[Case Study] - Enhancing Security Posture of a Product with Multiple Versions and Deployment Models

Background
ACME Inc., a data analytics company, offers a product with a high degree of customization. The product is designed with multi-tenant support, so it deploys cleanly in a cloud environment. To cater to the specific needs of its customers, ACME also offers the product under an on-premise deployment model, and it supports feature customization and custom feature development to meet the unique requirements of individual customers.

The customization ACME offers for its product helps it achieve a high level of customer retention. However, this flexibility comes at the cost of maintaining multiple versions and builds of the same product, and ACME faces significant challenges in maintaining the security posture of its deployments. When different customers run different build versions with different features and third-party integrations, it is difficult to ensure consistent security across the board.

Challenges Presented to Blueinfy

  1. Maintaining Security Posture: Ensuring the security of every version/deployment of the product given its nature and architecture (compounding the problem, there is no reliable documentation of which features are deployed where, something any product company would be expected to have).
  2. Vulnerability Management: Identifying and managing vulnerabilities in the core engine and specific build versions during secure code reviews because different versions have mutually exclusive features and use different third-party libraries.
  3. Customer Impact Identification: Identifying which customers are impacted by specific vulnerabilities and sharing patches/upgrades with them.
  4. Prioritizing Development Efforts: Determining the most vulnerable components and prioritizing the development team's efforts to fix higher-risk areas of the product.

Solution by Blueinfy

ACME Inc. engaged Blueinfy to address these challenges. Blueinfy implemented a comprehensive strategy leveraging its security expertise and advanced tools.

1.  Automated Code Scanning

  • Ran a Static Application Security Testing (SAST) tool to scan the code of each version of the product
  • Ran Software Composition Analysis (SCA) to scan third-party dependencies for security vulnerabilities

2.  Result Management and Comparison with Custom Automation Script

  • SAST tools traditionally manage and triage vulnerabilities of individual scans and some provide facilities to compare results of multiple scans
  • In this specific scenario, result comparison and analysis were required to be drilled down to the product’s specific version and source code component level
  • The Blueinfy team developed custom scripts to automate the process of running code scans, extracting results, managing version- and component-specific scan results, and aggregating scan results to generate pivotal metrics

3.  Unique Vulnerability Extraction and Risk Rating

  • Leveraging its security expertise and programming knowledge, the Blueinfy team automated the process of extracting unique vulnerabilities (the same finding reported across several versions counted once, with the list of versions in which it occurs)
  • Developed a system to risk-rate product versions based on the identified vulnerabilities and their number of occurrences, aiding in setting priorities

4.  Vulnerability Data Analysis

  • Performed data analysis to segregate vulnerabilities based on CVE/CWE, product components, libraries, and severity
  • Integrated the CISA Known Exploited Vulnerabilities (KEV) catalog with the data analysis script to identify product dependencies with known exploited vulnerabilities and prioritize dependency upgrades

5.  Statistical Metrics to Support Decision Making

  • Generated various metrics to showcase the most common vulnerabilities, product components with critical and high severity vulnerabilities, the most vulnerable dependencies, clients at risk because their product versions carry severe vulnerabilities, and more such pivotal metrics
  • Provided visual and data-driven insights to make decision-making easier for the ACME team
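As an added illustration of steps 2 through 5 above (not Blueinfy's or ACME's own scripts), the following Python sketch aggregates per-version SAST/SCA findings, extracts unique vulnerabilities, cross-checks dependency CVEs against a catalog shaped like the CISA KEV JSON feed, risk-rates each version, and maps a vulnerability back to the customers running the affected builds. All scan findings, the customer-to-version mapping, the severity weights, the KEV bonus, and the CVE identifiers (CVE-XXXX-nnnn placeholders) are constructed for the example; the real KEV feed is downloaded from cisa.gov and has the same top-level `vulnerabilities` list with a `cveID` per entry.

```python
"""Version-aware aggregation of SAST/SCA findings (added example, constructed data)."""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple

# Assumed scoring scheme: severity weight per finding, plus a bonus when an
# SCA finding's CVE appears in the Known Exploited Vulnerabilities catalog.
SEVERITY_WEIGHT = {"critical": 10, "high": 5, "medium": 2, "low": 1}
KEV_BONUS = 15


@dataclass(frozen=True)
class Finding:
    version: str     # product build the scan ran against
    component: str   # source module (SAST) or dependency name (SCA)
    kind: str        # "sast" or "sca"
    identifier: str  # CWE id for SAST findings, CVE id for SCA findings
    severity: str
    location: str    # file:line for SAST, package@version for SCA


# Constructed scan export: what a SAST/SCA tool would emit, flattened per version.
FINDINGS: List[Finding] = [
    Finding("v2.1-cloud", "auth", "sast", "CWE-89", "critical", "auth/login.py:42"),
    Finding("v2.1-cloud", "auth", "sast", "CWE-89", "critical", "auth/search.py:17"),
    Finding("v2.1-cloud", "report", "sast", "CWE-79", "high", "report/render.py:88"),
    Finding("v2.1-cloud", "libxml", "sca", "CVE-XXXX-0001", "high", "libxml@1.2.0"),
    Finding("v2.1-onprem", "auth", "sast", "CWE-89", "critical", "auth/login.py:42"),
    Finding("v2.1-onprem", "ldap", "sast", "CWE-90", "high", "ldap/bind.py:10"),
    Finding("v2.1-onprem", "libxml", "sca", "CVE-XXXX-0001", "high", "libxml@1.2.0"),
    Finding("v2.1-onprem", "oldjson", "sca", "CVE-XXXX-0002", "medium", "oldjson@0.9"),
    Finding("v1.9-onprem", "report", "sast", "CWE-79", "high", "report/render.py:88"),
    Finding("v1.9-onprem", "oldjson", "sca", "CVE-XXXX-0002", "medium", "oldjson@0.9"),
]

# Constructed catalog in the shape of the CISA KEV JSON feed; placeholder CVE id.
KEV_CATALOG = {"vulnerabilities": [{"cveID": "CVE-XXXX-0002", "vendorProject": "example"}]}

# Constructed mapping of which customer runs which build.
CUSTOMERS: Dict[str, List[str]] = {
    "v2.1-cloud": ["tenant-a", "tenant-b"],
    "v2.1-onprem": ["cust-x"],
    "v1.9-onprem": ["cust-y"],
}


def kev_ids(catalog: dict) -> Set[str]:
    """Extract the set of CVE ids from a KEV-shaped catalog."""
    return {entry["cveID"] for entry in catalog.get("vulnerabilities", [])}


def unique_vulnerabilities(findings: List[Finding]) -> Dict[Tuple[str, str, str], List[str]]:
    """Collapse per-version findings to unique (component, identifier, location)
    keys, each listing the versions in which that one defect occurs."""
    uniq: Dict[Tuple[str, str, str], Set[str]] = defaultdict(set)
    for f in findings:
        uniq[(f.component, f.identifier, f.location)].add(f.version)
    return {key: sorted(versions) for key, versions in uniq.items()}


def risk_score(findings: List[Finding], version: str, kev: Set[str]) -> int:
    """Weighted count of findings for one version; KEV-listed CVEs weigh extra."""
    score = 0
    for f in findings:
        if f.version != version:
            continue
        score += SEVERITY_WEIGHT[f.severity]
        if f.kind == "sca" and f.identifier in kev:
            score += KEV_BONUS
    return score


def rank_versions(findings: List[Finding], kev: Set[str]) -> List[Tuple[str, int]]:
    """Versions ordered from highest to lowest risk score."""
    versions = sorted({f.version for f in findings})
    return sorted(((v, risk_score(findings, v, kev)) for v in versions),
                  key=lambda pair: (-pair[1], pair[0]))


def hot_components(findings: List[Finding]) -> List[Tuple[str, int]]:
    """Components ranked by number of critical/high findings across all versions."""
    counts: Dict[str, int] = defaultdict(int)
    for f in findings:
        if f.severity in ("critical", "high"):
            counts[f.component] += 1
    return sorted(counts.items(), key=lambda pair: (-pair[1], pair[0]))


def impacted_customers(findings: List[Finding], identifier: str,
                       customers: Dict[str, List[str]]) -> List[str]:
    """Customers whose deployed version carries the given CWE/CVE identifier."""
    versions = {f.version for f in findings if f.identifier == identifier}
    return sorted({c for v in versions for c in customers.get(v, [])})


if __name__ == "__main__":
    kev = kev_ids(KEV_CATALOG)
    print("unique vulnerabilities:", len(unique_vulnerabilities(FINDINGS)), "of", len(FINDINGS))
    print("version risk ranking:", rank_versions(FINDINGS, kev))
    print("hot components:", hot_components(FINDINGS))
    for cve in sorted(kev):
        print(cve, "impacts customers", impacted_customers(FINDINGS, cve, CUSTOMERS))
```

The same flow scales to real exports by replacing `FINDINGS` with a loader for the scanner's JSON or SARIF output and `KEV_CATALOG` with the downloaded feed; the dedup key deliberately includes location so that the same CWE at two code sites is counted as two defects, while the same defect seen in three builds is counted once with three affected versions.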

Impact and Results

The comprehensive approach adopted by Blueinfy yielded significant results for ACME Inc.:

  1. Risk Rating and Strategic Decisions: The company was able to risk-rate its product versions effectively. This risk rating facilitated strategic decisions regarding time and cost investment across different product versions.
  2. Focused Development Efforts: By identifying the most vulnerable components and prioritizing them, the ACME team could allocate development resources more effectively, addressing higher-risk areas promptly.
  3. Enhanced Security Posture: Improved the identification and management of vulnerabilities, enhancing the overall security posture of all product versions.
  4. Improved Customer Impact Management: With a clearer understanding of which customers were impacted by specific vulnerabilities, ACME was able to share patches and upgrades more efficiently, leading to increased customer trust and satisfaction.

The engagement with Blueinfy enabled ACME Inc. to overcome significant challenges in maintaining the security posture of its product. The automated processes, comprehensive analysis, and strategic insights provided by Blueinfy not only improved security management but also facilitated better decision-making and resource allocation. This case study highlights the importance of hands-on experience with advanced tools, and of security expertise, in managing security for product environments with multiple versions.

Article by Maunik Shah & Hemil Shah