Cyber Security Obligations for Applications & Security Compliance

App Bits & Bytes

Applications may be web, static, mobile, wearable or standalone, and may operate in a centralized, peer-to-peer or distributed fashion.

From a cyber security perspective, the fundamental preventive initiative against security threats is to build secure web applications, mobile, wearable and static applications, applets, APIs and AI bots from the earliest stage of development for the IoT digital community. Poor software, application and coding practices, non-compliance with frameworks and standards, and the absence of cyber security awareness activities are the major causes of confidentiality breaches. Weak encryption, hashing and algorithms, together with poor protection of information handling, lead to integrity breaches. Lack of AI, analytic tools, automated bots and human analysis invites advanced persistent attacks.

Web App Security Fundamentals

As a rule of thumb, most zero-day vulnerabilities are exposed to persistent, exploitable attacks, multiplying security risks and posing grave concerns for any organization. Identifying fundamental architectural flaws during the requirements gathering and analysis, design and development phases of the application development lifecycle must be a logical part of the security developer community's work.

OWASP compliance testing is desirable throughout the software development lifecycle or the agile methodology adopted for secure application or software development. The OWASP test framework is adopted within the SDLC or agile methodology; for instance, the OWASP methodology is adopted to mature a product by boosting its immunity to cyber security risks. The OWASP framework can be used frequently to mitigate zero-day vulnerabilities.

OWASP tooling and human testing talent are combined during malware re-engineering, which requires digital lab forensic analysis; Rigo's digital lab team works together to dissect the malware's anatomy, coding discipline, symptoms, incubation period, communication strategy and mutation tactics. Mismanaging these advanced persistent wild threats and their characteristics at an early stage leaves application flaws open to exploitation that fuels ferocious cyber-attacks.

Rigo engages its Red Team for both automated and intensive manual testing to gauge security vulnerabilities, with a "no second chance" strategy for any potential security risk in the first place. Rigo's unique manual testing process for web, mobile and standalone applications is world class, performed by sophisticated white-hat hackers and bug bounty hunters.

For instance, in some cases application owners are charged $$$$$ for each zero-day bug. There, Rigo's hackers meet hackers from the other side in a contest that demonstrates world-class hacking capability for a legal or good cause.

Rigo's cyber strategy categorizes secure applications as in-house developed, customized or acquired. In-house software development can undergo intensive code verification, validation and certification prior to release under the EULA. Releases, patches and fixes are an evolutionary part of the in-house development team's work.

Customized applications can be subject to functional tests, and testing of some parts of the code is mandatory, with both in-house and vendor developers engaged in the security test.

For acquired commercial software or applications, only features and functions are subject to testing; mostly users, external pen-testers and providers converge for both beta and user acceptance testing.

Maintenance hooks and backdoors, code defects and soft targets exist across all four tiers (web, application, database and storage) of computer systems and infrastructure architecture. Generic security testing is performed over product development and its transformation, mainly focusing on soft tests that cover the BIOS, flash drives, HDDs, external drives, backup drives, storage devices, covert channels, code, hardware resources (CPU, memory) and IoT equipment. Testing proceeds from end-user applications and devices to on-premise infrastructure and then up to the cloud.

