Spotlight on CRED: Benchmarking security with a BSIMM assessment

CRED, a fintech company and BSIMM member since early 2022, underwent a BSIMM assessment to benchmark their security processes.

CRED, launched in 2018, provides a wide variety of products, from lifestyle features to personal finance, and has been a member of the BSIMM community since early 2022. It has a strong ethos of meeting its customers’ demands, and a #SecurityFirst culture has been ingrained at CRED from the start.

The challenge

The security team at CRED strongly believes in building a great team of engineers and in the importance of establishing a strong information security presence. The team is involved in research and development of CRED’s ever-growing security ecosystem. CRED’s security culture includes:
  • Advanced learning sessions: Each week, team members conduct research into emerging security flaws and lead educational sessions for the security team. These sessions include a deep dive into new security vulnerabilities, how they can be exploited, their mitigations, and a capture-the-flag challenge for team members to fully understand the vulnerability.
  • Threat modeling: For each new feature or product release, CRED’s security team conducts a security threat modeling exercise to identify potential design flaws, edge cases, data flows, and architecture choices, all of which could result in certain risks to the company.
  • Security Bugbash: This gamified exercise is performed once a quarter to look for new vulnerabilities or threats in the CRED application. This introduces fresh perspectives, inventive exploitation scenarios, and approaches that aid in the team’s search for bugs and security flaws.
  • Capture-the-flag competition: Hackception is a company-wide information security competition hosted by the security team. Participating in Hackception helps developers think creatively about how to exploit software, and how to code securely.
  • Security hackathon: During this event, the team brainstorms new automation that can reduce recurring manual effort and identifies projects that could improve the team’s security maturity. This practice drastically reduces manual effort in security reviews and helps the team identify vulnerabilities earlier in the SDLC.

CRED’s fast-paced software development cycles undergo rigorous security review: more than 350 internal microservices are updated multiple times a day, changes are deployed in several iterations during release cycles, and mobile applications are thoroughly tested before shipping. As part of the vulnerability management process, weekly, quarterly, and annual vulnerability assessment and penetration testing (VAPT) activities are also scheduled.

The security team has also deployed automations that integrate with and support the overall security review process. Two of them, Patronus and Adhrit, are available as open source to the security community. These automations reduced the time CRED needs to complete security reviews. Given all this, the company wanted to benchmark its current security posture against that of other companies.

The solution

CRED opted to undergo a BSIMM assessment to identify and, if necessary, correct any maturity gaps before proceeding with further growth. Although only three years old, CRED’s security posture approaches that of more mature organizations.

The results

CRED’s BSIMM assessment helped it identify areas of potential growth and gain deep insights into industry benchmarks as well as maturity gaps in its internal processes. Figure 1 shows CRED’s current posture, measured across multiple security disciplines and compared with other organizations that have undergone BSIMM assessments.

Figure 1: CRED compared to other BSIMM assessments

As part of CRED’s BSIMM assessment, assessors met with multiple CRED stakeholders from a variety of teams to better understand CRED’s working processes. From the discussions that took place during the assessment, it became clear that software release cycles go hand-in-hand with thorough security review processes. CRED’s #SecurityFirst culture keeps the overall security posture maturing and growing.

“CRED’s BSIMM assessment was performed in a meticulous manner with certified assessors, subject matter experts with years of expertise. The assessment helped CRED accomplish its objectives of assessing, identifying room for improvement, and benchmarking itself against maturity models adopted by organizations across the globe. The BSIMM assessment results were clear in their discoveries, including all aspects of the executive summary, ingrained technical details, and well-defined metrics.”
—CRED Security Team

Interested in a BSIMM assessment?

Contact us today

*** This is a Security Bloggers Network syndicated blog from Application Security Blog authored by Synopsys Editorial Team. Read the original post at: https://www.synopsys.com/blogs/software-security/bsimm-assessment-case-study-cred/