The Synopsys Software Integrity Group is now Black Duck®. Learn More

close search bar

Sorry, not available in this language yet

close language selection

Spotlight on CRED: Benchmarking security with a BSIMM assessment

Black Duck Editorial Staff

Feb 08, 2023 / 3 min read

CRED, a FinTech commerce company launched in 2018, provides its members with a distinguished FinTech experience through elegant financial services and delightful lifestyle features. It has a strong ethos of meeting member demands, and the #SecurityFirst culture at CRED has been ingrained from the inception.

CRED has been a member of the BSIMM community since early 2022. By undergoing a BSIMM assessment, CRED wanted to identify, and if necessary, correct any maturity gaps before proceeding with further growth.

In pursuit of excellence

The security team at CRED strongly believes in building a great team of engineers, as well as the importance of establishing a solid information security presence. The team is involved in the research and development of CRED’s ever-growing security ecosystem. CRED’s security team has successfully implemented

  • Advanced learning sessions: Each week, team members research emerging security flaws and lead educational sessions for the security team. These sessions include a deep dive into new security vulnerabilities to discover how they can be exploited and their mitigations, plus a capture-the-flag (CTF) challenge for team members to fully understand the vulnerability.
  • Threat modeling: For each new feature or product release, CRED’s security team conducts a threat modeling exercise to identify potential design flaws, edge cases, data flows, and architecture choices that could result in risks to the company.
  • Security Bugbash: This gamified security exercise is performed once a quarter to look for new vulnerabilities or threats in the CRED application. This teamwork introduces fresh perspectives, inventive exploitation scenarios, and approaches that aid in the team’s search for bugs and security flaws.
  • Capture-the-flag competition: Hackception, a CTF event, is a company-wide information security competition hosted by the security team. Participating in Hackception helps developers think creatively about how to exploit software and how to code securely.
  • Security hackathon: During this event, the team brainstorms new automation to reduce recurring manual tasks and identifies projects that could improve the team’s security maturity. This practice drastically reduces manual effort in security reviews and assists the team in identifying vulnerabilities earlier in the software development life cycle.

CRED’s fast-paced software development cycles regularly undergo rigorous security reviews, with, for example, more than 500 internal microservices updated multiple times a day, changes that are deployed in several iterations (during release cycles), and mobile applications that are thoroughly tested before shipping. Furthermore, weekly, quarterly, and annual vulnerability assessment and penetration testing (VAPT) activities are scheduled as part of the vulnerability management process."

Himanshu Das

|

CISO, CRED

The security team has also deployed numerous automations that integrate and aid the overall security review process. Patronus and Adhrit, two such automations, are available as open source to the security community. These automations helped CRED reduce the time needed to complete the overall security review process.

BSIMM assessment

CRED’s security team is only three years old, and its security posture is reaching that of organizations further along in their security journey. The average age of organizations that scored near CRED in the BSIMM assessment is 9.6 years. CRED could be considered one of the industry’s few young companies with this level of maturity.

bssim score dist

Figure 1: BSIMM score distribution

CRED’s BSIMM assessment helped its security team identify areas of potential growth and gain deep insights into maturity gaps in its internal processes. Figure 2 shows CRED’s current posture measured against multiple disciplines of security that are used as yardsticks for the BSIMM assessment, compared to an average of organizations that have already been assessed under BSIMM.

cred comparsion

Figure 2: CRED compared to the average of other BSIMM assessments

Conclusion

As part of CRED’s BSIMM assessment process, assessors met with multiple CRED stakeholders from different teams, which helped them understand CRED’s working processes. Discussions during the assessment emphasized that software release cycles go hand-in-hand with thorough security review processes. And CRED’s #SecurityFirst culture includes additional activities like security hackathons and advanced learning sessions that keep the overall security posture maturing and growing.

CRED’s BSIMM assessment was performed meticulously with certified assessors and subject matter experts with years of expertise. The assessment and its team helped CRED accomplish its objectives of assessing, identifying room for improvement, and benchmarking itself against maturity models adopted by organizations across the globe. BSIMM assessment results were clear in its discoveries, including all aspects of the executive summary, ingrained technical details, in addition to well-defined metrics."

FinTech commerce company

|

CRED Security Team

                                                   Interested in a BSIMM assessment?

Continue Reading

Explore Topics