Case Studies of Recent Engagements

Software security architectural risk analysis - Professional Association

Problem: A small not-for-profit professional organization was looking to deploy a credit card payment system for its members to use. Although they'd outsourced the development of the system, they were concerned about the system's security and weren't satisfied with merely taking the conventional approach of doing a penetration test to "ensure" that it's adequately safe.

Solution: KRvW Associates worked with the outsourced software developer to write and review the software's design architecture. The review consisted of examining the sensitive information that passes through the application, looking for weak points that could be exploited by an attacker to compromise customer information. Operating processes and procedures were also examined to ensure that the application's deployment environment is adequately protected and monitored for attacks that are directly relevant to this application. The result was a documented system architecture that can be clearly understood by the client organization and is highly likely to provide the necessary level of protection of the client organization's membership.


Software security architectural risk analysis - International Hotel Chain

Problem: A major international hotel chain was implementing software to handle its distributed credit card transactions securely. The software was designed by a security team and intended to bring the hotel up to date in complying with payment card industry security standards, PCI DSS 1.1.

Solution: KRvW Associates was engaged to conduct an independent architectural risk analysis of the software under development. We studied the design in detail and interviewed the implementation team to validate how the software worked. From this understanding of the system, we conducted three levels of architectural analysis: attack resistance analysis, ambiguity analysis, and weakness analysis. The resulting deliverable was a detailed risk analysis that described several potential weaknesses and their corresponding attack profiles, prioritized by business risk. Each finding was then presented to the design team, and mitigations were put in place to minimize the likelihood of these attacks being successful. The entire project took approximately one calendar month, and the development team was able to maintain its rigid delivery schedule while still taking reasonable precautions to ensure the software was secure enough to meet the hotel's business needs.

Emerging Technologies Evaluation & Decision Support - US Department of Defense

Problem: A research agency of the US Department of Defense was sponsoring the development of "bleeding edge" information security tools for possible use within the US military community. As these products were submitted from different vendors, the agency desired that an independent third party evaluation be conducted of these products to develop an appropriate testing framework and provide an objective assessment of their reliability, quality, utility, and viability as potential future information security products for the US military.

Solution: Working with agency and vendor personnel, KRvW Associates developed a robust test and evaluation framework and process that could be applied to both hardware and software products coming under review. This framework governed a series of independent evaluations of products ranging in quality from initial "proof of concept" to those submitted for final agency review for possible procurement and deployment. The result was a two-year series of product evaluations using a demonstrable and repeatable evaluation framework that the agency desired to apply toward future assessments of information security technologies.

Tailored Software Security Training - Financial Services Firm

Problem: After several recent audit findings in its software security, a major financial services firm wanted to get some training in Secure Coding practices for its developers.

Solution: To get the most out of the client's training dollars, KRvW Associates tailored its in-house 1-day Secure Coding tutorial to include substantive discussions on each of the audit findings, so that the developers could put the findings into the context of the presented training material. The audience included representatives from the IT Security organization in addition to several of the client's Software Development personnel, and the training content was designed to help both organizations work together in developing more secure software applications for the organization.


Incident Response Exercise - International Airline

Problem: A major international airline had just finished planning and documenting its Incident Response policies and practices, and was ready to put them to the test.

Solution: The airline engaged its Incident Response outsource vendor to help design and execute a series of management and technical exercises so that it could evaluate the efficacy of its IR planning. The IR vendor engaged KRvW Associates as an IR subject matter expert with experience in planning and executing realistic IR exercises in major corporations. After consultations with the client and the IR vendor, multiple incident scenarios were developed in increasing levels of technical sophistication so that the client could realistically test its processes and procedures as well as the technical knowledge of its IR operators in a friendly, non-emergency, and non-threatening environment. The exercises were executed successfully and helped pinpoint several trouble spots that needed to be addressed to ensure efficient, businesslike IR operations during actual emergency situations.


Network Security Architecture Review - Financial Services Firm

Problem: A major financial services firm was considering a renovation of its production e-commerce data processing network environment. Several DMZ network designs were proposed by the design team and the internal security team. The company then sought an independent external review of the proposed designs for their security as well as operational viability.

Solution: KRvW Associates was engaged to review the proposed designs and to recommend any additional revisions to further enhance their viability. The designs were carefully analyzed and compared against the firm's documented security requirements for the new DMZ network. Further, the designs were evaluated against the best business practices observed by KRvW Associates at similar data processing facilities, as well as their likelihood of withstanding known attack profiles. Each design was then rated in terms of its strengths and weaknesses, and the designs were prioritized for the firm. An event logging and monitoring capability and architecture were also recommended to augment the recommended design, so that the firm would be in a better posture to respond to security breaches, should they occur in the future.