Application security framework (ASF)

The Techtez security framework defines the security objectives, processes, and tools for every phase of the SDLC. The framework is expected to identify and address security aspects early in the development cycle, so that the resulting application is robust, secure, and free of issues and vulnerabilities.

Secure SDLC Objective and process

Process

| SDLC Phase | Process | Tools |
|---|---|---|
| Requirements Elicitation | TECHTEZ developed a comprehensive questionnaire to collect the details of security requirements. Collected details include objective, regulatory compliance, web security expectations, IAM, data encryption in transit and at rest, encryption standards, enterprise integration, API integration (access and data integrity), software licenses and versions, integrating systems, etc. | Spreadsheet-based questionnaire |
| Design | Threat modeling tools are used during design to identify and mitigate potential security issues early, when they are relatively easy and cost-effective to resolve. | Microsoft Threat Modeling Tool |
| Development | SAST tools are used to analyze application source code, byte code, and binaries for coding and design conditions that are indicative of security vulnerabilities. | SonarLint, FindSecBugs, SpotBugs, etc. |
| Testing | Dynamic Application Security Testing (DAST) is a black-box security testing methodology in which an application is tested from the outside. The objective of this testing is to identify critical web application vulnerabilities as defined by OWASP (https://owasp.org/). | Nessus, OpenVAS, ZAP, etc. |

Case study 1: TECHTEZ IOT Cloud Platform

This IoT platform was designed and implemented using the secure SDLC process detailed in the previous sections.

  • The Microsoft Threat Modeling Tool is used at the design phase to define the entities, interfaces, data flows, etc. (Slide 5 has the model and tool output)
  • Data integrity is ensured by data encryption during transit and at rest
  • External interfaces and API access are using secure links.
  • Digital certificates and secure tokens are used to authenticate and authorize the participating systems
  • Secure gateway servers act as an entry point that filters the inbound traffic and allows the legitimate data to flow into the application.
  • Firewalls and port restrictions secure the application and DB from unauthorized access.
  • IAM for platform UI users, with roles and access privileges.

Case study 2: Telecom NUMBERING SOLUTION

TECHTEZ developed and maintains a telecom application for a US telecom solution major; the application is used by more than 10 telcos around the globe.

  • The application is designed to follow stringent telecom regulations, where application security is given the highest importance.
  • The application has a complex architecture with high message volume (approx. 3.5 million msg/day); it is designed so that its security framework doesn't impact performance.
  • SAST (SonarLint) and DAST (Nessus) testing and fixing
  • External integration to OSS & NE using secure links (digital certificates, data encryption, authentication tokens, etc)
  • Identity and access management for all GUI users.