VioPoint, an information security consulting firm, was retained to help a leading Michigan-based investment management firm incorporate security into the development and testing of its new website and web applications. For over 25 years this investment firm, managing over $12 billion in assets, has been servicing a diverse set of clients including corporations, public and private pension fund sponsors, universities, insurance companies, and individual investors invested in separate accounts, retirement plans, and mutual funds. Known for their strong client relationships and superior levels of service, this investment firm offers a stable, experienced investment team and a disciplined investment philosophy.
As with many investment firms, the website serves as a central access point to assist clients with accessing their accounts and managing financial transactions. Protecting confidential client information is a critical concern and necessary to preserve trust as well as the investment firm’s reputation. For this reason, VioPoint delivered security guidance services and testing that would integrate security into the Systems Development Lifecycle (SDLC) of the redesign. The purpose of the project was to ensure the website and its functions were secured to protect the confidentiality, integrity and availability of customer data. Specifically, VioPoint and the investment management firm would ensure that the third-party developers adhered to secure SDLC development principles.
What were some of the drivers that led to this project?
“The goal of this project was to create a polished website,” said J. Wolfgang Goerlich, Information Security Manager of the Michigan-based investment firm. “As the public face of our firm and our brand, our firm’s website is often the first impression prospective clients have. Furthermore, our business is based on strengthening ongoing relationships. The website is the platform on which we maintain and build our connection with existing clients. Now as the website has gained in importance, it has also grown as a target. Hacktivists have been taking aim at vulnerable computer systems all over, particularly in the financial services industry. It was paramount that we not only build a beautifully functional website, but also a hardened website that would deflect attackers,” commented Goerlich.
The SDLC process is a series of steps or phases that provide a model for the development and lifecycle management of an application or piece of software. Its purpose is to provide Information Technology (IT) project managers with the process and tools to help ensure successful implementation of systems or applications that satisfy their strategic and business objectives. This project contained five major phases and each phase was designed to integrate security into each step of the SDLC.
- Requirements Phase: This phase provided a list of security requirements to be integrated into the design of the website.
- Design Phase: The design phase consisted of two deliverables: a threat model and a holistic security architecture review, with the goal of evaluating the security architecture and ensuring the confidentiality and availability of the information assets.
- Development Phase: The development phase provided the developers with secure coding guidance and code reviews. The goal was to ensure secure coding practices were implemented to minimize popular attack vectors such as SQL injection and Cross Site Scripting attacks.
- Testing: The testing phase consisted of several activities, including security test cases for the developers and testers to perform, a website vulnerability and penetration test using manual and automated techniques, and a “Clean-up Report” to identify all the areas from which to remove test data, IDs, or applications installed as part of the penetration test.
- Deployment (Final Validation): This phase included a validation penetration test to determine if items identified during the testing phase were remediated. This also helps to verify that no new weaknesses were introduced since the testing phase was completed.
“The phases early on had the largest impact,” said Goerlich. “By getting buy-in from the business on securing the website from the earliest stages of the project, we were able to keep the developers focused. The design phase pointed out several areas that, had they been caught later on in the project, would have been very costly to fix. Together, the requirements and design phases avoided most of the security vulnerabilities. Those vulnerabilities that were left, we identified in the testing phase. We integrated the testing phases with UAT and that meant the developers were fixing security issues alongside functional issues.”
The investment management firm chose to have VioPoint included in the SDLC process to ensure their new website design was secure. With security practices built into each phase of development of the application, the investment firm could be assured that their website would perform the desired financial transactions as well as keep customer data secure. “Strategically for the firm,” commented Goerlich, “we now have a first class website backed with first class security. We have the ability to make a good impression with the assurance that the impression will not easily be undermined. Strategically for my team, this project illustrates my philosophy of information security: bake security controls into new systems at every stage of the project. From the business case to the final deliverable, each phase provides an opportunity to review and strengthen the security posture.”
“This was more than a point-and-click assessment, as it was a top-down analysis of both code and infrastructure,” Goerlich explained. “VioPoint’s team engaged my team and my third-party developers at every stage of the project and the deliverables were on time, to spec, and well-polished.”