Security Concerns Throughout Applications Life-cycle

  • Security concerns during the application requirements collection and analysis phase.
  • JAD and RAD security-concern sessions for application development.
  • Application testing for security flaws during the design phase.
  • Application testing during the development or coding phase for security-bypassing if-else checks.
  • Authentic code analysis or vulnerability assessment performed constantly.
  • Application security testing during the implementation phase converges both automated and manual security testing procedures, mostly focusing on stress tests, TCP flooding, DDoS, MITM attacks, authentication and authorization bypass, SQL injection, CRF, CRX, and data integrity testing.
  • Optionally, on request, Rigo performs resource-specific stress and aggressive tests such as memory starvation, CPU oversubscription and resource-constraint analysis to optimize application maturity and uncover covert channels.
  • Application 360-degree performance testing as black-box, white-box and grey-box tests. Three different groups at Rigo Technology are involved in the three kinds of test: 1) the Rigo tester involved during the design test is not part of this test, as he/she is aware of all the build details (white-box test); 2) those design details are not disclosed until the black-box test has been completed by a second group (black-box test); 3) at a later stage, both teams are fused to analyse the test results and share their interests, ideas and experiences to make the product more tamper-proof and secure during beta testing (grey-box test).
  • As part of user acceptance testing, Rigo observes security risks while the product is deployed on the client's infrastructure and systems, then offers continued security as a managed services contract, along with a SOC if needed. Both on-premise and cloud solutions are provided.
  • Social engineering tactics are also used to test systems and IMS (Identity Management Systems) during the course of security awareness training.
  • Due diligence regarding global jurisdictions and legal practice for information handling, incorporated within the application development program and testing, prevents legal fines and felony charges across global jurisdictions.

Security Compliance for Applications

Security Compliance HIPAA

PHI (Personal Health Information) and medical information protection, and its integrity, are critical and equally significant for both providers and patients. Cyber criminals' preying eyes on this low-hanging fruit made headlines of PHI data breaches throughout 2016 and continuing into early 2017. PHI data management, secure access, storage and manipulation require strong security measures. For instance, any wearable, mobile or static application used for PHI access and handling must be secure, and applications built for this purpose must comply with the HIPAA act.

Security Compliance SOX

Public companies and private finance and accounting firms must comply with SOX bylaws and regulations to maintain the integrity, accuracy and security of finance-related data and information management and handling. SOX-compliant software or applications, systems, and the management of user and application logs and events for audit purposes are part of SOX regulations. Other IT monitoring tools and technologies integrated or embedded into applications used to add, delete or modify finance-related data must fully comply with SOX.

Security Compliance FISMA

The Federal Information Security Management Act (FISMA) instructs all government entities, organizations and contractors to protect confidential government data from any kind of security attack or breach. Anybody handling government data must comply with the FISMA act and deploy, maintain and monitor high-level security measures. For instance, any FISMA-compliant application must be subject to annual audit and risk management measures, and applications used for report handling, extraction and sharing of information must provide strong security methods. Procedures and guidelines for auditing and accounting, certification, accreditation, security or risk assessment, contingency planning, access control, identification management, and configuration and change management must be defined and followed at all times.

Security Compliance ISO 27001

The International Standards Organization's ISO 27001 defines world-class security standards to secure information, data, assets, users and the workplace from cyber threats. For instance, to protect SPI (Sensitive Private Information), IP, PII, financial information and customer information, every organization must enforce an information security policy and procedures to reduce the potential cyber risks of data theft, breach and hijacking. Applications used to handle or process this SPI must comply with ISO 27001.

Security Compliance PCI-DSS

The Payment Card Industry Data Security Standard was developed by a consortium of credit card providers and applies to credit card and online business transactions worldwide. All credit card or debit card data, transactions and PII must be secured end-to-end. For instance, applications used for credit card transactions must adopt the PCI-defined standards to comply during digital commercial transactions.

Security Compliance GLBA

The Gramm-Leach-Bliley Act (GLBA) defines regulations to protect financial data across financial institutions, along with non-public personal information (pure financial business information). Concisely, a security management and maintenance process must exist to protect against unauthorized data access, identity management and control failures, disclosure, data manipulation or interference with customers' sensitive records or information. For instance, an application designed or used must comply in that authentication records, logs, events, data flows and records of any incidents are required to be documented and treated as historical data for review.

Security Compliance GDPR

The EU commission enforces the General Data Protection Regulation across all European nations, including Britain. Canada can also share global personal data with the EU; however, GDPR does not allow sharing EU data with the US. The US still adopts and expands the Privacy Act of 1974 for the cyber community. APAC regions also have individual privacy acts to be considered, for example Australia. For instance, while developing applications and their features, these laws must be considered and the application must fully comply with global jurisdictions. An application designed for the US must not be used in the EU for data sharing, extraction or any other purpose unless licensed or compliant with the EU GDPR act.

Bip Khanal
