CASE STUDY
Advancing Cyber Posture for a Federal Agency Through Comprehensive Penetration Testing
The Solution Strategy
Makpar offers the following services that support the mission of this federal agency:
Comprehensive penetration testing and red teaming
Threat modeling
Vulnerability assessment
Code security and analysis
General security assessment
For this case study, the solution strategy for penetration testing followed a repeatable five-step approach:
- Working with agency stakeholders to collect details about the targeted system or application, including the network topology, Cloud Service Providers, operating systems, applications, APIs, user accounts, and more.
- Concentrating on active network scanning, API testing, and web application testing so that all in-scope elements are covered.
- Executing a test plan based on the pre-engagement interactions to identify and exploit weaknesses and demonstrate unauthorized access.
- Delivering a comprehensive report on the key areas that put the agency at most risk.
- Validating fixes, providing remediation evidence, and checking for new weaknesses introduced by the fixes themselves.
The solution strategy also involved implementing a scalable threat modeling approach that used a pattern-based methodology to identify common architectural patterns across the client's applications. This allowed targeted mitigation strategies to be developed once for each pattern and then applied to every application that shares it, aligned with industry best practices, and integrated into the client's existing AppSec testing framework.
From a code security and analysis perspective, Makpar's code reviewers and security engineers conducted thorough assessments, providing vulnerability reports with detailed insights into likelihood, impact, and severity.
Challenge
Due to its significant interaction with external stakeholders, constituents, and other federal agencies, a large federal agency had a broad threat surface to secure. The agency needed support for a comprehensive cybersecurity strategy aimed at meeting regulatory requirements, preventing data breaches, and proactively identifying and mitigating cybersecurity vulnerabilities.
These compliance requirements included adherence to Federal mandates such as the Federal Information Security Modernization Act (FISMA), National Institute of Standards and Technology (NIST) Special Publications (SP) 800-53 and 800-115, and the Federal Risk and Authorization Management Program (FedRAMP).
The agency customer also faced a recurring medium-severity vulnerability in its legacy web applications, the "Missing Secure Attribute in Encrypted Session (SSL) Cookie" finding. A session cookie issued over HTTPS without the Secure attribute is also sent by the browser on any plain-HTTP request to the same host, exposing the session identifier on the wire. This finding affected a significant portion of the application portfolio, so a scalable solution was needed to mitigate the risk rather than a per-application fix.
Tools Used
HCL AppScan Enterprise (ASE) for Dynamic Application Security Testing (DAST)
OWASP's threat modeling tools
Custom scripts developed to automate aspects of the threat modeling process
Best Practices
Adhering to the Makpar repeatable five-step approach to penetration testing highlighted above.
Integrating threat modeling into the CI/CD pipeline, ensuring continuous updates to the threat model based on new findings, and adopting a pattern-based approach for rapid scaling across multiple applications.
Supporting secure code reviews and integrating SAST and DAST into DevOps processes.
Benefits & Results for Clients
Main Benefits for Clients
The agency customer can identify and fix vulnerabilities before malicious threat actors are able to exploit them.
The penetration testing team worked closely with the agency's Security Operations Center to improve its ability to detect and block malicious activity on the network.
The customer significantly reduced the presence of the medium-severity "SSL Cookie" vulnerability across its application portfolio. This proactive approach not only enhanced the security posture of the applications but also reduced the time and resources required for ongoing security assessments.
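The "Missing Secure Attribute in Encrypted Session (SSL) Cookie" finding and the portfolio-wide remediation described above, as an added example that is not code from this page, from Makpar, or from the agency. It assumes a Python/WSGI stack: the legacy application stand-in, the JSESSIONID cookie name, and the request environ are constructed for illustration. The audit also reports HttpOnly and SameSite, which the page does not mention, because a DAST scanner reports those alongside the Secure finding; the middleware shows the scalable fix, adding the attributes at the edge so no legacy code base has to change.

```python
"""
Added example (not Makpar's or the agency's code): audit and remediate the
AppScan-style finding "Missing Secure Attribute in Encrypted Session (SSL) Cookie".

  1. audit_set_cookie()  inspects a Set-Cookie header the way a DAST scanner does
                         and lists the hardening attributes it lacks.
  2. harden_cookies()    is a WSGI middleware that appends the missing attributes
                         to every Set-Cookie a legacy app emits, so one fix covers
                         the whole portfolio instead of each application.

All cookie names, the sample app and the environ below are constructed.
"""
from typing import Dict, List, Tuple


def parse_set_cookie(header_value: str) -> Tuple[str, str, Dict[str, str]]:
    """Split 'name=value; Attr; Attr=val' into (name, value, {attr_lowercase: val})."""
    parts = [p.strip() for p in header_value.split(";") if p.strip()]
    name, _, value = parts[0].partition("=")
    attrs: Dict[str, str] = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return name.strip(), value.strip(), attrs


def audit_set_cookie(header_value: str, over_tls: bool = True) -> List[str]:
    """Return the hardening attributes missing from one Set-Cookie header.

    Secure is only reported when the cookie was issued over TLS, which is the
    scanner's "Encrypted Session (SSL) Cookie" condition: without the attribute
    the browser also sends the cookie on any plain-HTTP request to the host.
    """
    _, _, attrs = parse_set_cookie(header_value)
    missing: List[str] = []
    if over_tls and "secure" not in attrs:
        missing.append("Secure")
    if "httponly" not in attrs:
        missing.append("HttpOnly")
    if "samesite" not in attrs:  # an explicit SameSite=None is a deliberate choice, not flagged
        missing.append("SameSite")
    return missing


def harden_set_cookie(header_value: str, over_tls: bool = True) -> str:
    """Append exactly the attributes audit_set_cookie() reports; everything else is kept."""
    additions = {"Secure": "Secure", "HttpOnly": "HttpOnly", "SameSite": "SameSite=Lax"}
    hardened = header_value.rstrip("; ")
    for attr in audit_set_cookie(header_value, over_tls):
        hardened += "; " + additions[attr]
    return hardened


def harden_cookies(app):
    """WSGI middleware: rewrite Set-Cookie headers on every response of `app`.

    Secure is added only when the request arrived over TLS (directly, or via a
    reverse proxy that sets X-Forwarded-Proto; trust that header only behind
    such a proxy), because browsers reject Secure cookies set over plain HTTP.
    """
    def middleware(environ, start_response):
        over_tls = (
            environ.get("wsgi.url_scheme") == "https"
            or environ.get("HTTP_X_FORWARDED_PROTO", "").lower() == "https"
        )

        def patched_start(status, headers, exc_info=None):
            rewritten = [
                (k, harden_set_cookie(v, over_tls) if k.lower() == "set-cookie" else v)
                for k, v in headers
            ]
            return start_response(status, rewritten, exc_info)

        return app(environ, patched_start)

    return middleware


def legacy_app(environ, start_response):
    """Constructed stand-in for a legacy app that issues a bare session cookie."""
    start_response("200 OK", [
        ("Content-Type", "text/plain"),
        ("Set-Cookie", "JSESSIONID=0123abcd; Path=/"),
    ])
    return [b"hello\n"]


def run_demo(scheme: str = "https") -> List[Tuple[str, str]]:
    """Drive the wrapped app with a constructed environ and return the response headers."""
    captured: List[Tuple[str, str]] = []

    def start_response(status, headers, exc_info=None):
        captured.extend(headers)

    environ = {"REQUEST_METHOD": "GET", "PATH_INFO": "/", "wsgi.url_scheme": scheme}
    body = harden_cookies(legacy_app)(environ, start_response)
    b"".join(body)  # consume the body as a real server would
    return captured


if __name__ == "__main__":
    for scheme in ("https", "http"):
        for key, value in run_demo(scheme):
            if key == "Set-Cookie":
                print(scheme, "->", value, "| still missing:", audit_set_cookie(value, scheme == "https"))
```

Running the block prints the rewritten cookie for an HTTPS and an HTTP request: over HTTPS the header gains Secure, HttpOnly and SameSite=Lax and the audit comes back empty; over HTTP only HttpOnly and SameSite are added. Re-scanning with the DAST tool after deployment is still required, since a scanner reports the finding per response, not per application.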
Key Takeaways
In today's rising threat environment, PTCS is vital for any agency that needs to understand and mitigate its cyber vulnerabilities.
A pattern-based approach to threat modeling effectively scales security efforts across multiple applications.
Government agencies now have a repeatable method for understanding threats from external actors and for deciding how best to mitigate them.
Want to discuss how Makpar can help achieve your agency’s modernization goals? Get in touch with us today.