[Case Study] Expanding Application Security Services through Strategic Partnership

Background
ACME, a leading application security provider, has established itself as a trusted name in the industry through its proprietary scanner and manual penetration testing services. With a majority of its business derived from its advanced scanner, ACME offers its customers a comprehensive application that provides seamless access to security testing results. The platform also enables pentesters to upload their findings manually or in XML/JSON format, ensuring flexibility and convenience for its users.

Challenges
As ACME continued to grow, the demand for on-demand manual penetration testing services increased significantly. Despite the efficiency of its scanner, ACME faced challenges in scaling its manual pen-testing services to meet the needs of its expanding customer base. To maintain its reputation for delivering high-quality, reliable results, ACME needed to ensure that its manual testing services could keep pace with the growing demand without compromising on quality.

Solution
To address this challenge, ACME reached out to Blueinfy, a firm known for delivering cutting-edge penetration testing services with exceptional accuracy. ACME sought to partner with Blueinfy to provide application penetration testing services to its customers, allowing ACME to scale effortlessly and ensure the availability of a skilled on-demand testing team when needed.

Implementation
ACME began sub-contracting its manual penetration testing work to Blueinfy, leveraging Blueinfy's expertise to enhance its service offerings. Recognizing the need for seamless integration between the two companies, Blueinfy developed a specialized tool that converts Word reports into XML/JSON formats, enabling ACME to easily import results into its application. This tool not only streamlined the reporting process but also ensured that ACME's customers continued to receive consistent, high-quality results.

In addition to delivering accurate and detailed penetration testing reports, Blueinfy provided comprehensive support to ACME's customers. This included walkthrough calls to understand the application, as well as report readout sessions to ensure a thorough understanding of the results. Blueinfy's commitment to customer support further solidified the partnership, enhancing ACME's reputation for delivering exceptional service.

Results
The partnership between ACME and Blueinfy proved to be a resounding success. By outsourcing its manual penetration testing services to Blueinfy, ACME was able to expand its service offerings to existing customers while also attracting new business. The collaboration allowed ACME to scale its operations with ease, ensuring that it could meet the growing demand for high-quality manual testing services without compromising on the accuracy and reliability of its results.

Conclusion
The strategic partnership with Blueinfy enabled ACME to enhance its application security services, providing its customers with a comprehensive solution that combined the efficiency of its scanner with the precision of manual penetration testing. Blueinfy's expertise and commitment to quality played a pivotal role in ACME's success, allowing the company to expand its market presence and solidify its position as a leader in the application security industry.

Article by Hemil Shah

[Case Study] Enhancing Security for a Data Analytics SaaS Company

Client Overview
A data analytics SaaS company specializing in complex features such as data collectors, transformers, and multiple cloud integrations faced significant challenges in ensuring the security of its platform. The intricate nature of their system, combined with the need for a proper test environment and thorough understanding of the system, made security reviews particularly difficult.

Challenges

  • The platform included numerous data collectors and transformers, each requiring specific configurations and deep system knowledge to test effectively.
  • Multiple cloud environments needed to be set up accurately to mimic the production environment.
  • A lack of proper testing setups led to incomplete security reviews, making it difficult to identify and address potential vulnerabilities.
  • Automated scanners were insufficient to handle the platform’s complex workflows, often missing critical issues or generating false positives.
Blueinfy's Approach
Blueinfy was engaged to perform a thorough security review, leveraging its expertise in complex system testing. The approach included:

1. Documentation Review
Blueinfy began by meticulously reviewing the platform's documentation to gain a comprehensive understanding of the system’s architecture and features.
2. Cloud-Based Test Environments
The team set up cloud-based test environments that mirrored the production setup, ensuring accurate and relevant testing conditions.
3. Data Sets Loading and Configuration
Blueinfy loaded various data sets into the system and configured multiple data flows to simulate real-world usage, testing how the platform handled different scenarios.
4. Running Collectors and Engines
Various data collectors and engines were run to test the robustness and security of each feature, checking for potential vulnerabilities in the data flow and processing mechanisms.
5. Black-Box Penetration Testing
Blueinfy conducted black-box penetration testing on each feature, focusing on finding hidden vulnerabilities that could be exploited by attackers. The testing was designed to mimic potential attack vectors without prior knowledge of the internal workings of the system.
Results
The engagement led to the discovery of several critical and high-risk vulnerabilities that were previously undetected by automated scanners. Blueinfy provided a comprehensive report detailing these findings, along with actionable recommendations for remediation.

Comprehensive Report
The final report included a detailed analysis of the vulnerabilities, their potential impact, and step-by-step recommendations for fixing them.

Successful Remediation
The client implemented the recommended fixes, significantly enhancing the security of their platform.

Client Satisfaction
The company was highly satisfied with Blueinfy’s testing methodology, particularly noting that it outperformed automated scanners in dealing with the platform’s complex workflows.

