Abstract image of a woman sitting on books and studying on a laptop

Application Security: Safeguarding Data, Protecting Reputations

Cognizant, profile picture
Cognizant

The document discusses the critical importance of application security in today's interconnected digital landscape, emphasizing the need for organizations to proactively address vulnerabilities through penetration testing. It outlines various security incidents and types of cyberattacks while debunking common misconceptions about security measures. Additionally, it provides insights into the penetration testing process, covering strategies for effective security assessments and the evolving costs associated with security threats.

Related topics:
Application Security Penetration-Testing Quality Assurance Security Testing
1 of 7
Download to read offline
1
2
3
4
5
6
7
Application Security: Safeguarding Data, Protecting Reputations Assessing IT systems and network vulnerabilities in today’s interconnected digital world is a daunting endeavor. By embracing penetration testing’s best practices and procedures, organizations can proactively and affordably address security loopholes before hackers undermine customer confidence, brand reputation and financial well-being. Executive Summary In today’s connected digital ecosystem, applica- tions are center stage, influencing all the ways in which we interact and communicate. These applications contain sensitive data and deliver business-critical information services, and as a result even the smallest security loophole is exploited by cybercriminals looking to wreak havoc. While numerous cybercrime incidents have occurred over the years that damaged customer confidence and brand reputation, solving inherent information security challenges remains a work in progress for many organizations. The hacking challenge is so steep, that born- digital companies Yahoo and Google recently partnered to create an encrypted e-mail system 1 that allegedly cannot be decrypted even by the companies themselves. Clearly, our lives are increasingly reliant on digital devices, many of which are prone to security hacks. As a result, there is a grave concern about security, reinforced by recent events: • In January 2016, a large Belgian bank was attacked by cybercriminals that cost the bank 70 million euros, although no customers were affected by the breach. This type of attack is called a whaling attack or spear-phishing. 2 • In August 2015, the U.S. Internal Revenue Service reported that about 300,000 taxpayers’ personal information was compromised when hackers cracked the agency’s multi-step authentication process and were able to make fraudulent claims for tax refunds using stolen identities. 3 • In November 2015, a Switzerland-based encrypted e-mail provider’s Internet connection was held for ransom by hackers in what could be described as a distributed denial of service (DDOS) attack. 4 cognizant 20-20 insights | june 2016 • Cognizant 20-20 Insights
cognizant 20-20 insights 2 • In October 2015, a UK phone and broadband provider’s website was hacked by cyber- criminals who may have pilfered confidential banking details and personal information. This type of attack could be described as a sequential attack or SQL injection. 5 • In February 2015, a large U.S. health insurer’s database was breached, and sensitive informa- tion that affected about 80 million customer records was stolen. This was described as a sophisticated advanced persistent threat (APT), where a malicious user gains access to internal networks primarily to steal data. 6 This white paper talks about the importance of penetration in the digital arena and the process involved in preventing it. It also talks about the types of penetration testing, testing strategy and the costs involved in cybersecurity. Debunking Security Myths, Working Proactively to Plug Vulnerabilities Information plays a crucial role in every aspect of today’s modern digital world. Companies have launched more efficient ways to swiftly and safely deliver information and application services to end users inside and outside their firewalls. Safe- guarding such high volumes of data from cyber- attacks is a cumbersome task for most organiza- tions. Let’s start by debunking some myths that surround the concept of security testing (see Figure 1 below). While most organizations implement firewalls, SSL encryption and secure policies, every now and then they still become victims of cyber- attacks. The aforementioned incidents are proof that cyberattacks are not specific to any industry and can cause business distruption or, worse, undermine brand confidence or unleash financial damage that could challenge the very existence of any company. Attacks involving the loss of customer data and/or theft of important company information begin with the realization that the enterprise has been penetrated, followed by concern over what the breach has actually damaged. By then, it is often too late for the company to protect itself and its customers. Incorporating security testing early in the software development lifecycle can help orga- nizations identify application and infrastruc- ture vulnerabilities before cybercriminals strike. Periodical penetration testing helps unravel the organization’s current security posture. Incorporating security testing early in the software development lifecycle can help organizations identify application and infrastructure vulnerabilities before cybercriminals strike. Myth 2 Myth 1 Myth 3 • Myth 1: We have firewalls in place, which can protect our digital assets from threats. Fact: Firewalls can protect the system at the network level to a certain extent, but an attack could permeate through the application layer which cannot be tackled by firewalls. • Myth 2: Our applica- tions are internal and thus are not exposed to the Internet. • Fact: Many orga- nizations prioritize protecting the corporate information jewels from external attacks, but insider attacks are, sadly, more prevalent. Insiders have authorized system access and are familiar with the network architecture and policies. • Myth 3: Secure sockets layer (SSL) technology protects a website from intruders. Fact: Implementing SSL is not enough to protect websites from hackers as these can be exploited by forcing the browser to use low-encryption algorithms and decrypt the traffic, which leads to a “man- in-the-middle attack.” Figure 1
Defining Penetration Testing In simple terms, penetration testing is an in-depth security assessment that identifies the security loopholes in a system, from applications through infrastructure, which hackers use to exploit the system. It is an attempt to examine and evaluate by safely exploiting the vulner- abilities that may exist in operating systems, services and applications due to improper con- figuration management, insecure coding, weak design elements and incorrect implementation of security policies and procedures. Once vulnerabilities have been successfully exploited on a particular system, the compro- mised system can be used to launch attacks on the interconnected infrastructure to achieve higher privileges and take down the remaining portions of the network and related systems. Moreover, preventive measures taken by organizations to safeguard assets against such occurrences are a hallmark of effective penetration testing. Penetration testing helps customers protect company assets from cyberattacks. It helps define the vulnerabilities as identified by Open Web Application Security Project (OWASP), SysAdmin, Audit, Network, and Security (SANS) and Open Source Security Testing Methodology Manual (OSSTM) standards. In addition, it allows business leaders to understand the impact of those vulner- abilities in the real world. Where Penetration Testing Fits Today’s technology-intensive world pivots around applications that are complex to build, and that must scale internally and externally to fit most business needs. Though Web applications are now the predominant means for delivering infor- mation services to customers and internal users, there are many layers between the users and the database that house critical data. Hackers who can compromise the security of Web applications would gain access not only to sensitive data but gain the keys to the enterprise information archi- tecture kingdom. To prevent this from occurring, penetration testing can be applied to: • Identify security breaches that could result in business loss. • Comply with industry standards and regula- tions by ensuring that applications