Background
ACME is a prominent player in the Customer Relationship Management (CRM) industry, renowned for its robust cloud-based platform. This platform is equipped with a variety of built-in features, including leads, orders, contacts, accounts, and user management capabilities. Designed to meet diverse customer needs, ACME’s platform allows users and vendors to extend functionalities through a proprietary programming language. This flexibility enables the development of custom solutions that can be deployed on ACME's Marketplace, fostering innovation and user engagement.
However, the very features that provide flexibility and customization also introduce significant security vulnerabilities. As applications developed on the platform operate within the same environment as built-in features, insecure applications can jeopardize the entire system, exposing users to various risks and potentially damaging ACME's reputation. Thus, it becomes extremely important for the ACME to protect their platform itself as well as the data of users whenever users use the Marketplace apps developed by a third party.
Challenges
Security Risks: The ability for users and vendors to create custom applications raised concerns about the security of these applications, as vulnerabilities could be exploited to compromise the entire platform.
Inefficient Security Review Process: The existing security review process was time-consuming, particularly due to the limited coverage of automated Static Application Security Testing (SAST) scanners for the custom programming language used on the platform.
Manual Review Limitations: Conducting thorough manual reviews was essential but resource-intensive, leading to delays in application deployment.
Solutions
To address these challenges, ACME partnered with Blueinfy to develop a comprehensive security review strategy. The approach included several key components:
Tailored Security Review Process: Blueinfy's experts conducted an in-depth analysis of ACME's platform, focusing on its built-in features and the unique programming language.
Checklist and Automation: A checklist of insecure coding practices was created, specifically tailored to the platform's programming language. Blueinfy developed specialized utilities to detect insecure coding patterns within the applications, enhancing the efficiency of the review process. This checklist and utilities served as a foundational tool for identifying vulnerabilities in custom code.
Focused Manual Code Reviews: The team performed manual code reviews, concentrating on the identified insecure patterns, while also addressing false positives and negatives to ensure accuracy.
Blackbox Testing: External endpoints were identified from the code, and manual blackbox testing was conducted on these endpoints to further validate security.
Outcome
The implementation of this systematic security review process yielded significant improvements for ACME:
Enhanced Security: The comprehensive review process allowed for the early identification of vulnerabilities, thereby strengthening the overall security of the platform and its applications.
Reduced Review Time: By streamlining the security review process, ACME was able to validate applications more efficiently, significantly reducing the time required for comprehensive security assessments.
Conclusion
By implementing these strategies, ACME not only fortified its platform against potential threats but also established a model for ongoing security improvement in the rapidly evolving landscape of cloud-based applications.
Article by Amish Shah