Conclusion
Blueinfy’s thorough and methodical approach to security testing enabled the data analytics SaaS company to identify and remediate vulnerabilities that could have posed significant risks to their platform. The success of this engagement highlights Blueinfy’s capability to handle complex systems and provide tailored security solutions that go beyond standard automated testing tools.

Article by Amish Shah

[Case Study] Running and enhancing Application Security Program for an investment company

Company Overview
ACME is a prominent investment company with a diverse portfolio, spanning three major business lines and over 50 brands. The company sought to implement a robust global application security program to safeguard its digital assets and enhance its overall security posture.

Existing Security Program
ACME’s existing application security framework included:

  • Regular application penetration testing conducted by external vendors.
  • A program intended to manage and respond to reported vulnerabilities.

Despite these measures, ACME faced significant challenges:

  • The average time to resolve critical or high-risk vulnerabilities was 98 days.
  • The internal Application Security (AppSec) team consisted of only two members, one of whom left during the assessment period.

Challenges Identified
1. Inadequate Application Pen-Testing Quality
The external vendor’s application pen testing amounted to little more than Dynamic Application Security Testing (DAST) scans, which did not even manage false positives effectively, compromising the integrity of the pen-testing results. Unsurprisingly, this led to push back from the brands.

2. VDP Scope Issues
The Vulnerability Disclosure Program (VDP) had inaccuracies in its domain list, and not all domains were included, resulting in incomplete vulnerability coverage.

3. Communication Gaps
There was a lack of clear communication and follow-ups with Business Units (BUs), leading to delayed responses and unresolved vulnerabilities.

4. Absence of Management Reporting
ACME management did not receive comprehensive management reports, affecting the visibility of security issues and progress.

5. Incomplete Pen-Test Scope
The scope of pen-tests was sometimes incomplete, with certain domains omitted from the assessment.

Taken together, these gaps show that the application security program was in poor shape.

Strategic Approach by Blueinfy

To address these issues, Blueinfy was brought in to revamp ACME’s application security program with a strategic and multi-faceted approach:

1. Building Stronger BU Relationships

  • Blueinfy established direct communication channels with BUs to ensure that critical and high-risk vulnerabilities were addressed promptly.
  • Implemented a structured process to enforce vulnerability fixes, leading to a remarkable reduction in resolution times from 98 days to just 4 days within the first year.

2. Enhancing Pen-Test Quality

  • Worked closely with the existing vendor to improve the quality and accuracy of pen-test results. This included refining the DAST scanning process and ensuring effective management of false positives.

3. Refining VDP Scope

  • Corrected inaccuracies in the VDP domain list to ensure complete coverage of all relevant domains.
  • Updated the VDP program to include all necessary domains, enhancing vulnerability management.

4. Improving Communication and Documentation

  • Created comprehensive documentation, including policies and FAQs, to provide BUs with clear instructions and improve communication.
  • Implemented a robust follow-up mechanism to ensure timely resolution of vulnerabilities and effective coordination with BUs.

5. Scope Verification

  • Worked with BUs to confirm and refine the scope of pen-tests, ensuring that all relevant domains were included in the assessments.
Results Achieved
Significant Reduction in Resolution Time
The time to fix critical and high-risk vulnerabilities was reduced from 98 days to 4 days within the first year, demonstrating a substantial improvement in response efficiency.

Enhanced Pen-Test Quality
Improved the accuracy and reliability of pen-test results through better management of false positives and refined testing processes.

Complete VDP Coverage
Achieved accurate and comprehensive domain coverage in the VDP program, leading to more effective vulnerability management.

Better Communication and Documentation
Established clear guidelines and improved communication with BUs, facilitating faster resolution of security issues.

Scope Accuracy
Ensured that pen-test scopes were complete and accurate, covering all relevant domains.

Program Enhancement in the Second Year

To further advance ACME’s application security program, Blueinfy implemented the following measures:

1. Pen-Testing

  • Blueinfy took over the pen-testing process, leveraging its own expertise to deliver higher quality and more accurate results.

2. Quarterly DAST Scans

  • Established a quarterly DAST scanning program, including false positive removal, to ensure ongoing security assessment.
3. Risk-Based Approach to Save Cost

  • Implemented a risk-based approach, where high-risk applications were prioritized for pen-testing, and medium/low-risk applications were scanned using DAST.
  • Optimized resource allocation by focusing efforts on high-risk areas and utilizing automated scans for less critical assets.
4. Management Dashboard

  • Collaborated with ACME’s development team to create a management dashboard using Google Objects, providing better visibility and reporting on application security metrics.
5. On-Demand SAST Program

  • Implemented a Static Application Security Testing (SAST) program for on-demand code scanning, enhancing the ability to detect and address security issues early in the development process.
Conclusion

Through a combination of strategic improvements and tactical execution, Blueinfy successfully enhanced ACME’s global application security program. The comprehensive approach led to substantial reductions in vulnerability resolution times, improved quality of pen-testing and scanning, and better overall management of application security. The ongoing program enhancements have positioned ACME to effectively manage its security posture and respond proactively to emerging threats, ensuring a robust defense against potential vulnerabilities.

Article by Hemil Shah