comply with industry standards such as ISO 27001, PCI DSS, NIST, FISMA HIPAA and Sarbanes-Oxley. • Enable an organization to avoid penalties for noncompliance by demonstrating a commitment to security due diligence and compliance. The Penetration Testing Process Our security assessment methodology covers the following security assessment guidelines: • OWASP top 10 vulnerabilities. • OWASP Application Security Verification Standard (ASVS). • SANS top 25. • OSTMM. • Web Application Security Consortium (WASC) guidelines. These standards define the process of penetra- tion testing using the following steps: • Manual inspections and reviews. • Threat modeling: >> Breaking the application down into its com- ponents. >> Classifying the assets protected/contained by that application. >> Exploring vulnerabilities, threats and other issues. >> Creating mitigating strategies. • Source code review (static application security testing): >> Manual and automated scans for trojan hors- es, time bombs, backdoors, etc. >> Procedures for deployment that may expose vulnerabilities. • Penetration testing: >> Web application penetration testing (dynam- ic application security testing). >> Infrastructure penetration testing. Penetration testing helps customers protect company assets from cyberattacks. Hackers who can compromise the security of Web applications would gain access not only to sensitive data but gain the keys to the enterprise information architecture kingdom. cognizant 20-20 insights 3
cognizant 20-20 insights 4 Formulating an Effective Strategy A comprehensive security testing approach can help uncover systems and network vulnerabilities. • Understand the security architecture and test the architecture rather than focusing on vul- nerabilities as listed in OWASP or SANS. • Verify whether the system has followed essential security principles such as: >> Fail securely. >> Defense in depth. >> Separation of privilege. >> Least privilege. • In the case of a multitier architecture, the approach should cover testing all tiers and all horizontal layers such as network, OS, server container frameworks and the server container that houses the application. Required sample tests include: >> Firewalking: Sending crafted network pack- ets to predict the firewall rules. >> Web application penetration tests. >> Web service tests. >> Database penetration tests. >> Network penetration tests. >> OS hardening tests. • In an ideal scenario, it is a good practice to test all the tiers and components involved, but in reality there is hardly enough time and budget to perform all of these tests. In such situations, risk-based testing can be conducted to: >> Analyze the level of changes made to each system. >> Analyze the risks from previous security scans on the same components. >> Assess a threat advisory issued on specific components. • A risk-based comprehensive approach provides the desired level of security validation in a cost- effective way. The Cost of Security The cost of security incidents depends on the type of incidents experienced and the number of incidents that have occurred. Generally, security incidents increase year on year. According to security software vendor Kaspersky, 7 the most expensive types of incidents involve: 8 • Worm, spyware and other malicious programs. • Vulnerabilities in existing software. • Accidental or otherwise sharing of data by staff. • Loss or theft of staff mobile devices. • Network intrusion or hacking. The cost of a security breach will always be prohib- itive when compared with the cost of protection. Moreover, a constantly evolving threat landscape adversely impacts the cost of security to be borne today and in the immediate future. Kaspersky also reported, “Roughly 90% of the companies with which we work or have spoken with confirm that they consistently confront security incidents that vary from malware attacks, to DDOS, to targeted intrusion attacks.” Given the variety, it is worthwhile to understand how common security attacks differ. • Phishing: This type of attack entails tricking or attracting a user to reveal sensitive information for malicious purposes in electronic communi- cation. The simplest example in this category is the “Nigerian e-mail” scams (where the sender asks for access to banking information). • Malware: Malicious software attacks occur with the insertion of small bits of code, or self-standing installable code, that will run according to a predetermined trigger or event, causing anywhere from a mild annoyance to more sophisticated data/processing breaches. One of the most famous of these is the “Dyre or Dridex Trojan” malware attacks that essentially is a redirection attack (sending the user to a spurious site rather than a real one, for example, during a banking operation) that utilizes a Microsoft Office attachment containing a poisoned macro. • DDOS: This is one of the most common to hit major sites. The modus operandi here is to simply overwhelm a site by hitting external facing IP addresses with a flood of service requests, to the point where the website infra- structure is unable to keep up, resulting in a site outage. Banks and financial institutions face multiple such attacks on a weekly basis. • Premeditated hacking: These advanced forms of persistent threats include a com- bination of attempts to maliciously target a website or application and steal/deface intel-
cognizant 20-20 insights 5 lectual property. The attacker uses a combina- tion of measures including phishing, malware and DDOS attacks. Such attacks are usually successful if the attacker has insight into network traffic flows, has access to entry and exit points via IP addresses and can exploit inherent vulnerabilities to gain access to confi- dential data that is not encrypted. • Network “worms”: Network travelling worms are essentially virus attachments to traveling packets of data, which are then either spread by launching remote copies of the same code or are used to penetrate computer memory. Beyond these most common types of attacks, a wide variety of application-based attacks are used which are equally effective, which include attacking mechanisms such as SQL injection,9 password and hash cracking10 and cross–site scripting.11 Figure 2 depicts a sample of the items that a vulnerability assessment should cover when looking at applications. Keeping Security Testing Effective and Affordable Much of the cost for fighting cybercrime should be contained within the overall quality assurance budget. Genuine penetration testing, however, depends on the complex scenarios identified by the organization with respect to its infrastruc- ture and the amount of human or manual effort required to deliver and complete a successful test strategy. One such mode is IP-based testing. For example, more complex models of penetra- tion testing require a detailed understanding of the workload or traffic payload flowing through specific IP addresses that pose a security threat. Once the traffic workload has been calculated, based on services that are connected to the external network, a price per testable service can be determined. Penetration testing can then be tailor-made to the requirements of an enterprise and its budget. SAST and DAST Decoded Over and above penetration testing, code and application level security testing – specifically static access security testing (or SAST, which is code-level security scanning) and dynamic access security testing (DAST) – are usually in budgets for application development and deployment projects. As many testing efforts in SAST and DAST are tool-based, tool license pricing forms a large part of the expenditure. Factors often looked at in pricing include but are not limited to: lines of code to be scanned or number of scans to be performed; types of scenarios to be scanned; and checking and rejection of “false positives” data and support available. Assessment of Potential Threats Figure 2 Internal, External, Humanly Motivated, Ethical Hacks, Serious Hacks, APT, Accidental Arch., Design, Code, Application Front End, Database, Middle Web Services & Infrastructure, Social Media, Cloud Hosting and Mobile Front Tier, Middle Tier, Back Tier Insufficient Authentication Parameter Manipulation Lack of Encryption in Sensitive Data, SQL Injections Invalidated Inputs Flaws in Authenticating and Authorizing Identities DTD Entity Reference Attack Database External XML Entity Attack • Web Applications • Mobile Apps • Cloud-Hosted Solutions • Social Media Integration • Network & Infrastructure • Internet of Things • End Point Security Integration Server Web/App Server Insufficient Transport Layer Security Security Misconfiguration Handling Exceptions Insufficient Authorization Session Hijacking & Cookie Replay Attacks, Cross Site Scripting Black Box (Manual & Automated) White Box (Automated & Manual) • Threat Modeling • Code Review • Application Scan • Database Scan • Infra Scan Firewall Technologies Database Server Lack of Encrypting or Hashing Sensitive Data Web Applications REST API MQTT coAP Custom
