Success Stories Winmill Provides Cyber Security Services to Hybrid Cloud Management Developer
The Project
Our client has created one of the most popular automation platforms to manage hybrid cloud and application infrastructures. When they needed to integrate Invicti Netsparker into a mission-critical software development life cycle (SDLC), they called Winmill. With our deep roots in application development and our extensive experience with dynamic scanning tools and methodologies, our team was a perfect fit. We helped them to create initial scan profiles, build front-facing and API endpoint URL rewrite rules, execute and monitor scans, review scan results, and recommend remediation next steps. The project was a huge success.
Challenges
- Design a strategy for segmentation of the application platform to allow greater visibility and control over each individual segment, reduce scan times, and enable faster analysis and reporting.
- Shorten feedback loops.
- Integrate vulnerability assessments into the merge-approval process and, based on vulnerabilities found, determine if a security review/approval is required for the code base changes.
- Enable developers to run scans without engaging the Security Team.
- Integrate scan results with Pivotal Tracker.
Solution
We began the engagement by reviewing the functionality of front-facing pages and publicly available API endpoint definitions. From there, we created Netsparker scan profiles. These profiles were designed to provide optimized coverage for the application assets under test. Optimization techniques included creating regular expression rules and establishing URL rewrite rules.
We then established regular communication with the client’s Security Team and IT managers during release cycles. We reviewed and triaged Netsparker scan results, ensured that only confirmed issues and actionable items were introduced into the SDLC, and recommended next steps. Our responsibilities included documenting actionable items using Pivotal Tracker (including Common Weakness Enumeration, affected paths, and Common Vulnerability Scoring System score and description), and updating monthly release notes that were shared with platform end users.
We also implemented Software Composition Analysis (SCA) asset scanning using the WhiteSource open-source platform. We evaluated the results and assessed risk levels, remediated as necessary, and included any newly vulnerable libraries in the regular reporting and SDLC communication. We ultimately created an automation script that invoked WhiteSource scans and downloaded vulnerable library information for immediate remediation by the security team.
The Results
We incorporated Netsparker into an automated, secure SDLC based on industry standards and best practices. Our client is now able to support secure DevOps with automated security scanning and informed assessment of scan results. They now have a structured and effective remediation workflow where actionable security flaws are reviewed, assessed, and mitigated.
“Winmill’s team played a critical role in the success of our ongoing secure release cycles. We were able to readily triage scan results, suppress false positives and assign actionable vulnerabilities to our technical team for further review using a highly optimized process. This enabled us to release critical updates on time to meet our customer’s needs. This has been a game changer!”
