspective of application-level attacks. We detected several security problems, one of which would allow an attacker to steal passwords and other personal information from legitimate users. Because this problem was rooted at the architecture level, we were able to apply an elegant solution, based on design patterns, which corrected the problem without requiring significant reprogramming at the application level. Going further, we discovered that numerous applications built to the framework had implemented their own database access routines, some of which were vulnerable to SQL injection attacks. The responsible project managers were notified and the applications brought into line with the framework.
Customer Value: Security moved to a high level where it is easily managed, resulting in reduced costs and risks for future projects.

Highest security for single-sign-on at a major banking house

Occupation: We examined a single sign-on (SSO) system which was in the late design stages before production. The system provided SSO functions for internet and intranet users. Fortunately, we were able to identify two important security problems, which would have resulted in internal users being able to steal each other's passwords. Since one of the systems was used to move very large sums in inter-bank transfers, security needed to be at its highest. Furthermore, as the application was integrated into a web portal, a special solution for controlling sessions (timeouts, extra session identifiers, etc.) was required. We designed corrective measures for several such issues and the customer undertook to fix the problems themselves.
Customer Value: Extremely high security measures provide extra protection for critical applications, while the design permits easy integration into the existing infrastructure. This means reduced development effort and simultaneously higher security.

Secure development process for an international telecommunications provider

Occupation: The provider developed a highly integrated system for its business processes based on an enterprise service bus. We provided application security experts to oversee the security for this system during the course of development. We analyzed the infrastructure for security flaws and as a result, numerous issues were detected in time to correct them in earlier phases of the project. Because of the project size (hundreds of man-years of development), this resulted in enormous cost savings for the customer, who would otherwise have had to either a) accept an insecure system or b) make major changes in the late stages of development. Ultimately, we delivered hardening guidelines for the various infrastructure components (BEA WebLogic, JBoss, TIBCO, etc.).
Customer Value: A secure development lifecycle process is in place. Enormous cost savings due to early flaw detection. Infrastructure components are properly hardened.

Complete security seminars for a major insurance company

Occupation: We created a complete series of seminars that took developers through all of the stages of security knowledge necessary to create secure applications. These seminars were coupled with supporting measures that let managers and architects monitor the security of their applications during the development phase.
Customer Value: Managers are now "security aware". Developers know how to program securely. A process is in place to ensure secure development.

Penetration tests lead to new security policies at a global finance company

Occupation: Existing web applications and infrastructure were subjected to rigorous application-level penetration tests. Numerous flaws were detected, all of which pointed to a lack of clear policy for application development. After demonstrating and correcting the security flaws, we worked intensively with the development department and the security department to create an "application security policy". Now, using the policy, project managers know what security requirements they must meet at the programming level (for example, session management).
Customer Value: The penetration test demonstrated clearly how far the organization was from achieving even a moderate level of security and led to strategic documents in the form of policies. Both developers and security officers applaud the clarity that the policies bring, and they work better together now, given their common understanding.