A Case Study: Security Audit for SaaS Application
And Its Associated Processes

An Indian auto components manufacturer chose Athenian Tech to conduct a security audit of its outsourced partner, a leading global service provider, covering the partner's SaaS application and the workflow processes behind it. The partner operates across business process and technology management functions and offers a broad spectrum of finance and accounting (FAO) services.

Executive Summary 

A global business process and technology management company performs the complete end-to-end financial processes for a large automotive manufacturing company, using its in-house SaaS service hosted on cloud infrastructure. We were asked to carry out a comprehensive security audit of the procedures followed and to identify data leaks and vulnerabilities in their workflow. Since the automotive manufacturer was carrying out due diligence on the outsourced company, we were engaged to perform that due diligence and identify the security risks.

Audit Team

Col Sunil Kapila (Retd.)  

Key Use Cases of work done by Athenian Tech

  • We applied our security audit process together with our security tooling. A small team of two, guided by our CTO, carried out most of the security audit remotely, with only two days spent on initial understanding of the environment.
  • We demonstrated the findings live, with real-time outcomes, so that the client's security, IT and operations teams could verify the correctness of the findings for themselves.
  • We also carried out a post-remediation audit to give senior management assurance that the findings had been fixed.
  • We also delivered security awareness sessions on best practices for preventing data leakage and for ongoing maintenance.
  • We provided guidance on how to raise the internal team's level of security process maturity. Some report snapshots are included where adequate.

Benefits for the Client

Remote, semi-automated conduct of our process, integrated with our tool-suite, gave the automotive manufacturing company actionable report data, graphs and written reports with which to improve their security posture. Real-time collaboration between the client team and our security team produced better outcomes. Reduced reliance on expensive commercial tools saved both time and money. Despite COVID-19 work-from-home guidelines, the project was completed successfully. In addition to security testing of the SaaS application, we also carried out process improvements to their workflow.

Problem Solved

Online access to the client's applications and process flow was used to identify security vulnerabilities. There was some reluctance to accept the security findings among the QA, operations and secure software development teams. Their teams also spent a lot of time emailing back and forth with their external security audit agency to find answers and fix the problem areas. The audit had to be done mainly remotely and in a timely fashion.

How do we carry out the Security Audit to overcome the?

Our user-friendly interface automatically typesets the audit work in real time, in the browser. Findings from the various tools were integrated and merged using templates and a streamlined workflow. The activities covered in the scope of the 'Information Security Risk Assessment' by Athenian are as follows: checks and balances around i) confidentiality, ii) integrity and iii) availability, as per ISO 27001:2013, across:

  • Application      
  • Data at rest
  • Data in transit
  • Networks
  • Access control
  • Infrastructure
  • Environmental and people

The Athenian audit team's objective was to understand the operating environment of the technology management company and ascertain its ISMS requirements in accordance with the ISO 27001:2013 standard, and then to perform a detailed risk assessment exercise to identify the current level of risk exposure and assess the existing level of compliance with security controls.

Audit Execution
Virtual as well as face-to-face interaction took place to allow a deep dive into the audit process. The following areas were reviewed, and appropriate evidence is enclosed:

Application Walkthrough: Completed a product walkthrough; the evidence for role configurability and role-based menu drop-downs is enclosed as the accounts payable process.

Infosec: The evidence for the internal audit, the training conducted and the phishing awareness dissemination is attached as AP-2.

Project Specific: Team structure is included as AP-3 Team Structure.

IT Development: Development version control et al. are enclosed as AP-4 and AP-5-Dev Environment.docx.

IT Infra: VAPT report and other evidence.

During the information security risk assessment activity, the Athenian team identified 24 observations, categorised into High (3), Medium (7), Low (4) and Informational (10) severities based on the risk and its associated impact; these four categories account for all 24 observations, so no Critical observations were raised.
The chart below depicts the number of Critical, High, Medium, Low and Informational risk observations identified during the review.

Critical Findings Text...

Detailed gaps and recommendations

This section presents the key observations, their risk ratings, the respective recommendations and the areas of improvement identified during the Information Security Risk Assessment.

Key observations:

Evidence Collected from Client

Recommendations for Technology Management Company

  • Hygiene issues with POCs were observed. A proper internal infrastructure segmentation document should be maintained, and further hardening of devices is required.
  • Secure coding practices must be introduced into the DevOps process.
  • DLP should be recommended to customers for endpoint security purposes.