cognizant 20-20 insights 6 Looking Forward: Security Questions Every Organization Must Answer • Did your organization undergo a recent merger or acquisition? Chances are some of the appli- cations acquired through mergers could have vulnerabilities that may not be protected by the existing perimeter defense’s rules. • Are your business-critical applications risk- rated or do they have enough protection against known threats? Have you evaluated them against your organization’s risk appetite? Evaluate your application’s security posture through a vulnerability assessment exercise and ensure your business-critical applications stay within your organization’s risk appetite. • Is your development team’s choice of technology, framework and software develop­ ment guided by documented and approved security standards? Establish a standards- based development methodology and confirm security assurance through vulner- ability assessment. • Does your organization use custom applica- tions often developed under tight timelines? Chances are your development team might have been forced to cut corners and develop vulnerable applications. Identify such applica- tions and conduct a thorough vulnerability assessment of these applications to avoid mis- adventures in the future. • Even if the application has not undergone any change, has your organization thought about how vulernable applications are to new or emerging threats/vectors? Perform periodic security assessment to assess the security posture and the frequency of assessment as defined by a risk score based on the criticality of the application. Footnotes 1 Collins. Katie, “Yahoo and Google to collaborate on encrypted email,” August 8, 2014, www.wired.co.uk. 2 Zorz, Zeljka, “Belgian bank Crelan loses €70 million to BEC scammers, ” January 26, 2016, www.helpnet- security.com. 3 Ashford, Warwick, “More than 300,000 US taxpayers affected by data breach,” August 18, 2015, www.computerweekly.com. 4 Thielman, Sam, “ProtonMail: encrypted email provider held ransom by hackers,” November 5, 2015, www. theguardian.com. 5 BBC UK, “TalkTalk cyber-attack: Website hit by ‘significant’ breach” (www.bbc.co.uk, October 23, 2015) 6 Riley, Charles, “ Insurance giant Anthem hit by massive data breach” (www.cnn.com, February 6, 2015) 7 Batt, Tony, Kaspersky Lab, “Kaspersky Global IT Risks Survey Report,” October 31, 2013, www.media. kaspersky.com. 8 Batt, Tony, Kaspersky Lab, “Kaspersky Global IT Risks Survey Report,” page 15, October 31, 2013, www.media.kaspersky.com. 9 SQL injection is defined as the insertion of malicious SQL statements for execution primarily to exploit database or data storage content. 10 Hash cracking is defined as a tool or methodology used to recover encrypted or “hashed” passwords/ other security information. 11 Cross-site scripting is defined as the injection of client side scripts often of a malicious nature into web pages to overcome security features. Establish a standards-based development methodology and confirm security assurance through vulnerability assessment.
About Cognizant Cognizant (NASDAQ: CTSH) is a leading provider of information technology, consulting, and business process services, dedicated to helping the world’s leading companies build stronger businesses. Head- quartered in Teaneck, New Jersey (U.S.), Cognizant combines a passion for client satisfaction, technol- ogy innovation, deep industry and business process expertise, and a global, collaborative workforce that embodies the future of work. With over 100 development and delivery centers worldwide and approxi- mately 233,000 employees as of March 31, 2016, Cognizant is a member of the NASDAQ-100, the S&P 500, the Forbes Global 2000, and the Fortune 500 and is ranked among the top performing and fastest growing companies in the world. Visit us online at www.cognizant.com or follow us on Twitter: Cognizant. About Cognizant Security Testing A key component of Cognizant’s Quality Engineering and Assurance business unit, our Security Testing practice provides end-to-end security testing services and ensures our clients’ IT applications are pro- tected from security threats and their customers’ data and privacy is protected. The group is comprised of over 300 certified security testers who have successfully delivered security testing engagements to 100-plus customers. Our application security assessments focus on a benchmarked review of vulnerabili- ties against various standards including the OWASP (Open Web Application Security) top ten list, comple- mented by support for remediation and compliance management services. Our security testing solutions preempt security vulnerabilities of the modern digital ecosystem and improve organizational resilience. To learn more, please visit https://latestthinking.cognizant.com/quality-engineering-and-assurance. World Headquarters 500 Frank W. Burr Blvd. Teaneck, NJ 07666 USA Phone: +1 201 801 0233 Fax: +1 201 801 0243 Toll Free: +1 888 937 3277 Email: inquiry@cognizant.com European Headquarters 1 Kingdom Street Paddington Central London W2 6BD Phone: +44 (0) 20 7297 7600 Fax: +44 (0) 20 7121 0102 Email: infouk@cognizant.com India Operations Headquarters #5/535, Old Mahabalipuram Road Okkiyam Pettai, Thoraipakkam Chennai, 600 096 India Phone: +91 (0) 44 4209 6000 Fax: +91 (0) 44 4209 6060 Email: inquiryindia@cognizant.com ­­© Copyright 2016, Cognizant. All rights reserved. No part of this document may be reproduced, stored in a retrieval system, transmitted in any form or by any means, electronic, mechanical, photocopying, recording, or otherwise, without the express written permission from Cognizant. The information contained herein is subject to change without notice. All other trademarks mentioned herein are the property of their respective owners. About the Authors Nagaraju Padavala is Associate Director of Projects within Cognizant’s Quality Engineering and Assurance business unit. He has more than 14 years of rich non-functional testing experience. Nagaraju has played various roles ranging from a performance test consultant to performance delivery head for major accounts across a wide variety of clients in all geographies. He currently leads the Security Testing Practice and other digital NFT solutions such as SMAC performance, IoT NFT and OAT within the company’s Non-Func- tional Testing Center of Excellence. Nagaraju holds a masters degree in engineering, power systems, has earned Project Management Professional (PMP) certification and is an HP LoadRunner Certified Product Consultant (CPC). He can be reached at Nagaraju.Padavala@cognizant.com. Madhu Jatheendran is an Associate Director, Projects within Cognizant’s Quality Engineering and Assurance business unit. He has 19 years of experience in IT in a variety of roles from programmer to program manager with experienced running teams of 250-plus personnel for a variety of clients. Currently, Madhu leads non-functional quality assurance from a vendor perspective for a major retail banking client in the UK. He is also responsible for non-functional testing services in the UK/CE region, including security and accessibility testing. Madhu has a bachelor’s degree in electronics engineering from Bangalore University, an MBA from the University of Oxford and MSP certification in program management. He can be reached at Madhu.Jatheendran@cognizant.com. Kavitha Jayaraman is a Senior Manager of Projects within Cognizant’s Quality Engineering and Assurance business unit. She has 12 years of experience in the IT industry, including 10 years of rich experience in information security. Kavitha has played various roles from security analyst/consultant to building security centers of excellence for various organizations such as Hewlett-Packard and Symantec before joining Cognizant. She has authored and presented application security white papers at various conferences such as Swiss Testing Day and ISQT, among others. Kavitha holds a degree in electronics and communication engineering from Bharathiar University. She can be reached at Kavitha.J@cognizant.com. Codex 1869

