Case Study: Global energy provider

State of the art analysis and reporting of security vulnerabilities for a global energy provider.

Requirements

Our customer needed to establish a consolidated view of their security and risk position across application code and their DevOps pipelines using proprietary outputs from multiple security and code scanning tools. Specific requirements included:

  • Deploying a minimum viable product (MVP) within ten weeks onto their managed service Azure platform.
  • The platform being highly secured given the extremely sensitive nature of the data.
  • Being able to analyse data from various Commercial Off-the-Shelf (COTS) and bespoke DevSecOps tools, which required structured data to be ingested in various formats via RESTful APIs.
  • Being extensible, aligned with the internal architecture strategy, and supportable as new security tools were implemented and new reports were defined.

Critical success factors:

Data security

Ensure the data warehouse and data lake were very carefully secured, meeting internal standards and guidelines, because the data held in the solution pinpointed specific weaknesses in application code.

Integration and extensibility

Ensure the solution could be extended to on-board additional services in the future.

Adhering to deadlines

Meeting timelines for the MVP.

Our solution

This was a complex delivery in a very short timeframe. The integration of data from upstream systems was implemented using Azure Data Factory via the RESTful APIs of various commercially available security tools. These were a mix of SaaS, open source and on-premise services, each with its own data model and data attributes. We focused first on the platform architecture design and the complex data modelling, then on engineering the solution end-to-end across platform, analytics and reporting. Key activities included:

  • Architecting the Azure solution (ADLS, AAS, ADF, KeyVault, Enterprise Data Warehouse and PowerBI).
  • Integrating five upstream systems, including commercially available vulnerability scanning tools (Checkmarx and BlackDuck), Azure DevOps and internally developed bespoke platforms and tooling.
  • Analysing data sources and user requirements to establish a common model for the source data sets, so that compound reports could be delivered by organisation, risk, pipeline instance or other application attributes.
  • Developing the application across lake, warehouse, Analysis Services and PowerBI. ADF pipelines were used to extract data from source systems via RESTful APIs into the lake and across to the data warehouse, following the defined data model.
  • Implementing Azure Analysis Services cubes to feed PowerBI (for pre-canned reports) and to enable power users to undertake their own modelling of the datasets securely, with row-level security.
  • Creating the IaC (ARM, JSON) for application deployment into the managed service Azure platform, with Pester test automation to assure build and deployment of the solution.
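As an added illustration of the common-model step above (example code written for this page, not code from the project or the customer's platform): a small Python normaliser that maps two assumed scanner record shapes, a SAST feed and a software-composition feed, onto one finding model and then produces a compound severity count by organisation, pipeline or application. The raw field names, severity labels and sample records are constructed assumptions, not the real Checkmarx or BlackDuck schemas; an unrecognised severity label is kept visible as "unmapped" rather than dropped.

```python
from collections import Counter, defaultdict
from dataclasses import dataclass
# Assumed severity labels per tool family; the common model uses one lowercase scale.
SEVERITY_MAP = {
    "sast": {"High": "high", "Medium": "medium", "Low": "low", "Information": "info"},
    "sca": {"CRITICAL": "critical", "HIGH": "high", "MEDIUM": "medium", "LOW": "low"},
}
# Assumed raw field names per source (constructed, not the vendors' real schemas).
FIELD_MAP = {
    "sast": {"organisation": "team", "pipeline": "build", "application": "project",
             "severity": "severity", "identifier": "query"},
    "sca": {"organisation": "orgUnit", "pipeline": "pipelineId", "application": "projectName",
            "severity": "risk", "identifier": "vulnerabilityName"},
}

@dataclass(frozen=True)
class Finding:
    """One row of the common model, keyed by the attributes reports group on."""
    source: str
    organisation: str
    pipeline: str
    application: str
    severity: str
    identifier: str

def normalise(source: str, record: dict) -> Finding:
    """Map one raw record onto the common model; unknown severities stay visible as 'unmapped'."""
    m = FIELD_MAP[source]
    return Finding(source, record[m["organisation"]], record[m["pipeline"]],
                   record[m["application"]],
                   SEVERITY_MAP[source].get(record[m["severity"]], "unmapped"),
                   record[m["identifier"]])

def ingest(batches: dict) -> list:
    """batches maps source name -> raw records pulled from that tool's API."""
    return [normalise(src, rec) for src, recs in batches.items() for rec in recs]

def compound_report(findings, by: str) -> dict:
    """Count findings per severity, grouped by organisation, pipeline or application."""
    report = defaultdict(Counter)
    for f in findings:
        report[getattr(f, by)][f.severity] += 1
    return {group: dict(counts) for group, counts in report.items()}

# Constructed sample batches standing in for API responses.
SAMPLE = {
    "sast": [{"team": "Trading", "build": "pipe-12", "project": "payments-api", "severity": "High", "query": "SQL_Injection"},
             {"team": "Retail", "build": "pipe-40", "project": "web-portal", "severity": "Urgent", "query": "XSS"}],
    "sca": [{"orgUnit": "Trading", "pipelineId": "pipe-12", "projectName": "payments-api",
             "risk": "CRITICAL", "vulnerabilityName": "CVE-PLACEHOLDER-1"}],
}
```

Adding a sixth source is a new entry in `SEVERITY_MAP` and `FIELD_MAP`; the reporting code does not change.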

The benefits

  • Fully integrated reporting across the CI/CD solution exposing security risks and code vulnerabilities, enabling common weaknesses in the environment or the developer community to be recognised and fixed.
  • Reduced threat exposure through better quality code, eliminating or reducing security vulnerabilities before deployment.
  • Trend analysis of developer behaviour, enabling mentoring and training to be targeted at specific individuals or teams, or across the organisation, based on the results found.
  • Post-deployment analysis across application code when a new vulnerability is discovered (e.g. in open-source code), so that impact analysis and prioritisation can be carried out.

Highlights:

Reduced Risk

Early warning of potential weaknesses in application code as part of the deployment pipeline, ensuring weaknesses were visible before deployment to production.

Extensible Platform

A dynamic, powerful data platform and analytics solution that could be extended to ingest data from additional security tools in the future.

Single Source of Truth

Consolidated reporting of the security and risk position across in-scope applications and DevOps pipelines.
