Case Study
Large Publicly Traded Life Science Company
Key Business Challenge
A large publicly traded life science company wanted to evaluate and improve the security state of one of its critical enterprise web applications in order to reduce operational risks. In addition, the company wanted training so its team could develop secure software on an ongoing basis.
Background
Originally developed in ASP Classic, one of the company's critical enterprise web applications had recently undergone a rewrite to run under Microsoft's ASP.NET platform. They planned to remove the earlier version of the application from service in the near future and to transition their clients to the updated version.
Denim Group Solution
Denim Group delivered a combination of approaches to help the company understand their current risk exposure and to reduce their exposure to future risks.
- Black Box Assessment. Because the ASP Classic application was still in production but not under active development, Denim Group began with a black box assessment of the application. This helped to determine the application's current security state in the production environment and to identify potential risks to which the company might have been exposed. While a source code review might have provided more in-depth information about the security state of the system, Denim Group deemed the added scrutiny economically unnecessary because the application was slated to be decommissioned shortly.
- Source Code Review. The ASP.NET version of the application was in production under lighter use and slated to handle the bulk of transactions going forward, so Denim Group performed a full white box source code review of this application. This provided the client with information about potential security defects in the application as well as more specific information about the current coding practices of their development team. Based on this information, Denim Group provided suggestions on how to improve these practices to reduce the company's risk exposure.
- Training. Denim Group crafted a custom training program for the client's development staff based on information about potential security defects that had been introduced during the development and deployment of the most recent application. Denim Group customized the training content to emphasize the areas requiring the most attention while making it a priority to maximize the value of the developers' time spent away from development tasks.
ROI Value Statement
Denim Group's targeted approach helped to provide the greatest reduction of risk to the life science company as a whole while maximizing the value to their development team for the future. The client gained valuable insight into the security state of their critical deployed legacy systems as well as forewarning of potential future risks. Context-appropriate training was used to transfer security knowledge to the client's development team in a way that maximized training value while minimizing disruption for the development team's schedule.
