[Case Study] Building and Running an effective Application Security Program for a global biotechnology company

Client Overview
ACME is a global biotechnology company committed to strengthening their internal IT and application security program. They partnered with Blueinfy to develop and implement a robust application security strategy that integrates seamlessly into their development lifecycle. 

Partnership with Blueinfy

Team Structure
Technical SME - Application Security

  • Technical Point of contact for Application Security & Web Penetration Testing.
  • Technical support in end to end application security life cycle management.
  • Identify and drive continuous process improvements across security programs and services.
  • Resolve roadblocks through driving trade-off decisions to move work forward.
  • Provide strategic direction and subject matter expertise for wide adoption of DevSecOps automation.
  • Develop and promote best practices for DevSecOps and secure CI/CD.
  • Stay up-to-date on new security tools & techniques, and act as driver of innovation and process maturity.
  • Perform threat modelling and design reviews to assess security implications of new code deployments.

Manager - Application Security

  • Administrative Point of contact for Application Security & Web Penetration Testing
  • Accountable and responsible for overflow responsibilities from senior security leadership
  • Identify and drive continuous process improvements across security programs and services
  • Resolve roadblocks through driving trade-off decisions to move work forward
  • Deliver correct security results to the business units
  • Tracking, monitoring and influencing priority of significant application security objectives and plans
  • Provide strategic direction and subject matter expertise for wide adoption of DevSecOps automation.
  • Develop and promote best practices for DevSecOps and secure CI/CD.

Actions Taken

  • The Blueinfy team actively engaged with the development team, attending sprint cycle calls to understand their workflow and challenges.
  • Created documentation and collaborated with management to integrate application security into the development cycle, ensuring security was an integral part of the process rather than a hindrance.
  • Proposed a process for penetration testing and code review where discovered vulnerabilities were mapped directly to the code, facilitating clear remediation actions for developers. This approach led to a smooth buy-in from the development team, resulting in applications being deployed with no critical or high-risk vulnerabilities.

SAST Implementation
SAST SME

  • Work as SAST SME
  • Develop and implement SAST strategies and methodologies tailored to Genmab's needs.
  • Lead the selection, implementation, and customization of SAST tools and technologies.
  • Conduct thorough static code analysis to identify security vulnerabilities, coding flaws, and quality issues.
  • Collaborate with development teams to integrate SAST into CI/CD pipelines and development processes.
  • Provide guidance and support to developers on secure coding practices and remediation of identified issues.
  • Perform code reviews and audits to ensure compliance with security policies, standards, and regulatory requirements.
  • Stay updated on emerging threats, vulnerabilities, and industry trends related to application security.
  • Create and maintain documentation, including SAST procedures, guidelines, and best practices.
  • Work closely with cross-functional teams, including security, engineering, and IT operations, to drive security initiatives and improvements.
  • Act as a trusted advisor to management and stakeholders on SAST-related matters.

SAST Tool Selection

  • A comprehensive list of requirements was created and shared with stakeholders, including development and infrastructure teams.
  • Evaluated SAST products based on required features, scoring each product to determine the best fit.
  • Selected and purchased the most suitable SAST tool based on evaluation results.
  • Integrated the tool into the CI/CD pipeline, ensuring early detection of vulnerabilities and removal of false positives.

Outcome
With the comprehensive application security program, including SAST, penetration testing, and code reviews, ACME successfully secured all their applications before they went into production. This proactive approach ensured that vulnerabilities were addressed early in the development cycle, enhancing the overall security posture of ACME's applications.

Article by Hemil Shah