Security Design and Architecture

Secure Design and Architecture

Are you ready to launch your project and need to consider the security implications before going live?

 

Our consultants are experts in secure coding, security design and architecture. We can review and identify risks in your design and offer guidance. This ensures that security is built into your design from the outset and that you are aware of any and all potential security issues.

 

Secure Code Reviews

Code reviews are designed to identify coding security flaws by testing with both automated tools and manual penetration testing. The Red Cursor secure code review process uses automatic static code analysis tools combined with manual human analysis to find vulnerabilities within application source code. The human reviewer manually verifies each finding to remove false positives, determine the exploitability, and calculate the risk to the organisation.

 

Our automated static code analysis checks that source code conforms to a predefined set of rules or best practices. Automatic analysis is faster than manual analysis and can be executed at depth, checking every possible code execution path. The drawbacks to automatic analysis are that computers cannot understand developer intent, computers cannot check for issues that are not statically enforceable, and there can be false positives. The manual human analysis that follows the tools overcomes these trade-offs. The reviewer knows the tools and knows which rules provide reliable results and which rules provide weak results. Manual analysis can uncover business logic or authorisation-related issues that are often impossible for a computer to understand. For example, automatic analysis would not understand the application roles and who can execute what functionality. The combined hybrid approach provides the best results and discovers the most vulnerabilities with the highest degree of accuracy.

 

Architecture and Design Reviews

Red Cursor’s architecture and design reviews are designed to take an overall holistic view of an application or project and identify security risks that the business may be susceptible to. This catch-all approach covers all security aspects of a business including policies, procedures, and actual configurations of security controls.

 

As part of these reviews Red Cursor identifies:

 

  • How the system operates (e.g. is the application designed in a secure way, are there unacceptable risks)?
  • What data it has access to (e.g. can it access confidential information)?
  • What data it is storing (e.g. is it storing more personal information than it needs)?
  • What permissions it has (e.g. can the system write changes to the system)?
  • What additional entry points are there to the system?

 

To perform these reviews, a Red Cursor principal consultant will first review the documentation for a project. Then they will hold a workshop with an infrastructure engineer/system administrator/network administrator to run through a list of questions about the configuration. Finally, they will identify risks that need to be manually validated by checking configurations.

 

Business Security Reviews

Red Cursor’s business security reviews are targeted towards companies that don’t have dedicated security teams. They are designed to take an overall holistic view of a business and identify security risks that the business may be susceptible to. This approach differs from traditional penetration testing by specifically targeting common mistakes that lead to security incidents. This catch-all approach covers all security aspects of a business including policies, procedures, and actual configurations of security controls.

 

To perform this audit a Red Cursor principal consultant holds a workshop with an infrastructure engineer/system administrator/network administrator to run through a list of questions about their configurations, policies and procedures. The consultant will then perform manual checks of specific items from the Internet.

At a very high level the auditing process can be broken down into the following categories:

 

  • Vulnerability visibility and management controls
  • Network segregation and access controls
  • Account management policies and procedures
  • Internal network hardening
  • External facing infrastructure hardening
  • Wireless security hardening
  • SOE hardening controls
  • Remote access controls
  • 3rd party remote access controls
  • Incident response capabilities
  • Malware protection and detection
  • Email security
  • Governance and legal requirements
  • Mobile device security controls

 

The advantage of this approach is that a highly skilled security professional will review your overall security posture and identify the areas requiring effort and resources.

 

Essential Eight Maturity Reviews

The Essential Eight are mitigation strategies developed by the Australian Signals Directorate’s Australian Cyber Security Centre (ACSC) to prioritise and prevent cyber security incidents. Three maturity levels have been defined by ACSC for each mitigation strategy. These are based on how thoroughly an organisation aligns with the intent of each mitigation strategy.

 

Red Cursor’s review methodology is built on years of expertise in security standards and hardening guidelines. It is also constantly updated as new vulnerabilities and techniques are discovered.

 

To perform this review Red Cursor will hold a workshop to discuss each strategy and confirm to what extent you have implemented each strategy.