Supply Chain Attacks: Your Cyber Security is Our Priority
AQA-STM SDLC Security Controls
As part of our service and product implementation due diligence, Dawn InfoTek Inc. has been conducting vendor security assessments and AQA-STM threat assessments in accordance with the clients’ cyber security standards. Dawn InfoTek Inc. has a track record of maintaining a low risk profile under continual security review scrutiny from all of our clients, including major financial institutions.
As part of the Dawn InfoTek Inc. SDLC security control standard, any open-source library is subject to a thorough review before it is adopted. The review panel consists of our senior solution architect, development lead, and chief information security officer. As a general rule, only well-established and widely accepted open-source libraries are shortlisted for consideration.
As part of the Dawn InfoTek Inc. SDLC security control standard, mandatory security scanning is performed periodically as well as before each release version enters the testing cycle. This allows us to detect and fix potential vulnerabilities. Manual penetration testing is also conducted before each major software update.
Dawn InfoTek Inc.’s source code repositories are hosted in a secure and fortified environment. Remote access is only possible through the Dawn InfoTek Inc. internal network, and VPN connection logs are monitored by our security team’s custom log monitoring configuration. In addition, user-level access control is enforced so that only authorized users can make code changes.
AQA-STM Solution Concepts
AQA-STM is a synthetic monitoring tool used to monitor application availability from the end user’s perspective by emulating how end users interact with a particular application. The requirements are crafted by application owners, and the synthetic transactions/traffic are identical in nature to regular traffic. This type of monitoring is fundamentally different from monitoring solutions that have in-depth visibility into the IT infrastructure and code-level details.
In a recent high-profile cyber breach incident, a platform monitoring tool fell victim to a targeted supply chain attack. Such platform/infrastructure monitoring tools generally require software agents to be installed on client servers to collect system and application information and feed it to a centralized processing module. These agents usually require fairly high system permissions, and network exemptions may be required on the client servers as well. To carry out an evasive attack, malware could be injected into the agents, and the monitoring activities then provide perfect camouflage for malicious activity because of the system permissions and network exemptions required by these agent-based monitoring solutions.
AQA-STM doesn’t require any agents to be installed on the client servers, since its monitoring objective is to simulate an end user.
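To make the agentless model concrete, the following is an added illustration (not AQA-STM code, and not code from Dawn InfoTek Inc.) of what an end-user-style synthetic check amounts to: an ordinary HTTP request issued from outside the monitored system, judged on status, expected content and latency, with no agent, elevated permission or code injection on the application side. The small in-process HTTP server, the `/login` and `/down` paths and the thresholds are constructed stand-ins for a client application and its service-level expectations.

```python
import http.server
import threading
import time
import urllib.error
import urllib.request


class _DemoAppHandler(http.server.BaseHTTPRequestHandler):
    """Constructed stand-in for a monitored client application.
    /login answers like a healthy sign-in page; /down simulates an outage."""

    def do_GET(self):
        if self.path == "/login":
            status, body = 200, b"<html><title>Sign in</title><form>user/password</form></html>"
        elif self.path == "/down":
            status, body = 503, b"service unavailable"
        else:
            status, body = 404, b"not found"
        self.send_response(status)
        self.send_header("Content-Type", "text/html")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):
        pass  # keep the demo server quiet


def start_demo_server():
    """Bind the constructed app to a free loopback port and serve it in the background."""
    srv = http.server.HTTPServer(("127.0.0.1", 0), _DemoAppHandler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv


def run_synthetic_check(url, expected_status=200, expected_text=None,
                        timeout=5.0, max_latency_ms=2000):
    """One end-user-style probe: fetch the page exactly as a browser would and
    judge it on what a user sees (did it load, with the right content, fast enough).
    Nothing is installed on, or injected into, the application being checked."""
    started = time.monotonic()
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            status, body = resp.status, resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as err:        # 4xx/5xx still yield a status and body
        status, body = err.code, err.read().decode("utf-8", "replace")
    except (urllib.error.URLError, OSError) as err:  # DNS, refused, timeout: nothing came back
        return {"url": url, "ok": False, "status": None, "latency_ms": None,
                "reasons": [f"connection error: {err}"]}
    latency_ms = round((time.monotonic() - started) * 1000, 1)

    reasons = []
    if status != expected_status:
        reasons.append(f"status {status} != expected {expected_status}")
    if expected_text is not None and expected_text not in body:
        reasons.append(f"expected text {expected_text!r} not found in response")
    if latency_ms > max_latency_ms:
        reasons.append(f"latency {latency_ms} ms exceeds {max_latency_ms} ms")
    return {"url": url, "ok": not reasons, "status": status,
            "latency_ms": latency_ms, "reasons": reasons}


def run_journey(base_url, steps):
    """Run a scripted user journey (a list of (path, kwargs) steps, as an application
    owner would define it) and report per-step results plus overall availability."""
    results = [run_synthetic_check(base_url + path, **kwargs) for path, kwargs in steps]
    return {"available": all(r["ok"] for r in results), "steps": results}


if __name__ == "__main__":
    server = start_demo_server()
    base = f"http://127.0.0.1:{server.server_address[1]}"
    journey = [("/login", {"expected_text": "Sign in"}),
               ("/down", {})]   # second step fails, so the journey reports unavailable
    report = run_journey(base, journey)
    for step in report["steps"]:
        print(step["url"], "OK" if step["ok"] else "FAIL", step["reasons"])
    print("application available:", report["available"])
    server.shutdown()
```

The check runs from the monitoring side only, so the application's attack surface is unchanged by being monitored; a compromised probe could at most generate the same traffic a real user could, which is the property the agentless approach above relies on.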
Fewer and fewer organizations build their digital applications from scratch internally in this age. The use of vendor products and open-source code is prevalent in constructing large-scale enterprise applications. Inevitably, this practice attracts cyber criminals to target vendor products and open-source code, so that malicious code can be absorbed by downstream enterprise applications, another common form of supply chain attack.
AQA-STM is a self-contained monitoring software which does not inject any code into our clients’ applications.