More Related Content

DOCX
VAPT- A Service on Eucalyptus Cloud
Swapna Shetye
 
PPTX
Healthcare IT Security Threats & Ways to Defend Them
CheapSSLsecurity
 
PDF
Fundamentals of information systems security ( pdf drive ) chapter 1
newbie2019
 
PDF
Data Security in Healthcare
Quick Heal Technologies Ltd.
 
PPTX
Cyber Security Landscape: Changes, Threats and Challenges
Bloxx
 
PDF
100+ Cyber Security Interview Questions and Answers in 2022
Temok IT Services
 
PDF
ICION 2016 - Cyber Security Governance
Charles Lim
 
PDF
Getting ahead of compromise
CMR WORLD TECH
 
VAPT- A Service on Eucalyptus Cloud
Swapna Shetye
 
Healthcare IT Security Threats & Ways to Defend Them
CheapSSLsecurity
 
Fundamentals of information systems security ( pdf drive ) chapter 1
newbie2019
 
Data Security in Healthcare
Quick Heal Technologies Ltd.
 
Cyber Security Landscape: Changes, Threats and Challenges
Bloxx
 
100+ Cyber Security Interview Questions and Answers in 2022
Temok IT Services
 
ICION 2016 - Cyber Security Governance
Charles Lim
 
Getting ahead of compromise
CMR WORLD TECH
 

What's hot (18)

PDF
Toward Continuous Cybersecurity with Network Automation
E.S.G. JR. Consulting, Inc.
 
PDF
IRJET- Minimize Phishing Attacks: Securing Spear Attacks
IRJET Journal
 
PPTX
Risks and Security of Internet and System
Param Nanavati
 
PDF
C02
newbie2019
 
PPTX
Three trends in cybersecurity
Alexander Deucalion
 
PPTX
The State Of Information and Cyber Security in 2016
Shannon G., MBA
 
PPTX
What lies ahead? 2016 Cyber Security Predictions from Symantec in the EMEA (E...
Symantec
 
PPTX
Summer internship - Cybersecurity
AbhilashYadav14
 
PPTX
Information Security Management System in the Banking Sector
Samvel Gevorgyan
 
PDF
The Seven Kinds of Security
Veracode
 
PDF
SME Cyber Insurance
Netpluz Asia Pte Ltd
 
ODP
Cyber Security for Financial Institutions
Khawar Nehal [email protected]
 
PDF
Key Findings from the 2015 IBM Cyber Security Intelligence Index
IBM Security
 
PDF
Cybersecurity: Cyber Risk Management for Banks & Financial Institutions
Shawn Tuma
 
PDF
Cyber Security and the National Central Banks
Community Protection Forum
 
PDF
Outlook Briefing 2016: Cyber Security
Mastel Indonesia
 
PPTX
Web application firewall solution market
SameerShaikh225
 
PDF
Top 10 cybersecurity predictions for 2016 by Matthew Rosenquist
Matthew Rosenquist
 
Toward Continuous Cybersecurity with Network Automation
E.S.G. JR. Consulting, Inc.
 
IRJET- Minimize Phishing Attacks: Securing Spear Attacks
IRJET Journal
 
Risks and Security of Internet and System
Param Nanavati
 
C02
newbie2019
 
Three trends in cybersecurity
Alexander Deucalion
 
The State Of Information and Cyber Security in 2016
Shannon G., MBA
 
What lies ahead? 2016 Cyber Security Predictions from Symantec in the EMEA (E...
Symantec
 
Summer internship - Cybersecurity
AbhilashYadav14
 
Information Security Management System in the Banking Sector
Samvel Gevorgyan
 
The Seven Kinds of Security
Veracode
 
SME Cyber Insurance
Netpluz Asia Pte Ltd
 
Cyber Security for Financial Institutions
Khawar Nehal [email protected]
 
Key Findings from the 2015 IBM Cyber Security Intelligence Index
IBM Security
 
Cybersecurity: Cyber Risk Management for Banks & Financial Institutions
Shawn Tuma
 
Cyber Security and the National Central Banks
Community Protection Forum
 
Outlook Briefing 2016: Cyber Security
Mastel Indonesia
 
Web application firewall solution market
SameerShaikh225
 
Top 10 cybersecurity predictions for 2016 by Matthew Rosenquist
Matthew Rosenquist
 
Ad

Similar to Application Security: Safeguarding Data, Protecting Reputations (20)

DOCX
Backtrack manual Part1
Nutan Kumar Panda
 
PDF
What is Penetration Testing?
Rapid7
 
PDF
Why Penetration Tests Are Important Cyber51
martinvoelk
 
PDF
Vulnerability Assessment.pdf Vulnerability Assessment
JohnFelix45
 
PDF
Information Security
divyeshkharade
 
PDF
Information Security
Madushan Sandaruwan
 
PPTX
Assessing a pen tester: Making the right choice when choosing a third party P...
Jason Broz, CIPP/US
 
PDF
Vulnerability Assessment and Penetration Testing Report
Rishabh Upadhyay
 
PDF
Penetration testing must die
Security BSides London
 
PDF
Introduction to Website Pentesting.pptx.pdf
apurvar399
 
PDF
How to Keep Hackers Out of Your Organisation
IBM Danmark
 
PDF
COVID-19 free penetration tests by Pentest-Tools.com
Pentest-Tools.com
 
PDF
Penetration Testing Guide
Badawy Abd El-Aziz
 
PDF
Unraveling the Confusion Surrounding the Purpose of Penetration Tests
Bo Birdwell
 
