Automated cybersecurity ecosystem

Learn how we built an automated cybersecurity ecosystem that detects and eliminates software security vulnerabilities for a banking institution, and how that ecosystem later evolved into a universal cybersecurity solution.

  • Industry

    FinTech

  • Country

    USA

  • Team size

    6 IT experts

  • Implementation

    3 months

About the client

Our client is a traditional US-based bank that was expanding its online presence to attract more customers. It wanted to add new functionality and widen the range of financial services available in its customer service software.

Business context

The bank hired us to develop new web and mobile banking applications because the existing versions were technically unstable: they could not withstand the high loads caused by a growing number of consumer financial transactions.

We assessed the client’s existing applications and found them vulnerable to external attacks, putting customers’ personal and financial information at risk. Once we had reported this, the client asked us to set up a secure software development process that would:

  • reduce the number of security vulnerabilities in the new software 
  • prevent data breaches and cyber attacks
  • reduce post-release expenses on addressing security issues

Solution overview

  • We established a secure software development lifecycle (S-SDLC). Our security approach evolved into a cybersecurity ecosystem for automated detection and management of software vulnerabilities. 

    The ecosystem is integrated into the client’s CI/CD pipeline, allowing for automated security control checks. In the event that a vulnerability is identified, the system automatically creates a Jira ticket for further action.

  • Implementing security controls

    Security controls built into the S-SDLC let us detect vulnerabilities early, while the code is still being written and merged, so that what reaches production has already passed the checks below.

    Security testing included: 

    • Static application security testing (SAST)
    • Dynamic application security testing (DAST) 
    • Infrastructure as code (IaC) security scanning

    Vulnerability scanning included:

    • Detecting unintentional commits of secrets (keys, passwords, tokens, SSNs)
    • Dependency scanning
    • Docker image scanning 

    Security audits included:

    • Cloud security audits 
    • Kubernetes (K8s) security audits


  • Security ecosystem architecture

    Our ecosystem architecture included five main elements:

    1. Implementation of the CI/CD pipeline

    A CI/CD pipeline lets the client cut costs and strengthen the product’s security layer: security controls run on every merge request, and code that fails them is not merged. This lowers the risk of deploying code with known security vulnerabilities.

    2. Vulnerability orchestration module on AWS Lambda

    We built a security module and deployed it on AWS Lambda. It parses scanner output, analyses and manages the detected vulnerabilities, automatically creates Jira tickets carrying all the information needed to act on each one, and sends notifications.

    3. Storage and processing on AWS

    When a job such as SAST finishes, its artifacts (the scanner’s output) are saved to an AWS S3 bucket. This gives us a history of every scan, places no practical limit on the number of files, and lets us separate projects by folder (key prefix). The S3 object-created event triggers the AWS Lambda module, which processes the results.

    4. Jira tickets creation 

    The ecosystem creates and manages Jira tickets that record each vulnerability’s description and location, its threat level, and tags with the project name and the scanner tool that found it.

    5. Notifications via Slack 

    Users get Slack notifications about newly created vulnerabilities and their severity. 
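
The following is an added example, not the case study’s own code, showing how elements 3 to 5 of the architecture above fit together in one Lambda function: parse a scan artifact that landed in S3, open a Jira ticket for each new finding with the description, location, threat level and project/scanner tags described above, and post a Slack notice. Everything not stated on the page is an assumption made here: the artifact is SARIF 2.1.0 JSON (the page does not name a format), the S3 key is laid out as `<project>/<scanner>/<run>.sarif`, the level-to-threat mapping, the `fp:` label used to deduplicate findings across re-scans, and the `SAMPLE_SARIF` input, which is constructed for offline runs. The Jira call targets the REST v2 `POST /rest/api/2/issue` endpoint and Slack is reached through an incoming webhook; `run_demo` swaps both for in-memory fakes so the module runs with no network access.

```python
import base64, hashlib, json, os, urllib.request
from typing import Callable, Dict, List, Set

# SARIF "level" -> threat level on the ticket (mapping chosen for this example).
THREAT_LEVEL = {"error": "High", "warning": "Medium", "note": "Low"}

def parse_sarif(text: str) -> List[Dict]:
    """Flatten SARIF runs/results into one finding dict per result."""
    findings = []
    for run in json.loads(text).get("runs", []):
        tool = run["tool"]["driver"]["name"]
        for res in run.get("results", []):
            loc = res["locations"][0]["physicalLocation"]
            findings.append({"tool": tool, "rule": res["ruleId"],
                             "severity": THREAT_LEVEL.get(res.get("level", "warning"), "Medium"),
                             "message": res["message"]["text"],
                             "file": loc["artifactLocation"]["uri"],
                             "line": loc.get("region", {}).get("startLine", 0)})
    return findings

def fingerprint(project: str, f: Dict) -> str:
    """Stable id so a re-scan does not open a second ticket; the line number is
    deliberately excluded because unrelated edits above the finding shift it."""
    return hashlib.sha256("|".join([project, f["tool"], f["rule"], f["file"]]).encode()).hexdigest()[:16]

def build_jira_issue(project: str, f: Dict, fp: str) -> Dict:
    """Ticket fields: description, location, threat level, project and scanner tags."""
    return {"summary": f"[{f['severity']}] {f['rule']} in {f['file']}:{f['line']}",
            "description": f"{f['message']}\n\nLocation: {f['file']}:{f['line']}\nFingerprint: {fp}",
            "priority": f["severity"],
            "labels": [f"project:{project}", f"scanner:{f['tool']}", f"fp:{fp}"]}

def process_scan_artifact(key: str, sarif_text: str, known: Set[str],
                          create_issue: Callable[[Dict], str],
                          notify: Callable[[str], None]) -> List[str]:
    """Core of the Lambda; key layout <project>/<scanner>/<run>.sarif is assumed.
    Returns the Jira keys of the tickets created for findings not seen before."""
    project, scanner = key.split("/")[:2]
    created = []
    for f in parse_sarif(sarif_text):
        fp = fingerprint(project, f)
        if fp in known:            # already tracked: do not open a duplicate
            continue
        known.add(fp)
        created.append(create_issue(build_jira_issue(project, f, fp)))
        notify(f"{f['severity']}: {created[-1]} {f['rule']} in {f['file']}:{f['line']} "
               f"({scanner}, project {project})")
    return created

def _post_json(url: str, payload: Dict, headers: Dict) -> Dict:
    """Stdlib JSON POST shared by the Jira and Slack clients."""
    req = urllib.request.Request(url, data=json.dumps(payload).encode(), method="POST",
                                 headers={"Content-Type": "application/json", **headers})
    with urllib.request.urlopen(req, timeout=10) as resp:
        body = resp.read()
    return json.loads(body) if body.startswith(b"{") else {}   # Slack webhooks answer "ok"

def jira_create_issue(issue: Dict) -> str:
    """Jira REST POST /rest/api/2/issue; JIRA_URL/JIRA_USER/JIRA_TOKEN/JIRA_PROJECT from env."""
    auth = base64.b64encode(f"{os.environ['JIRA_USER']}:{os.environ['JIRA_TOKEN']}".encode()).decode()
    fields = {"project": {"key": os.environ["JIRA_PROJECT"]}, "issuetype": {"name": "Bug"},
              "summary": issue["summary"], "description": issue["description"],
              "priority": {"name": issue["priority"]}, "labels": issue["labels"]}
    return _post_json(os.environ["JIRA_URL"].rstrip("/") + "/rest/api/2/issue",
                      {"fields": fields}, {"Authorization": "Basic " + auth})["key"]

def slack_notify(text: str) -> None:
    """Slack incoming webhook; URL comes from SLACK_WEBHOOK_URL."""
    _post_json(os.environ["SLACK_WEBHOOK_URL"], {"text": text}, {})

def lambda_handler(event, context):
    """Entry point for the S3 ObjectCreated trigger (boto3 ships in the Lambda runtime).
    The empty known-set is a placeholder: a deployment would keep it in DynamoDB or a JQL lookup."""
    import boto3
    rec = event["Records"][0]["s3"]
    body = boto3.client("s3").get_object(Bucket=rec["bucket"]["name"], Key=rec["object"]["key"])["Body"].read()
    return process_scan_artifact(rec["object"]["key"], body.decode(), set(), jira_create_issue, slack_notify)

# Constructed sample artifact for offline runs (not real scanner output).
SAMPLE_SARIF = json.dumps({"version": "2.1.0", "runs": [{"tool": {"driver": {"name": "example-sast"}}, "results": [
    {"ruleId": "sql-injection", "level": "error", "message": {"text": "Request parameter reaches a SQL query unparameterised."},
     "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/accounts.py"}, "region": {"startLine": 42}}}]},
    {"ruleId": "weak-hash", "level": "note", "message": {"text": "MD5 used for password hashing."},
     "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/auth.py"}, "region": {"startLine": 7}}}]}]}]})

def run_demo():
    """Process the same artifact twice with in-memory Jira/Slack fakes.
    Returns (keys from run 1, keys from run 2, Slack messages sent)."""
    tickets, messages, known = [], [], set()
    def fake_jira(issue):          # stands in for jira_create_issue
        tickets.append(issue)
        return f"SEC-{len(tickets)}"
    first = process_scan_artifact("mobile-banking/example-sast/run-1.sarif", SAMPLE_SARIF, known, fake_jira, messages.append)
    second = process_scan_artifact("mobile-banking/example-sast/run-2.sarif", SAMPLE_SARIF, known, fake_jira, messages.append)
    return first, second, messages

if __name__ == "__main__":
    print(run_demo())
```

Running the module opens two tickets (SEC-1 for the High finding, SEC-2 for the Low one) and sends two Slack messages on the first pass; the second pass over the same artifact creates nothing, because both fingerprints are already known. That deduplication is the piece teams most often leave out: without it every nightly scan re-files the same vulnerabilities and the Jira project stops being a useful backlog.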

Value delivered

Together with our client, we achieved the following results:

  • Customization. Our solution is easily customizable for any project and industry and can be integrated into diverse business procedures.

  • Cost-efficiency. Comparable out-of-the-box solutions may cost around $100 per developer per month, while our solution carries no monthly or annual fees. It also bundles automated vulnerability detection, an optimized S-SDLC, and expert guidance on implementing the right protection for the system, services that a client choosing ready-made software would have to pay for separately.

  • Scalability. We chose industry-proven technologies and tools that helped us develop a flexible security ecosystem that can scale in the future and won’t require much additional reconfiguration.
