19 April, 2023
Codific recently hosted our Spring Summit with our Burgas team!
It was a highly productive gathering filled with activities to improve our products and services. As a leader in secure software development, we always prioritise the quality of our products through privacy by design architecture. In these summits, we aim to push our applications to the limits, test them, and advance the overall usage and security, building a safe and secure digital future.
With that in mind, we conducted several workshops that would help us achieve our goals. Our team focused on three main exercises throughout the week.
- Disaster Recovery Planning
- Threat Modelling
- Testing our application Attendance Radar
So let’s dive into each topic…
Disaster Recovery Planning
One of the workshops was on business continuity planning, including hands-on disaster simulation exercises. This activity helped us fine-tune our internal guidelines and checklists in case of the unthinkable. We strongly believe that Disaster Recovery Planning is a necessity, and it only took us half a day per software product. By doing these simulations, we were able to identify any potential weak spots in our processes and work on them immediately.
Lessons Learned:
- Implementing even a few basic Disaster Recovery Planning processes is essential: having some level of preparation is better than having none at all. Even minimal preparation can contribute greatly to return on investment during a crisis.
- Communication and brainstorming on potential problems help bring up issues that one could not easily contemplate alone. They build creativity for both problem solving and thinking of potential weaknesses in a system.
- Establishing best practices for contingency planning during a security breach is a tough nut to crack. It all boils down to determining the moment of the breach and its scope, which can be virtually impossible. This sort of analysis requires time and a highly specialised team of experts. Our team took a lot of time to go through each possible situation and a suitable recovery and response for it.
Threat Modelling
Another workshop we ran in the Spring Summit was Threat Modelling. We brought our whole team together and conducted a “theoretical hacking” exercise on all our applications. The entire team participated in these exercises, regardless of the product they work on. The purpose of this exercise was to identify potential threats that could compromise our applications’ security. This produced very valuable insights, and our team was able to determine approximately ten threats with different risks for each application. Testing these threats allows us to build a safer and more secure product.
One unique aspect of our threat modelling workshops is that they enabled us to focus on the most applicable and risky issues in our software systems. Threat modelling allows us to zoom out a bit and take a broader look at potential threats. By doing so, we can focus on the most critical issues and mitigate them quickly.
Lessons Learned:
- Penetration testing is an essential practice in your security posture, although “blind” pen tests by third parties are unlikely to uncover the most risky issues in your software system. Combining threat modelling with penetration testing, however, is guaranteed to give you the best overall security testing effort.
- Threat modelling has something of a reputation for being complicated and taking too much effort and preparation. That is a myth. With an expert moderator, you can go through a two-hour threat modelling session and uncover more threats than your pen testers can in a week.
- While Codific developed a threat modelling tool (which is now discontinued), we are starting to believe that tools are overrated when it comes to threat modelling. A dry erase board with a marker is all you need.
Attendance Radar Testing
Lastly, we spent an immense amount of time testing our Attendance Radar application. Our developers were asked to focus on breaking the application, which led to the discovery of several bugs and vulnerabilities. We were able to address these issues and are excited to release a substantially improved version of Attendance Radar in the coming days.
Conclusion on this year’s Spring Summit
Overall, it was a highly productive event that allowed us to improve our products and services significantly. By focusing on disaster recovery planning, threat modelling, and testing our products, we can ensure that we’re up to the highest standards of security and preparedness. Our Spring Summit was an excellent step in that direction.