security code review case study - we45


Upload: we45

Post on 15-Jul-2015


TRANSCRIPT

  • we45's Web Application Security Solutions

    Web Application Vulnerability Assessment and Penetration Testing

    Secure Software Development Lifecycle Implementation and Consulting

    Application Security - Code Review and Walkthroughs

    Web - Product Security Consulting and Design

  • Security Code Review - Case Study

    A Fortune 100 Bank and Card Payment Brand engaged we45

    They were pursuing PCI Compliance for operations in the APAC region

    Key Challenge - Application Security Requirements - Compliance with PCI-DSS Requirement 6

  • Key Objectives

    Increase Developer Awareness with Web Application Security Training

    Perform Comprehensive Security Code Reviews for Custom Applications developed and deployed on various platforms

    Create Detailed Security Code Review Reports and Design Remediation Strategies and Action Plans

  • The we45 Approach

  • Training - we45 Certified Web App Security Professional

    we45's Acclaimed Certified Web Application Security Professional Program

    Two-Day Hands-on, Intensive Web Security Training Program for Developers, Architects, Project Managers and Security Managers

    Replete with Case Studies, Hands-on Exercises, Vulnerable Web Application Exercises and other material

    Assessment Exam at the end of the Training - with Certification

  • Application Security Risk Assessment & Threat Modeling

    we45's Security Experts performed an Application Security Risk Assessment for the client's in-scope applications.

    Risk Assessments are critical in identifying security requirements and in prioritizing security implementation

    we45's Methodology - Created by CTO Abhay Bhargav, detailed in his book Secure Java for Web Application Development

    A Derivative of the OCTAVE and NIST Risk Assessment Methodologies - Focused on Web Apps

  • Application Security Risk Assessment & Threat Modeling - 2

    Application Security Threat Modeling - Critical in identifying potential attack scenarios

    Identified Trust Boundaries for the in-scope Web Apps

    Extremely useful for Code Reviews, Security Testing and Application Security Documentation

    we45's Security Experts perform Threat Modeling based on Microsoft's STRIDE Methodology

  • we45 Security Code Review

    Hybrid Methodology - Automated and Manual Code Review for 30 in-scope web applications

    we45's Security Experts developed special scripts and tools to identify Security Flaws

    Security Flaws assessed - OWASP Top 10, WASC Security Flaws, SANS Top 25, CERT-US Secure Coding Guidelines

    Security Flaws from a PCI perspective were also evaluated

  • Review & Presentation

    Findings presented to Developers, Project Managers and CTO

    Findings were explained in detail by we45's Security Experts

    Findings were prioritized and agreements on remediation were reached

  • Analysis & Reporting

    we45 prepared a detailed Security Risk Assessment and Code Review Report

    Findings in the report were ranked by severity.

    Findings were cross-referenced to industry identifiers such as CWE and CVE.

    Examples were provided as code-snippets with line number information

    Multiple Recommendations and Remediation Strategies were provided

    Executive Summary and Action Plan prepared for Management Action

  • Results & View into the Future

    Results:

    Client achieved PCI Compliance and Certification

    we45 Approach of Risk Assessment and Code Review - Lauded by the PCI-QSA

    Developer Security Training - A Model for other Development teams in the company

    The Future:

    we45 is the trusted Application Security Partner for this client

    Extension of we45's services to PCI Continuing Compliance Consulting