PPTX
It security cognic_systems
Cognic Systems Pvt Ltd
 
PDF
Cyber Security Company.pdf
pdfcompressor1
 
PDF
AN OVERVIEW OF PENETRATION TESTING
IJNSA Journal
 
PDF
2015-03-24 IT Security - What You Need to Know
Raffa Learning Community
 
PPT
M Kamens Iia Financial Services Presentation At Disney
kamensm02
 
PDF
Application Lecurity Lectures by professor
OmarKhattab41
 
Backtrack manual Part1
Nutan Kumar Panda
 
What is Penetration Testing?
Rapid7
 
Why Penetration Tests Are Important Cyber51
martinvoelk
 
Vulnerability Assessment.pdf Vulnerability Assessment
JohnFelix45
 
Information Security
divyeshkharade
 
Information Security
Madushan Sandaruwan
 
Assessing a pen tester: Making the right choice when choosing a third party P...
Jason Broz, CIPP/US
 
Vulnerability Assessment and Penetration Testing Report
Rishabh Upadhyay
 
Penetration testing must die
Security BSides London
 
Introduction to Website Pentesting.pptx.pdf
apurvar399
 
How to Keep Hackers Out of Your Organisation
IBM Danmark
 
COVID-19 free penetration tests by Pentest-Tools.com
Pentest-Tools.com
 
Penetration Testing Guide
Badawy Abd El-Aziz
 
Unraveling the Confusion Surrounding the Purpose of Penetration Tests
Bo Birdwell
 
It security cognic_systems
Cognic Systems Pvt Ltd
 
Cyber Security Company.pdf
pdfcompressor1
 
AN OVERVIEW OF PENETRATION TESTING
IJNSA Journal
 
2015-03-24 IT Security - What You Need to Know
Raffa Learning Community
 
M Kamens Iia Financial Services Presentation At Disney
kamensm02
 
Application Lecurity Lectures by professor
OmarKhattab41
 
Ad

More from Cognizant (20)

PDF
Using Adaptive Scrum to Tame Process Reverse Engineering in Data Analytics Pr...
Cognizant
 
PDF
Data Modernization: Breaking the AI Vicious Cycle for Superior Decision-making
Cognizant
 
PDF
It Takes an Ecosystem: How Technology Companies Deliver Exceptional Experiences
Cognizant
 
PDF
Intuition Engineered
Cognizant
 
PDF
The Work Ahead: Transportation and Logistics Delivering on the Digital-Physic...
Cognizant
 
PDF
Enhancing Desirability: Five Considerations for Winning Digital Initiatives
Cognizant
 
PDF
The Work Ahead in Manufacturing: Fulfilling the Agility Mandate
Cognizant
 
PDF
The Work Ahead in Higher Education: Repaving the Road for the Employees of To...
Cognizant
 
PDF
Engineering the Next-Gen Digital Claims Organisation for Australian General I...
Cognizant
 
PDF
Profitability in the Direct-to-Consumer Marketplace: A Playbook for Media and...
Cognizant
 
PDF
Green Rush: The Economic Imperative for Sustainability
Cognizant
 
PDF
Policy Administration Modernization: Four Paths for Insurers
Cognizant
 
PDF
The Work Ahead in Utilities: Powering a Sustainable Future with Digital
Cognizant
 
PDF
AI in Media & Entertainment: Starting the Journey to Value
Cognizant
 
PDF
Operations Workforce Management: A Data-Informed, Digital-First Approach
Cognizant
 
PDF
Five Priorities for Quality Engineering When Taking Banking to the Cloud
Cognizant
 
PDF
Getting Ahead With AI: How APAC Companies Replicate Success by Remaining Focused
Cognizant
 
PDF
Crafting the Utility of the Future
Cognizant
 
PDF
Utilities Can Ramp Up CX with a Customer Data Platform
Cognizant
 
PDF
The Work Ahead in Intelligent Automation: Coping with Complexity in a Post-Pa...
Cognizant
 
Using Adaptive Scrum to Tame Process Reverse Engineering in Data Analytics Pr...
Cognizant
 
Data Modernization: Breaking the AI Vicious Cycle for Superior Decision-making
Cognizant
 
It Takes an Ecosystem: How Technology Companies Deliver Exceptional Experiences
Cognizant
 
Intuition Engineered
Cognizant
 
The Work Ahead: Transportation and Logistics Delivering on the Digital-Physic...
Cognizant
 
Enhancing Desirability: Five Considerations for Winning Digital Initiatives
Cognizant
 
The Work Ahead in Manufacturing: Fulfilling the Agility Mandate
Cognizant
 
The Work Ahead in Higher Education: Repaving the Road for the Employees of To...
Cognizant
 
Engineering the Next-Gen Digital Claims Organisation for Australian General I...
Cognizant
 
Profitability in the Direct-to-Consumer Marketplace: A Playbook for Media and...
Cognizant
 
Green Rush: The Economic Imperative for Sustainability
Cognizant
 
Policy Administration Modernization: Four Paths for Insurers
Cognizant
 
The Work Ahead in Utilities: Powering a Sustainable Future with Digital
Cognizant
 
AI in Media & Entertainment: Starting the Journey to Value
Cognizant
 
Operations Workforce Management: A Data-Informed, Digital-First Approach
Cognizant
 
Five Priorities for Quality Engineering When Taking Banking to the Cloud
Cognizant
 
Getting Ahead With AI: How APAC Companies Replicate Success by Remaining Focused
Cognizant
 
Crafting the Utility of the Future
Cognizant
 
Utilities Can Ramp Up CX with a Customer Data Platform
Cognizant
 
The Work Ahead in Intelligent Automation: Coping with Complexity in a Post-Pa...
Cognizant
 

