Leading European Insurer

Sopra Group Assists Leading European Insurer To Reduce Application Security Threats

Sopra Group was engaged by one of Europe's leading multi-line general insurance companies to conduct an application security open system review against their B2C website.

This insurer uses an extensive online capability to conduct its business and recognises the need to maintain appropriate information security controls to minimise the business risk resulting from internal and external threats.

To achieve this, the business went to market to find an external, independent third-party organisation that could provide application and network security assurance services.

Solution

Sopra Group's security experts conducted application-level and network-level penetration testing against the B2C site. The application security testing focused on detecting the Open Web Application Security Project (OWASP) top ten application security vulnerabilities, and included tests for the following:

  • Unvalidated Input
  • Broken Access Control
  • Broken Authentication and Session Management
  • Cross Site Scripting (XSS) Flaws
  • Buffer Overflows
  • (Command) Injection Flaws (not limited to SQL Injection)
  • Improper Error Handling
  • Insecure Storage
  • Insecure Configuration Management
  • Excessive Information Leakage
  • Hidden Fields Manipulation

The team then met with the Heads of IT and Security, business representatives and the hosting organisation to formally present the findings of the application security review. A number of application-level security vulnerabilities were identified that were deemed to present unacceptable risk to the business, and an immediate plan of action was agreed to mitigate these issues in the live environment.

Working in collaboration with the customer team, Sopra Group's security specialists developed a number of potential risk treatment strategies, ranging from source code rework through to revision and review of the internal policies and processes surrounding incident alerting and response.

In order to provide a composite real-time view of the security perimeter, including application security attacks, it was agreed that an integrated information security management system would be deployed.

The deployed solution allows the client to collect and analyse audit log feeds from multiple sources, including firewalls, application security gateway devices, IDS probes and applications, and combines these with real-time threat information. This provides not only a single security view of the client's estate but also allows them to respond proactively to the latest emerging threats.

Benefits

Receiving independent application security services from Sopra Group's security experts has provided the customer with many benefits, including:

  • Requisite independent assurance for meeting Internal Audit requirements
  • Specialist application security expertise to supplement their existing internal security skill sets
  • Pragmatic reporting based on real-world experience
  • Independent product evaluation and recommendation consultancy
  • A proactive, real-time view of application and network security incidents, enabling the organisation to identify and react more quickly to attacks
Copyright © 2001-2009, Sopra Group. All rights reserved.