Situation
NCC Group supported a multi-national technology organization by implementing security within their development practices centered on open source code management and the reliance on the Android operating system (OS).
NCC Group enabled the client to minimize the risk of its new products, due for release by Christmas, being targeted by hackers attempting to harm the company's reputation, along with the associated revenue impact from security researchers utilizing the bug bounty program.
Thanks to the support that NCC Group provided, the company was able to improve the use of open-source code segments and Android OS in order to reduce the risks associated with new products being released. This was particularly important for the client ahead of a Christmas product launch.
At a Glance
Organization: Multi-National Tech Organization
Industry: Tech
Challenge: Performing product security assessment to ensure the security of a new product line
Solution: Secure Development Lifecycle (SDL) consultancy to identify all the security aspects of the device to ensure these were considered within their development processes
Result: Improvement in the use of open source code segments and Android OS which reduced the risks associated with their critical new products being released into the market
Challenge
The multi-national technology organization was looking to perform a product security assessment to ensure its new product line was secure. Its product lifecycle spanned a calendar year and was a mix of waterfall (overall product) and agile (components, e.g. wireless, Bluetooth) approaches. The product under assessment was the next release of its smart TVs, aimed to be in the market for peak Christmas trading.
NCC Group was therefore utilized to provide the customer with a focused view of security risk areas and the improvements needed in its security development practices. The customer had a large codebase that had been refactored from an Android-based OS. This process still allowed Android-based code to be reused, enabling the client to provide services that were still under development.
However, this increased the likelihood of vulnerabilities being present in the product, as the Android codebase is open source and there are multiple contributors to its repositories. The volume of open source code is also a significant challenge to manage throughout development and future support, as are the legal constraints of the license model for each code segment.
The client had been constructing its own proprietary OS for a significant period of time to reduce the dependency on Android-based code. However, it was still in the process of creating the necessary building blocks as it went through a re-architecture of the OS.
This re-architecture was required in order to favor the hardware produced and to increase the security of the content being processed and displayed, which was a legal requirement from the content providers (e.g. Netflix) to support digital rights management (DRM).
Therefore, NCC Group provided the security expertise to understand the threats and risks associated with their development model and dependencies in order to manage the risks of using open-source code plus a refactored Android-based OS.
Solution
NCC Group provided SDL consultancy to identify all the security aspects of the device to ensure these were considered within their development processes. Utilizing our experience of assessing and supporting the implementation of secure development frameworks such as SAMM and BSIMM, NCC Group provided a view on the maturity of their use and management of open-source code. NCC then advised on how to implement technology, processes, and people-based changes to improve.
In addition, NCC Group also provided the following support:
- Identified and provided expertise in the technical analysis of the open-source code segments from a security point of view.
- Recommended Software Composition Analysis (SCA) tools, which could provide a technology platform for the client to manage the risk associated with third-party libraries, OSS, and licenses.
- Recommended the client conduct a deep analysis of the Android-related code that it wanted to leverage, and actively report any issues identified in order to gain the benefits of crowd-sourcing.
These led to NCC Group identifying an issue that could have led to a security compromise of a particular device, which was mitigated prior to release. NCC Group's final recommendation to the client was to provide training to its development teams in applied cryptography and how to protect critical application information.
Result
As a result of the expertise and support NCC Group provided, the multinational technology company was able to improve the use of open-source code segments and Android OS in order to mitigate the risks associated with critical new products being released into the market. Through analysis of current practices against industry best practices, NCC Group was able to provide targeted and high-impact advice to improve the security of its products.