Application Security: Safeguarding Data, Protecting Reputations

  • 1. Application Security: Safeguarding Data, Protecting Reputations Assessing IT systems and network vulnerabilities in today’s interconnected digital world is a daunting endeavor. By embracing penetration testing’s best practices and procedures, organizations can proactively and affordably address security loopholes before hackers undermine customer confidence, brand reputation and financial well-being. Executive Summary In today’s connected digital ecosystem, applica- tions are center stage, influencing all the ways in which we interact and communicate. These applications contain sensitive data and deliver business-critical information services, and as a result even the smallest security loophole is exploited by cybercriminals looking to wreak havoc. While numerous cybercrime incidents have occurred over the years that damaged customer confidence and brand reputation, solving inherent information security challenges remains a work in progress for many organizations. The hacking challenge is so steep, that born- digital companies Yahoo and Google recently partnered to create an encrypted e-mail system 1 that allegedly cannot be decrypted even by the companies themselves. Clearly, our lives are increasingly reliant on digital devices, many of which are prone to security hacks. As a result, there is a grave concern about security, reinforced by recent events: • In January 2016, a large Belgian bank was attacked by cybercriminals that cost the bank 70 million euros, although no customers were affected by the breach. This type of attack is called a whaling attack or spear-phishing. 2 • In August 2015, the U.S. Internal Revenue Service reported that about 300,000 taxpayers’ personal information was compromised when hackers cracked the agency’s multi-step authentication process and were able to make fraudulent claims for tax refunds using stolen identities. 3 • In November 2015, a Switzerland-based encrypted e-mail provider’s Internet connection was held for ransom by hackers in what could be described as a distributed denial of service (DDOS) attack. 4 cognizant 20-20 insights | june 2016 • Cognizant 20-20 Insights
  • 2. cognizant 20-20 insights 2 • In October 2015, a UK phone and broadband provider’s website was hacked by cyber- criminals who may have pilfered confidential banking details and personal information. This type of attack could be described as a sequential attack or SQL injection. 5 • In February 2015, a large U.S. health insurer’s database was breached, and sensitive informa- tion that affected about 80 million customer records was stolen. This was described as a sophisticated advanced persistent threat (APT), where a malicious user gains access to internal networks primarily to steal data. 6 This white paper talks about the importance of penetration in the digital arena and the process involved in preventing it. It also talks about the types of penetration testing, testing strategy and the costs involved in cybersecurity. Debunking Security Myths, Working Proactively to Plug Vulnerabilities Information plays a crucial role in every aspect of today’s modern digital world. Companies have launched more efficient ways to swiftly and safely deliver information and application services to end users inside and outside their firewalls. Safe- guarding such high volumes of data from cyber- attacks is a cumbersome task for most organiza- tions. Let’s start by debunking some myths that surround the concept of security testing (see Figure 1 below). While most organizations implement firewalls, SSL encryption and secure policies, every now and then they still become victims of cyber- attacks. The aforementioned incidents are proof that cyberattacks are not specific to any industry and can cause business distruption or, worse, undermine brand confidence or unleash financial damage that could challenge the very existence of any company. Attacks involving the loss of customer data and/or theft of important company information begin with the realization that the enterprise has been penetrated, followed by concern over what the breach has actually damaged. By then, it is often too late for the company to protect itself and its customers. Incorporating security testing early in the software development lifecycle can help orga- nizations identify application and infrastruc- ture vulnerabilities before cybercriminals strike. Periodical penetration testing helps unravel the organization’s current security posture. Incorporating security testing early in the software development lifecycle can help organizations identify application and infrastructure vulnerabilities before cybercriminals strike. Myth 2 Myth 1 Myth 3 • Myth 1: We have firewalls in place, which can protect our digital assets from threats. Fact: Firewalls can protect the system at the network level to a certain extent, but an attack could permeate through the application layer which cannot be tackled by firewalls. • Myth 2: Our applica- tions are internal and thus are not exposed to the Internet. • Fact: Many orga- nizations prioritize protecting the corporate information jewels from external attacks, but insider attacks are, sadly, more prevalent. Insiders have authorized system access and are familiar with the network architecture and policies. • Myth 3: Secure sockets layer (SSL) technology protects a website from intruders. Fact: Implementing SSL is not enough to protect websites from hackers as these can be exploited by forcing the browser to use low-encryption algorithms and decrypt the traffic, which leads to a “man- in-the-middle attack.” Figure 1
  • 3. Defining Penetration Testing In simple terms, penetration testing is an in-depth security assessment that identifies the security loopholes in a system, from applications through infrastructure, which hackers use to exploit the system. It is an attempt to examine and evaluate by safely exploiting the vulner- abilities that may exist in operating systems, services and applications due to improper con- figuration management, insecure coding, weak design elements and incorrect implementation of security policies and procedures. Once vulnerabilities have been successfully exploited on a particular system, the compro- mised system can be used to launch attacks on the interconnected infrastructure to achieve higher privileges and take down the remaining portions of the network and related systems. Moreover, preventive measures taken by organizations to safeguard assets against such occurrences are a hallmark of effective penetration testing. Penetration testing helps customers protect company assets from cyberattacks. It helps define the vulnerabilities as identified by Open Web Application Security Project (OWASP), SysAdmin, Audit, Network, and Security (SANS) and Open Source Security Testing Methodology Manual (OSSTM) standards. In addition, it allows business leaders to understand the impact of those vulner- abilities in the real world. Where Penetration Testing Fits Today’s technology-intensive world pivots around applications that are complex to build, and that must scale internally and externally to fit most business needs. Though Web applications are now the predominant means for delivering infor- mation services to customers and internal users, there are many layers between the users and the database that house critical data. Hackers who can compromise the security of Web applications would gain access not only to sensitive data but gain the keys to the enterprise information archi- tecture kingdom. To prevent this from occurring, penetration testing can be applied to: • Identify security breaches that could result in business loss. • Comply with industry standards and regula- tions by ensuring that applications comply with industry standards such as ISO 27001, PCI DSS, NIST, FISMA HIPAA and Sarbanes-Oxley. • Enable an organization to avoid penalties for noncompliance by demonstrating a commitment to security due diligence and compliance. The Penetration Testing Process Our security assessment methodology covers the following security assessment guidelines: • OWASP top 10 vulnerabilities. • OWASP Application Security Verification Standard (ASVS). • SANS top 25. • OSTMM. • Web Application Security Consortium (WASC) guidelines. These standards define the process of penetra- tion testing using the following steps: • Manual inspections and reviews. • Threat modeling: >> Breaking the application down into its com- ponents. >> Classifying the assets protected/contained by that application. >> Exploring vulnerabilities, threats and other issues. >> Creating mitigating strategies. • Source code review (static application security testing): >> Manual and automated scans for trojan hors- es, time bombs, backdoors, etc. >> Procedures for deployment that may expose vulnerabilities. • Penetration testing: >> Web application penetration testing (dynam- ic application security testing). >> Infrastructure penetration testing. Penetration testing helps customers protect company assets from cyberattacks. Hackers who can compromise the security of Web applications would gain access not only to sensitive data but gain the keys to the enterprise information architecture kingdom. cognizant 20-20 insights 3
