Case Study of Cyber Security in Tech Company
A well-known tech company came to us with a compliance problem. The company had already had its product audited, but the government certification body had rejected both the audit report and the certification application after finding the product non-compliant.
Solution
The product was an IoT device that communicated with a mobile application and a back-end server. Functionally, the product worked as intended; what it lacked was the evidence of compliance that the certification body required.
A product or service can only be deemed compliant if it follows the prescribed guidelines, and those guidelines require specific processes to be carried out within the product development lifecycle. Those processes were missing here: the application had not been developed in a secure, documented fashion, and no amount of after-the-fact testing could substitute for that. That was the root of our client's problem.
Our role, therefore, was to make sure that every compliance guideline was followed to the letter, so that the firm could obtain official certification from the government auditing body.
The team that worked on this challenge included an IoT domain expert, an operations expert with full server and database operational knowledge, a developer, a security professional, and a compliance specialist. The compliance specialist's job was to keep the team pointed in the right direction and to ensure no complications arose during or after the process.
The application we would develop had to be secure enough to pass every test the security compliance regime applied. We had a limited amount of time to finish the project: if we missed the window, the government body would blacklist the company, and the client would also have to pay a hefty fee for every further audit application it submitted. Both the client and we wanted to avoid that outcome.
To keep project management seamless, we planned every step, tracked progress against project reports, and allotted a time frame to every project phase. We started by studying the previous audit report, which told us exactly what was in place and what was missing.
As with most technology, a product that does not receive proper updates and upgrades risks becoming obsolete within a few years. We did not want our client to end up hunting for developers for the same product years later, wasting both resources and money.
Instead, we decided to rebuild the product at this stage, this time under the compliance guidelines and following a Secure Software Development Life Cycle (SSDLC): a series of cyber security controls integrated into the development process so that the product is assessed for vulnerabilities at each stage rather than only at the end.
Next, we ran security testing tooling over the system to identify vulnerabilities. On the static side we performed Static Application Security Testing (SAST), also called static code analysis, source code analysis or "white box" testing: it examines the non-running source code, early in development, using techniques such as data flow analysis and taint analysis to trace how untrusted input moves through the program and to flag places where it reaches a dangerous operation without being validated or sanitised.
On the dynamic side we ran Dynamic Application Security Testing (DAST), or "black box" testing, which probes a running instance of the application from the outside, the way an attacker would, to find vulnerabilities that only appear at runtime. DAST is normally run against a test or staging deployment rather than only once the app is live, so that findings can be fixed before release.
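To make the taint-analysis step concrete, here is a small intraprocedural taint analysis over Python source, written as an added example for this page; it is not the tool used on the engagement, nor any vendor's product. The source, sink and sanitiser lists are illustrative assumptions (a Flask-style request object, os.system, a database cursor, shlex.quote and int), and the sample handler it scans is constructed for the demonstration.

```python
# Added example: minimal intraprocedural taint analysis over Python source.
# The SOURCES / SINKS / SANITIZERS sets are illustrative assumptions, not a
# complete rule set, and the SAMPLE handler below is constructed input.
import ast

SOURCES = {"input", "request.args.get", "request.form.get"}       # attacker-controlled data enters here
SINKS = {"os.system", "subprocess.call", "cursor.execute", "eval"}  # dangerous when fed tainted data
SANITIZERS = {"shlex.quote", "int"}                                # calls that neutralise taint


def dotted_name(node):
    """Return 'a.b.c' for a Name/Attribute chain, or None for anything else."""
    if isinstance(node, ast.Name):
        return node.id
    if isinstance(node, ast.Attribute):
        base = dotted_name(node.value)
        return f"{base}.{node.attr}" if base else None
    return None


class TaintAnalyzer(ast.NodeVisitor):
    """Walks statements in source order and tracks which variable names
    currently hold unsanitised source data (no branch or loop merging)."""

    def __init__(self):
        self.tainted = set()   # names holding attacker-controlled data
        self.findings = []     # (line number, sink name) for each tainted sink call

    def is_tainted(self, node):
        """Data-flow rule: an expression is tainted if source data reaches it unsanitised."""
        if isinstance(node, ast.Name):
            return node.id in self.tainted
        if isinstance(node, ast.Call):
            fn = dotted_name(node.func)
            if fn in SOURCES:
                return True
            if fn in SANITIZERS:
                return False            # a sanitiser cuts the flow
            # any other call propagates taint from its receiver and arguments
            parts = list(node.args) + [kw.value for kw in node.keywords]
            if isinstance(node.func, ast.Attribute):
                parts.append(node.func.value)   # e.g. user.strip()
            return any(self.is_tainted(p) for p in parts)
        if isinstance(node, ast.JoinedStr):   # f-string
            return any(self.is_tainted(v.value) for v in node.values
                       if isinstance(v, ast.FormattedValue))
        if isinstance(node, ast.BinOp):       # "ls " + user
            return self.is_tainted(node.left) or self.is_tainted(node.right)
        if isinstance(node, (ast.List, ast.Tuple)):
            return any(self.is_tainted(e) for e in node.elts)
        return False

    def visit_Assign(self, node):
        tainted = self.is_tainted(node.value)
        for target in node.targets:
            if isinstance(target, ast.Name):
                if tainted:
                    self.tainted.add(target.id)
                else:
                    self.tainted.discard(target.id)   # reassignment with clean data
        self.generic_visit(node)

    def visit_Call(self, node):
        fn = dotted_name(node.func)
        if fn in SINKS and any(self.is_tainted(a) for a in node.args):
            self.findings.append((node.lineno, fn))
        self.generic_visit(node)


def analyze(source):
    """Run the analysis and return [(lineno, sink), ...] for tainted sink calls."""
    analyzer = TaintAnalyzer()
    analyzer.visit(ast.parse(source))
    return analyzer.findings


# Constructed sample input (not from the page): one handler with unsafe and safe flows.
SAMPLE = '''\
import os, shlex, subprocess
def handler(request, cursor):
    user = request.args.get("name")
    os.system("ls " + user)                         # tainted: shell injection
    os.system("ls " + shlex.quote(user))            # sanitised: no finding
    count = int(request.args.get("count"))
    subprocess.call(["head", "-n", str(count)])     # int() cut the flow: no finding
    cursor.execute(f"SELECT 1 WHERE n = '{user}'")  # tainted: SQL injection
'''

if __name__ == "__main__":
    for lineno, sink in analyze(SAMPLE):
        print(f"line {lineno}: untrusted data reaches {sink}")
```

Running it reports the two unsanitised flows (lines 4 and 8 of the sample) and stays silent on the two sanitised ones. A production SAST tool does the same thing with interprocedural and path-sensitive tracking, a far larger rule set, and framework-aware models of where data enters and leaves; the core idea of marking sources, following assignments and string building, and stopping at sanitisers is the same.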
Our team then tested the web application, the mobile application and the IoT device itself, both manually and with automated tooling, to catch any vulnerabilities the earlier passes had left unchecked.
At the end of this process we had a product that was ready to submit. The point was proven when the product was tested again three months later and cleared every guideline, finally gaining full compliance from the government body.
Outcome
Product compliance is the evidence that a product meets all relevant directives, regulations and harmonised standards. From gaining consumer trust, to avoiding unnecessary legal issues, to enhancing company value and reputation in the market, our client understood how important it was to ensure their product was fully compliant, and we were glad to help them achieve that goal.