Tag Archive for: Benchmarking

Spotlight on CRED: Benchmarking security with a BSIMM assessment


CRED, a fintech company and BSIMM member since early 2022, underwent a BSIMM assessment to benchmark their security processes.

CRED, launched in 2018, provides financial services and lifestyle features, and has been a member of the BSIMM community since early 2022. CRED provides a wide variety of product offerings, from lifestyle to personal finance. It has a strong ethos of upholding and meeting clients’ demands, and a #SecurityFirst culture has been ingrained at CRED from its start.

The challenge

The security team at CRED strongly believes in building a great team of engineers and in the importance of establishing a strong information security presence. The team is involved in research and development of CRED’s ever-growing security ecosystem. CRED’s security culture includes:
  • Advanced learning sessions: Each week, team members conduct research into emerging security flaws and lead educational sessions for the security team. These sessions include a deep dive into new security vulnerabilities, how they can be exploited, their mitigations, and a capture-the-flag challenge for team members to fully understand the vulnerability.
  • Threat modeling: For each new feature or product release, CRED’s security team conducts a security threat modeling exercise to identify potential design flaws, edge cases, data flows, and architecture choices, all of which could result in certain risks to the company.
  • Security Bugbash: This gamified exercise is performed once a quarter to look for new vulnerabilities or threats in the CRED application. This introduces fresh perspectives, inventive exploitation scenarios, and approaches that aid in the team’s search for bugs and security flaws.
  • Capture-the-flag competition: Hackception is a company-wide information security competition hosted by the security team. Participating in Hackception helps developers think creatively about how to exploit software, and how to code securely.
  • Security hackathon: During this event, the team brainstorms new automation that can reduce recurring manual efforts and identifies projects that could improve the team’s security maturity. This practice drastically reduces manual effort in security…


White House blames Russian spy agency SVR for SolarWinds hack – Benchmarking Change


The White House said in a statement on Thursday that Russia’s foreign intelligence service, known as the SVR, was responsible for the SolarWinds hack, which led to the compromise of nine federal agencies and hundreds of private sector companies.

Senior US government officials had already said the Russian government was responsible for the sprawling cyber attack, but Thursday’s announcement offers the first formal statement pinning the operation on a specific agency.

The White House statement was paired with a series of sanctions against five Russian cyber security firms, which the Treasury Department said had been involved in supporting Russian cyber operations.

SVR has reportedly dismissed the claim as “nonsense” and “windbaggery”.

While some national security experts say the SolarWinds hacking operation could be viewed as a traditional espionage activity that is not uncommon between government hackers, the Treasury Department in its statement said the “scope and scale of this compromise combined with Russia’s history of carrying out reckless and disruptive cyber operations makes it a national security concern.”

The National Security Agency, FBI and Cybersecurity and Infrastructure Security Agency also revealed on Thursday that the SVR was exploiting five known computer software vulnerabilities.

The announcement came with links to a series of related software patches by the companies who make those products, including VMware and Fortinet.

“The vulnerabilities in today’s release are part of the SVR’s toolkit to target networks across the government and private sectors. We need to make SVR’s job harder by taking them away,” Rob Joyce, NSA director of cybersecurity, said.