  • 4. cognizant 20-20 insights 4 Formulating an Effective Strategy A comprehensive security testing approach can help uncover systems and network vulnerabilities. • Understand the security architecture and test the architecture rather than focusing on vul- nerabilities as listed in OWASP or SANS. • Verify whether the system has followed essential security principles such as: >> Fail securely. >> Defense in depth. >> Separation of privilege. >> Least privilege. • In the case of a multitier architecture, the approach should cover testing all tiers and all horizontal layers such as network, OS, server container frameworks and the server container that houses the application. Required sample tests include: >> Firewalking: Sending crafted network pack- ets to predict the firewall rules. >> Web application penetration tests. >> Web service tests. >> Database penetration tests. >> Network penetration tests. >> OS hardening tests. • In an ideal scenario, it is a good practice to test all the tiers and components involved, but in reality there is hardly enough time and budget to perform all of these tests. In such situations, risk-based testing can be conducted to: >> Analyze the level of changes made to each system. >> Analyze the risks from previous security scans on the same components. >> Assess a threat advisory issued on specific components. • A risk-based comprehensive approach provides the desired level of security validation in a cost- effective way. The Cost of Security The cost of security incidents depends on the type of incidents experienced and the number of incidents that have occurred. Generally, security incidents increase year on year. According to security software vendor Kaspersky, 7 the most expensive types of incidents involve: 8 • Worm, spyware and other malicious programs. • Vulnerabilities in existing software. • Accidental or otherwise sharing of data by staff. • Loss or theft of staff mobile devices. • Network intrusion or hacking. The cost of a security breach will always be prohib- itive when compared with the cost of protection. Moreover, a constantly evolving threat landscape adversely impacts the cost of security to be borne today and in the immediate future. Kaspersky also reported, “Roughly 90% of the companies with which we work or have spoken with confirm that they consistently confront security incidents that vary from malware attacks, to DDOS, to targeted intrusion attacks.” Given the variety, it is worthwhile to understand how common security attacks differ. • Phishing: This type of attack entails tricking or attracting a user to reveal sensitive information for malicious purposes in electronic communi- cation. The simplest example in this category is the “Nigerian e-mail” scams (where the sender asks for access to banking information). • Malware: Malicious software attacks occur with the insertion of small bits of code, or self-standing installable code, that will run according to a predetermined trigger or event, causing anywhere from a mild annoyance to more sophisticated data/processing breaches. One of the most famous of these is the “Dyre or Dridex Trojan” malware attacks that essentially is a redirection attack (sending the user to a spurious site rather than a real one, for example, during a banking operation) that utilizes a Microsoft Office attachment containing a poisoned macro. • DDOS: This is one of the most common to hit major sites. The modus operandi here is to simply overwhelm a site by hitting external facing IP addresses with a flood of service requests, to the point where the website infra- structure is unable to keep up, resulting in a site outage. Banks and financial institutions face multiple such attacks on a weekly basis. • Premeditated hacking: These advanced forms of persistent threats include a com- bination of attempts to maliciously target a website or application and steal/deface intel-
  • 5. cognizant 20-20 insights 5 lectual property. The attacker uses a combina- tion of measures including phishing, malware and DDOS attacks. Such attacks are usually successful if the attacker has insight into network traffic flows, has access to entry and exit points via IP addresses and can exploit inherent vulnerabilities to gain access to confi- dential data that is not encrypted. • Network “worms”: Network travelling worms are essentially virus attachments to traveling packets of data, which are then either spread by launching remote copies of the same code or are used to penetrate computer memory. Beyond these most common types of attacks, a wide variety of application-based attacks are used which are equally effective, which include attacking mechanisms such as SQL injection,9 password and hash cracking10 and cross–site scripting.11 Figure 2 depicts a sample of the items that a vulnerability assessment should cover when looking at applications. Keeping Security Testing Effective and Affordable Much of the cost for fighting cybercrime should be contained within the overall quality assurance budget. Genuine penetration testing, however, depends on the complex scenarios identified by the organization with respect to its infrastruc- ture and the amount of human or manual effort required to deliver and complete a successful test strategy. One such mode is IP-based testing. For example, more complex models of penetra- tion testing require a detailed understanding of the workload or traffic payload flowing through specific IP addresses that pose a security threat. Once the traffic workload has been calculated, based on services that are connected to the external network, a price per testable service can be determined. Penetration testing can then be tailor-made to the requirements of an enterprise and its budget. SAST and DAST Decoded Over and above penetration testing, code and application level security testing – specifically static access security testing (or SAST, which is code-level security scanning) and dynamic access security testing (DAST) – are usually in budgets for application development and deployment projects. As many testing efforts in SAST and DAST are tool-based, tool license pricing forms a large part of the expenditure. Factors often looked at in pricing include but are not limited to: lines of code to be scanned or number of scans to be performed; types of scenarios to be scanned; and checking and rejection of “false positives” data and support available. Assessment of Potential Threats Figure 2 Internal, External, Humanly Motivated, Ethical Hacks, Serious Hacks, APT, Accidental Arch., Design, Code, Application Front End, Database, Middle Web Services & Infrastructure, Social Media, Cloud Hosting and Mobile Front Tier, Middle Tier, Back Tier Insufficient Authentication Parameter Manipulation Lack of Encryption in Sensitive Data, SQL Injections Invalidated Inputs Flaws in Authenticating and Authorizing Identities DTD Entity Reference Attack Database External XML Entity Attack • Web Applications • Mobile Apps • Cloud-Hosted Solutions • Social Media Integration • Network & Infrastructure • Internet of Things • End Point Security Integration Server Web/App Server Insufficient Transport Layer Security Security Misconfiguration Handling Exceptions Insufficient Authorization Session Hijacking & Cookie Replay Attacks, Cross Site Scripting Black Box (Manual & Automated) White Box (Automated & Manual) • Threat Modeling • Code Review • Application Scan • Database Scan • Infra Scan Firewall Technologies Database Server Lack of Encrypting or Hashing Sensitive Data Web Applications REST API MQTT coAP Custom
