State-of-the-art analysis and reporting of security vulnerabilities and risks for a global energy provider
Expert Thinking delivers a modern Azure data solution to a global energy provider. Working collaboratively with RiverSafe (https://riversafe.co.uk/), we developed a DevSecOps security vulnerability analysis and reporting application that gives our customer a consolidated view of security vulnerabilities and risks across all in-scope applications and DevOps pipelines, enabling them to proactively reduce their threat landscape.
CHALLENGE
Our customer needed to establish a consolidated view of their security and risk position across application code and their DevOps pipelines using proprietary outputs from multiple security and code scanning tools. Specific challenges included:
- Deployment of an MVP within ten weeks onto their managed service Azure platform.
- Security was of paramount importance given the extremely sensitive nature of the data.
- Analysis of data from various COTS and bespoke DevSecOps tools, which required structured data in several different formats to be ingested via RESTful APIs.
- The solution needed to be extensible, aligned with the internal architecture strategy, and supportable as new security tools are implemented and new reports are defined.
SOLUTION
Expert Thinking, working closely with RiverSafe, delivered the end-to-end solution from the ground up (MVP within 10 weeks). We led the platform architecture design and the complex data modelling, and engineered the solution end-to-end across platform, analytics and reporting. Key activities included:
- Architecting the Azure solution (ADLS, AAS, ADF, KeyVault, Enterprise Data Warehouse and PowerBI).
- Integrating five upstream systems, including commercially available vulnerability scanning tools (Checkmarx and BlackDuck), Azure DevOps and internally developed bespoke platforms & tooling.
- Analysing data sources and user requirements to establish a common model for the source data sets, so that compound reports could be delivered by organisation, risk, pipeline instance or other application attributes.
- Development of the application across lake, warehouse, Analysis Services and PowerBI – ADF pipelines were used to extract data from source systems via RESTful APIs into the lake and across to the data warehouse based on the defined data model.
- Implementing Azure Analysis Services cubes to feed both PowerBI (for canned reports) and to enable power users to undertake their own modelling of the datasets securely (row-level security).
- Creating the relevant IaC (ARM, JSON) for application deployment into the managed service Azure platform, with Pester test automation to assure the build and deployment of the solution.
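The common model described above, as an added illustration rather than the project's own code: two constructed scanner-style feeds (a SAST feed with word severities and an SCA feed with CVSS scores; the field names are invented, not the real Checkmarx or Black Duck schemas) are normalised into one finding model, de-duplicated across repeated pipeline runs, and rolled up by organisation, pipeline or application.

```python
# Added example, not the project's own code; input field names are constructed.
from collections import Counter
from dataclasses import dataclass

SEVERITY_RANK = {"critical": 4, "high": 3, "medium": 2, "low": 1}  # common scale

@dataclass(frozen=True)
class Finding:
    source: str      # scanner that produced it
    org: str         # owning organisation / team
    pipeline: str    # DevOps pipeline instance
    app: str         # application or component
    severity: str    # normalised to a SEVERITY_RANK key
    finding_id: str  # scanner rule or vulnerability id

def from_sast(rec: dict) -> Finding:
    """Constructed SAST-style record: severity arrives as a word."""
    return Finding("sast", rec["team"], rec["pipeline"], rec["project"],
                   rec["severity"].lower(), rec["rule"])

def from_sca(rec: dict) -> Finding:
    """Constructed SCA-style record: severity arrives as a CVSS base score."""
    s = float(rec["cvss"])
    sev = "critical" if s >= 9 else "high" if s >= 7 else "medium" if s >= 4 else "low"
    return Finding("sca", rec["team"], rec["pipeline"], rec["component"], sev, rec["vuln_id"])

def normalise(sast_rows, sca_rows) -> set:
    # A set drops the same finding re-reported by repeated pipeline runs.
    return {from_sast(r) for r in sast_rows} | {from_sca(r) for r in sca_rows}

def compound_report(findings, by: str) -> dict:
    """Count findings per attribute ('org', 'pipeline', 'app') and severity."""
    report = {}
    for (key, sev), n in Counter((getattr(f, by), f.severity) for f in findings).items():
        report.setdefault(key, {})[sev] = n
    return report

def worst_severity(findings, pipeline: str) -> str:
    """Highest open severity in one pipeline, the figure a release decision keys on."""
    sevs = [f.severity for f in findings if f.pipeline == pipeline]
    return max(sevs, key=SEVERITY_RANK.__getitem__, default="none")

# Constructed sample records; the duplicate SAST row mimics a re-run pipeline.
SAST_ROWS = [{"team": "trading", "pipeline": "pay-ci", "project": "pay-api", "severity": "High", "rule": "SQLi-1"},
             {"team": "trading", "pipeline": "pay-ci", "project": "pay-api", "severity": "High", "rule": "SQLi-1"},
             {"team": "retail", "pipeline": "web-ci", "project": "web", "severity": "Low", "rule": "XSS-7"}]
SCA_ROWS = [{"team": "trading", "pipeline": "pay-ci", "component": "libfoo", "cvss": "9.8", "vuln_id": "V-1"},
            {"team": "retail", "pipeline": "web-ci", "component": "libbar", "cvss": "5.0", "vuln_id": "V-2"}]
```

In the real solution this normalisation step sits in the ADF pipelines between the lake and the warehouse; the point shown here is that a shared severity scale and shared organisation/pipeline keys are what make the compound reports possible.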
RESULT
We successfully delivered a dynamic, powerful data platform and analytics solution that provided consolidated, informed and insightful reporting of the security and risk position across all in-scope applications and DevOps pipelines, resulting in:
- Fully integrated reporting of the CI/CD solution exposing security risks and code vulnerabilities, enabling common weaknesses in the environment or the developer community to be recognised and fixed.
- Reduced threat exposure through better quality code, eliminating or reducing security vulnerabilities before deployment.
- Trend analysis of developer behaviour enabling mentoring/training to specific individuals/teams or across the organisation based on the results found.
- Better release decisions drawing on a more informed, consolidated view of the risk position.
- Post-deployment analysis across application code when a new vulnerability is discovered (e.g. in open-source code), so that impact analysis and prioritisation can be carried out.