Product Development and Delivery Controls Against Supply Chain Attacks
As we enter the era of business digitalization, every organization's IT infrastructure faces an increasing risk of cyber-attacks. A major breach can have a devastating impact on an organization's operations, since critical confidential information such as customer PII and financial data is at stake. Supply chain attacks have been on the rise in the past few years because of their evasive nature: cyber criminals target the less secure segments of an organization's IT infrastructure, where vendor services and/or vendor software products are used.
As a leading IT solution provider, we have always treated our clients' cyber security as one of our top priorities in product development and delivery. Dawn InfoTek Inc. is well informed and well prepared to eliminate the risk of our monitoring product, AQA-STM, being targeted as the point of breach in a supply chain attack. Sufficient security measures are in place in terms of both the SDLC security controls and the fundamental solution concepts.
AQA-STM SDLC Security Controls
- Full compliance with client-side security standards
- As part of our service and product implementation due diligence, Dawn InfoTek Inc. conducts vendor security assessments and AQA-STM threat assessments in accordance with each client's cyber security standards. Dawn InfoTek Inc. has maintained a track record of a consistently low risk profile under such scrutiny from all of our clients, including major financial institutions.
- Strict review process for adopting open-source libraries
- Under the Dawn InfoTek Inc. SDLC security control standard, every open-source library is subject to a thorough review before it is adopted. The review panel consists of our senior solution architect, development lead, and chief information security officer. As a general rule, only well-established and widely accepted open-source libraries are shortlisted for consideration.
- Security scanning and testing
- Under the Dawn InfoTek Inc. SDLC security control standard, security scanning is mandatory both periodically and before each release version enters the testing cycle, which allows us to detect and fix potential vulnerabilities. Manual penetration testing is also conducted before each major software update.
- Access controls
- Dawn InfoTek Inc.'s source code repositories are hosted in a secure and fortified environment. Remote access is possible only through the Dawn InfoTek Inc. internal network, and VPN connection logs are monitored by our security team's custom log monitoring configuration. In addition, user-level access control is enforced so that only authorized users can make code changes.
AQA-STM Solution Concepts
- Synthetic monitoring vs infrastructure/platform monitoring
- AQA-STM is a synthetic monitoring tool: it monitors application availability from the end user's perspective by emulating how end users interact with a particular application. The monitoring requirements are crafted by the application owners, and the synthetic transactions/traffic are identical in nature to regular traffic. This type of monitoring is fundamentally different from monitoring solutions that have in-depth visibility into the IT infrastructure and code-level details.
- Agentless deployment vs agent-based deployment
- In a recent high-profile cyber breach, a platform monitoring tool fell victim to a targeted supply chain attack. Such platform/infrastructure monitoring tools generally require software agents to be installed on client servers to collect system and application information and feed it to a centralized processing module. These agents usually require fairly high system permissions, and network exemptions may also be required on the client servers. In an evasive attack, malware could be injected into the agents, and the legitimate monitoring activity provides perfect camouflage for malicious activity because of the system permissions and network exemptions that these agent-based monitoring solutions require.
- AQA-STM doesn't require any agents to be installed on the client servers, since its monitoring objective is to simulate an end user.
- Separation from client's application code vs vendor code injection
- In this age, fewer and fewer organizations build their digital applications from scratch internally. Vendor products and open-source code are prevalent in the construction of large-scale enterprise applications. Inevitably, this practice attracts cyber criminals to target vendor products and open-source code so that malicious code is absorbed by the downstream enterprise applications, which is another common form of supply chain attack.
- AQA-STM is self-contained monitoring software that does not inject any code into our clients' applications.