  • 6. cognizant 20-20 insights 6 Looking Forward: Security Questions Every Organization Must Answer • Did your organization undergo a recent merger or acquisition? Chances are some of the appli- cations acquired through mergers could have vulnerabilities that may not be protected by the existing perimeter defense’s rules. • Are your business-critical applications risk- rated or do they have enough protection against known threats? Have you evaluated them against your organization’s risk appetite? Evaluate your application’s security posture through a vulnerability assessment exercise and ensure your business-critical applications stay within your organization’s risk appetite. • Is your development team’s choice of technology, framework and software develop­ ment guided by documented and approved security standards? Establish a standards- based development methodology and confirm security assurance through vulner- ability assessment. • Does your organization use custom applica- tions often developed under tight timelines? Chances are your development team might have been forced to cut corners and develop vulnerable applications. Identify such applica- tions and conduct a thorough vulnerability assessment of these applications to avoid mis- adventures in the future. • Even if the application has not undergone any change, has your organization thought about how vulernable applications are to new or emerging threats/vectors? Perform periodic security assessment to assess the security posture and the frequency of assessment as defined by a risk score based on the criticality of the application. Footnotes 1 Collins. Katie, “Yahoo and Google to collaborate on encrypted email,” August 8, 2014, www.wired.co.uk. 2 Zorz, Zeljka, “Belgian bank Crelan loses €70 million to BEC scammers, ” January 26, 2016, www.helpnet- security.com. 3 Ashford, Warwick, “More than 300,000 US taxpayers affected by data breach,” August 18, 2015, www.computerweekly.com. 4 Thielman, Sam, “ProtonMail: encrypted email provider held ransom by hackers,” November 5, 2015, www. theguardian.com. 5 BBC UK, “TalkTalk cyber-attack: Website hit by ‘significant’ breach” (www.bbc.co.uk, October 23, 2015) 6 Riley, Charles, “ Insurance giant Anthem hit by massive data breach” (www.cnn.com, February 6, 2015) 7 Batt, Tony, Kaspersky Lab, “Kaspersky Global IT Risks Survey Report,” October 31, 2013, www.media. kaspersky.com. 8 Batt, Tony, Kaspersky Lab, “Kaspersky Global IT Risks Survey Report,” page 15, October 31, 2013, www.media.kaspersky.com. 9 SQL injection is defined as the insertion of malicious SQL statements for execution primarily to exploit database or data storage content. 10 Hash cracking is defined as a tool or methodology used to recover encrypted or “hashed” passwords/ other security information. 11 Cross-site scripting is defined as the injection of client side scripts often of a malicious nature into web pages to overcome security features. Establish a standards-based development methodology and confirm security assurance through vulnerability assessment.
  • 7. About Cognizant Cognizant (NASDAQ: CTSH) is a leading provider of information technology, consulting, and business process services, dedicated to helping the world’s leading companies build stronger businesses. Head- quartered in Teaneck, New Jersey (U.S.), Cognizant combines a passion for client satisfaction, technol- ogy innovation, deep industry and business process expertise, and a global, collaborative workforce that embodies the future of work. With over 100 development and delivery centers worldwide and approxi- mately 233,000 employees as of March 31, 2016, Cognizant is a member of the NASDAQ-100, the S&P 500, the Forbes Global 2000, and the Fortune 500 and is ranked among the top performing and fastest growing companies in the world. Visit us online at www.cognizant.com or follow us on Twitter: Cognizant. About Cognizant Security Testing A key component of Cognizant’s Quality Engineering and Assurance business unit, our Security Testing practice provides end-to-end security testing services and ensures our clients’ IT applications are pro- tected from security threats and their customers’ data and privacy is protected. The group is comprised of over 300 certified security testers who have successfully delivered security testing engagements to 100-plus customers. Our application security assessments focus on a benchmarked review of vulnerabili- ties against various standards including the OWASP (Open Web Application Security) top ten list, comple- mented by support for remediation and compliance management services. Our security testing solutions preempt security vulnerabilities of the modern digital ecosystem and improve organizational resilience. To learn more, please visit https://latestthinking.cognizant.com/quality-engineering-and-assurance. World Headquarters 500 Frank W. Burr Blvd. Teaneck, NJ 07666 USA Phone: +1 201 801 0233 Fax: +1 201 801 0243 Toll Free: +1 888 937 3277 Email: [email protected] European Headquarters 1 Kingdom Street Paddington Central London W2 6BD Phone: +44 (0) 20 7297 7600 Fax: +44 (0) 20 7121 0102 Email: [email protected] India Operations Headquarters #5/535, Old Mahabalipuram Road Okkiyam Pettai, Thoraipakkam Chennai, 600 096 India Phone: +91 (0) 44 4209 6000 Fax: +91 (0) 44 4209 6060 Email: [email protected] ­­© Copyright 2016, Cognizant. All rights reserved. No part of this document may be reproduced, stored in a retrieval system, transmitted in any form or by any means, electronic, mechanical, photocopying, recording, or otherwise, without the express written permission from Cognizant. The information contained herein is subject to change without notice. All other trademarks mentioned herein are the property of their respective owners. About the Authors Nagaraju Padavala is Associate Director of Projects within Cognizant’s Quality Engineering and Assurance business unit. He has more than 14 years of rich non-functional testing experience. Nagaraju has played various roles ranging from a performance test consultant to performance delivery head for major accounts across a wide variety of clients in all geographies. He currently leads the Security Testing Practice and other digital NFT solutions such as SMAC performance, IoT NFT and OAT within the company’s Non-Func- tional Testing Center of Excellence. Nagaraju holds a masters degree in engineering, power systems, has earned Project Management Professional (PMP) certification and is an HP LoadRunner Certified Product Consultant (CPC). He can be reached at [email protected]. Madhu Jatheendran is an Associate Director, Projects within Cognizant’s Quality Engineering and Assurance business unit. He has 19 years of experience in IT in a variety of roles from programmer to program manager with experienced running teams of 250-plus personnel for a variety of clients. Currently, Madhu leads non-functional quality assurance from a vendor perspective for a major retail banking client in the UK. He is also responsible for non-functional testing services in the UK/CE region, including security and accessibility testing. Madhu has a bachelor’s degree in electronics engineering from Bangalore University, an MBA from the University of Oxford and MSP certification in program management. He can be reached at [email protected]. Kavitha Jayaraman is a Senior Manager of Projects within Cognizant’s Quality Engineering and Assurance business unit. She has 12 years of experience in the IT industry, including 10 years of rich experience in information security. Kavitha has played various roles from security analyst/consultant to building security centers of excellence for various organizations such as Hewlett-Packard and Symantec before joining Cognizant. She has authored and presented application security white papers at various conferences such as Swiss Testing Day and ISQT, among others. Kavitha holds a degree in electronics and communication engineering from Bharathiar University. She can be reached at [email protected]. Codex 1869