Use Case for Cyber Security for Health and Finance Domain
Cyber security and information security are integral for businesses to ensure reliable client deliveries and user satisfaction. With a growing number of businesses investing in digital technology and adopting a digital-first mindset, the risk of a cyber breach is increasing. We at IVL ensure that our deliveries are free from vulnerabilities that might lead to cyber risk.
We connected with Vishal Doiphode, the cyber security and information security expert for our projects. He is responsible for ensuring that both in-house projects and client deliveries are free of vulnerabilities that might act as a gateway for attackers. He is working on ongoing projects from different industry domains, namely education-nutrition and finance. During our interaction, we learned about his process, challenges, solutions and milestones, and about the impact of the lockdown on his work.
Unlike other testing assignments, where a specific module is in scope, here the checks cover the overall product or solution. The task starts with understanding every module of the product: backend technology, front-end technology, hosting, data storage and data handling. The age of the existing system and infrastructure also matters for understanding the transformation journey. Testing is followed by sharing the reports with the developers and guiding them on fixing the bugs.
The types of testing include SAST (Static Application Security Testing), DAST (Dynamic Application Security Testing) and VAPT (Vulnerability Assessment and Penetration Testing). Complete footprinting of the application involves a gap assessment, passive scanning, active scanning, tool-based scans and sharing of reports in standard formats, with findings mapped against the OWASP Top 10, among other checks.
Static application security testing analyses the source code to find security vulnerabilities and is also known as white-box testing; running it throughout the development cycle is part of a secure SDLC. Dynamic testing complements it: the Burp Suite tool scans the running application in a production-like environment, followed by rigorous manual testing. Holistic testing covers both the application side and the server side; just as on the application side, vulnerabilities in the server can act as an entry point for attackers. In-depth manual testing of the overall application, including testing of redirections and hyperlinks (for example for open redirects and links to untrusted targets), helps ensure that no gaps are left.
Creation of Reports
Report creation is a detailed process that covers every activity of the project and gives a synopsis of the overall testing performed. The report lists the system and web application vulnerabilities found. Each vulnerability's severity is rated against pre-set criteria and categorised as Critical, High, Medium or Low, and the overall severity distribution is presented using the standard colour coding.
The report also recommends the actions that the developers can take to resolve each issue. Each finding carries a POC (proof of concept) showing how it was reproduced, acknowledged by the owners, so that there are no disputes later. The report, with its summary of vulnerabilities and their criticality levels, is shared with the concerned SPOC. Once the SPOC confirms that a vulnerability has been resolved, a re-test is done to confirm the fix. In some cases an issue is exempted from resolution; such exemptions are recorded for future action.
With development continually ongoing, the checks need to be streamlined. The testing process runs in two cycles: the initial assessment and the re-test after fixes. Testing is rigorous and is done while development is on stand-by, so that the code under test does not change mid-assessment.
Eight vulnerabilities of medium and low severity were found for our client from the education domain, and 15 vulnerabilities for our client from the finance domain.
Here is a synopsis of the vulnerabilities for our projects in the various domains:
For the education-nutrition client (chart not reproduced)
For the client from the finance domain (chart not reproduced)
Before the developed code can finally be deployed, sign-off from the security team is mandatory. Change management enforces this: code deployment is blocked unless a "no vulnerability" certificate has been issued. Cyber security threats are a serious concern for businesses and need to be addressed across all platforms.
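The report workflow described above (severity rating against pre-set criteria, colour-coded distribution, re-test after the SPOC confirms a fix, recorded exemptions) and the deployment gate that withholds the "no vulnerability" certificate can be expressed as one small tracker. The following Python is an added example written for this page; it is not IVL's tooling. It assumes severity is derived from CVSS v3.x base scores using the standard bands, a conventional red/orange/yellow colour scheme, and constructed sample findings (identifiers `VAPT-01` to `VAPT-03` are made up for illustration).

```python
"""Findings tracker for a VAPT report plus the deployment gate (added example)."""
from collections import Counter
from dataclasses import dataclass, field

# Pre-set severity criteria: CVSS v3.x base-score bands (assumed here; the
# page does not say which criteria are used).
SEVERITY_BANDS = (("Critical", 9.0), ("High", 7.0), ("Medium", 4.0), ("Low", 0.1))

# Colour coding for the severity distribution chart (assumed scheme).
SEVERITY_COLOURS = {"Critical": "#8B0000", "High": "#E53935",
                    "Medium": "#FB8C00", "Low": "#FDD835"}

# Lifecycle: open -> fixed (developer/SPOC claims a fix) -> verified (re-test
# passed).  A failed re-test sends the finding back to open.  "exempted" is a
# recorded, justified decision not to fix now.
VALID_TRANSITIONS = {
    "open": {"fixed", "exempted"},
    "fixed": {"verified", "open"},
    "verified": set(),
    "exempted": {"open"},
}


def classify(cvss: float) -> str:
    """Map a CVSS base score to Critical/High/Medium/Low."""
    if not 0.0 <= cvss <= 10.0:
        raise ValueError(f"CVSS score out of range: {cvss}")
    for name, floor in SEVERITY_BANDS:
        if cvss >= floor:
            return name
    return "None"


@dataclass
class Finding:
    ident: str
    title: str
    cvss: float
    status: str = "open"
    exemption_reason: str = ""
    history: list = field(default_factory=list)  # (from, to, note) audit trail

    @property
    def severity(self) -> str:
        return classify(self.cvss)

    def transition(self, new_status: str, note: str = "") -> None:
        """Move along the lifecycle; an exemption must carry a recorded reason."""
        if new_status not in VALID_TRANSITIONS[self.status]:
            raise ValueError(f"{self.ident}: cannot go from {self.status} to {new_status}")
        if new_status == "exempted" and not note.strip():
            raise ValueError(f"{self.ident}: an exemption needs a recorded reason")
        self.history.append((self.status, new_status, note))
        if new_status == "exempted":
            self.exemption_reason = note
        self.status = new_status


def retest(finding: Finding, still_reproducible: bool) -> None:
    """Re-test after the SPOC confirms a fix: verify it or reopen it."""
    if still_reproducible:
        finding.transition("open", "re-test: still reproducible")
    else:
        finding.transition("verified", "re-test: fix confirmed")


def severity_distribution(findings) -> dict:
    """Counts per severity, in Critical..Low order, with their chart colour."""
    counts = Counter(f.severity for f in findings)
    return {name: {"count": counts.get(name, 0), "colour": SEVERITY_COLOURS[name]}
            for name, _ in SEVERITY_BANDS}


def certificate_blockers(findings) -> list:
    """Reasons the 'no vulnerability' certificate cannot be issued yet.

    Every finding must be verified by re-test or carry a recorded exemption;
    an unverified 'fixed' claim is not enough.  Empty list == gate may open.
    """
    blockers = []
    for f in findings:
        if f.status in ("open", "fixed"):
            blockers.append(f"{f.ident} ({f.severity}) is {f.status}, not verified by re-test")
        elif f.status == "exempted" and not f.exemption_reason:
            blockers.append(f"{f.ident} is exempted without a recorded reason")
    return blockers


def demo():
    """Constructed sample findings; not from any real engagement."""
    findings = [
        Finding("VAPT-01", "SQL injection in login form", 9.8),
        Finding("VAPT-02", "Open redirect on logout 'next' parameter", 6.1),
        Finding("VAPT-03", "Verbose server version banner", 3.1),
    ]
    findings[0].transition("fixed", "parameterised the query")
    retest(findings[0], still_reproducible=False)   # -> verified
    findings[1].transition("fixed", "added allow-list for redirect targets")
    retest(findings[1], still_reproducible=True)    # bypassed on re-test -> open
    findings[2].transition("exempted", "risk accepted by product owner until next release")
    return findings


if __name__ == "__main__":
    fs = demo()
    print(severity_distribution(fs))
    for blocker in certificate_blockers(fs):
        print("DEPLOYMENT BLOCKED:", blocker)
```

Wiring `certificate_blockers` into the CI pipeline (failing the deploy job when the list is non-empty) is what turns the "no vulnerability" certificate into an enforced change-management control rather than a document; the `history` list on each finding is the record that lets the SPOC conversation and any exemption be audited later.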