Managing The Risk Register Post A Boundary Review

THE SITUATION

For this mid-sized government department, approximately 100 browser-based applications process data essential to the organization. Half of these apps are Internet-facing: primary websites, customer portals, supplier portals and APIs for mobile apps. The other half are internal web apps for processing bookings, payments, HR and finance.

After a full boundary review and audit, security flaws were detected in 80% of the applications. Many of the apps were old, making skilled development resources difficult to find; for some apps, fixes had to be subcontracted. Ten of the apps had been inherited through acquisition without any development history. The Departmental Security Officer was faced with 80 applications with known exploitable flaws that could not be fixed tomorrow and were vulnerable to attackers today. He contacted RedShield via the Government Supplier Panel for a proposal.

OUR SOLUTION

RedShield reviewed all reports and provided 80 independent shielding plans addressing all known issues. A decision was made to use RedShield Cloud for the Internet-facing apps. Once the relevant technical details had been provided, business process integration agreed, and performance testing of each application completed, the DNS records for the relevant sites were updated to point to RedShield. DDoS protection was in place and RedShield analysts had full visibility of the traffic and any attacks.

Traffic was monitored in transparent mode against the baseline security profile for 10 working days. After some modest tuning, RedShield observed no false positives against a sizable workload. RedShield then submitted a Change Request to the Department's Change Approval Board to transition the profile into blocking mode. Upon approval and the granting of a change window, the changes were made, and 80% of the detected problems were no longer exploitable.

Focus then moved to advanced shielding. Following the customer's change management process, Level 1 and Level 2 custom shields were deployed, tested and moved into blocking, addressing another 10% of the issues. Finally, the Level 3 business logic transformation shields were brought inline and the final 10% of the issues were mitigated.

“The results RedShield has achieved for us are amazing. I am used to Pen Test findings kicking off a number of projects and then managing and reporting on risks for months. Often technical and business issues get in the way and a number of the risks are only resolved when we replace applications. With RedShield they took all the reports, provided shielding plans and in one month's time I had a clean environment. Amazing.”

THE RESULT

A security audit retest was conducted and a clean bill of health was issued for all 80 applications. Without touching a single line of code or updating any back-end apps, hundreds of exploitable issues across 45 external-facing applications were mitigated. A process that normally takes months to years, with only partial success, had been replaced by a service that took one month to address all issues.

A decision was made to shield the internal apps as well. Using a RedShield private node, a similar deployment project followed, and the entire application fleet is now scanned, shielded and monitored by RedShield experts. The DSO receives monthly management reports that highlight incidents and the business impact averted, continually justifying his decision to choose RedShield.

May 21, 2020