ACE Services Drops Case Study Flick on Security Development Lifecycle for IT
Hello everyone, my name is Anmol Malhotra and I’m a Security Technologist with ACE [Application Consulting & Engineering] Services team. We are a global team delivering application security services to Microsoft’s esteemed enterprise level customers. Ace Services recently did a case study with First American Title Insurance Company, the second largest title insurance company in the United States.
Microsoft partnered with First Am to assess the security of the user interface of the FAST application and to help First Am build an application security development lifecycle based upon Microsoft’s Security Development Lifecycle for IT (SDL-IT).
Following are brief details about this case study. Also check out the Case study video and check out what First Am has to say about their experience with our SDL-IT process.
Click the link to see the Video: Security Development Lifecycle for IT
Customer Profile
First American Title Insurance Company, a subsidiary of The First American Corporation, with 2004 revenues of U.S.$6.7 billion. In 2002, the company deployed First American Software Technology (FAST), an integrated title and escrow system that unified disparate systems into a centralized database. FAST is a three-tiered intranet web-based application that services FAST users across a WAN (Wide Area Network) infrastructure. Today, the mission-critical FAST application is hosted on a centrally hosted SQL Server database, with more than 4 terabyte of information, supports 12,000 users in 1,300 offices.
Business Situation
First American Title insurance company wanted to incorporate a streamlined process to ensure security of its mission critical FAST [First American Software Technology] application and their customer’s data. They wanted to closely integrate security in to present software development lifecycle.
Solution
Our goal was to help First Am improve its exiting processes and help them weave security into the application development lifecycle with the aim of minimizing risk to customers and the company itself. To get started on this mission, ACE services conducted a two days SDL-IT training at First Am which highlighted how Microsoft’s Security Development Lifecycle for IT (SDL-IT) application security process can help optimize resource allocation, proactively identify security issues, verify security and help them drive continued improvement in developing secure applications.
We closely worked with information security group at First Am to help them adapt a risk assessment methodology so that going forward they can utilize this process to identify most critical applications and take effective risk management decisions.
SDL-IT training also covered secure application development training which helped developers identify security issues and ways to mitigate them. We started with the design review for FAST and also created a Threat Model using our Threat Analysis and modeling tool.
Once we started conducting security code review for the FAST application we found that after the training, many of the developers have started identifying security issues on their own and without any help from us. They could now really understand the threat impact and value of the suggested countermeasure by us. Over a period of 2 weeks we completed the security review of the FAST application and submitted a comprehensive report to First Am about how they can improve and implement security measures in the application.
For more information about Ace Services & how we can help secure your applications drop an email to: aceques-nospam@microsoft.com
Anmol Malhotra
Security Technologist
Microsoft -ACE Services