
A Partnership to Safely Build a Justice System’s Codebase

An Edgescan partner called in the vulnerability-management solution to provide another level of security for a coding project underway within a critical area of a correctional system.

 

About the Client

The governing board for a nation’s youth justice system was engaged in a large-scale programming project to develop an online platform for managing the documents and other casework associated with individuals enrolled in the system. Considering the nature of the information—criminal records, psychological evaluations, and other personal data for minors and individuals under 21 years of age—security was paramount.

So the board’s leadership approached an Edgescan partner, Securestorm (now known as Falanx Cyber), to safely manage the development process. Securestorm provided the initial layers of testing, but when a section of code reached a sufficient level of maturity, it was moved to a cloud-based, web-facing user-training environment. The team at Securestorm identified Edgescan’s vulnerability management solution as the ideal partner to handle risk management, information assurance, and operational security for this stage of the process.

 

About Edgescan

Edgescan offers a continuous security testing and unified exposure management SaaS platform that manages thousands of assets across the globe for both enterprise and SME clients, helping them to continuously detect, prioritize, monitor, and fix security weaknesses across all web-facing and internal systems, including web applications, websites, mobile apps, servers, firewalls, VPNs, and VoIP services. A team of analysts validates every vulnerability discovered in an assessment, creating a multi-step verification process for a solution that’s highly accurate and virtually free of false positives.

 



Onboarding

The justice system’s web-facing platform was configured with a representative set of user accounts that were made accessible to Edgescan, so that new code could be tested from a variety of angles through multiple simulated end users with different roles. The solution then scanned the web-facing applications on a schedule matched to the internal development team’s sprint cycles, and the output reports were shared with the team for remediation as the development process continued.

 

Three Levels of Cooperative Security

Edgescan formed part of a three-level security testing and assurance model managed by Securestorm throughout the development process. As code was written and committed through the open-source Jenkins CI toolset, Securestorm tested each addition against OWASP standards using a plugin. This allowed the development team to fix issues while still working on the code.

When the code reached a level of maturity after clearing the initial security tests, it was moved to a cloud environment for user training and testing purposes. Edgescan entered the equation here, when each piece of the client’s platform became web-facing, to provide a second level of security testing. The rolling scans and penetration testing that define the Edgescan solution continually produced specific guidance around potentially problematic sections of code so that developers could remediate them as the development process unfolded, without disrupting or delaying each sprint.

When the code reached a final level of maturity, it was moved to the production environment and made subject to a targeted government penetration test.

 

Outcome

Edgescan entered a partnership to help the youth justice system governing board’s internal development team ensure the code they produced could be safely transitioned into a web-facing environment. Within Securestorm’s management of the overall security protocol, the Edgescan solution played a decisive role in providing timely and targeted assessments that allowed the development team to address issues during sprints. The continual scans and testing allowed the internal team to make these security adjustments without delaying the larger process or product rollouts, and without the need for a major penetration test at the end of the development lifecycle.

The developers were particularly impressed with the specificity of Edgescan’s reports around the impacted code, which enabled them to review the flagged security gaps and address the issues within the process rather than months later. The governing board’s leadership was pleased that security issues and potential risks were addressed as part of the development lifecycle, and held high confidence that Edgescan’s security-testing model had a significant positive impact on the developed application code. The Edgescan solution helped the governing board create a platform that allowed new coordination and knowledge-sharing within their workforce for the benefit of young people and the rehabilitation process, safeguarding underage citizens’ highly sensitive information in a web-facing environment.