
Taking a Preventative Approach to Cloud Security

Rally® (www.rallyhealth.com) simplifies health care, making it easier for companies and employees to manage complex benefits and improve overall health. Among its other responsibilities, the Rally development team supports critical services within the Rally digital ecosystem that establish user identities and verify eligibility. Rally uses cloud provider PaaS services and an IaaS virtual infrastructure (including Amazon Web Services and Amazon Relational Database Service, as well as MongoDB and Scala) that span its identity management, provider, patient eligibility, end user, and privileged user systems.

“We wanted a thorough architectural risk analysis on our cloud infrastructure, especially around our authentication and eligibility systems. We wanted someone who was extremely tech-savvy, which was a hard requirement for us. One of the reasons we chose Black Duck was for that level of technical expertise, and that we were guaranteed to have the same person who interviewed with us to do our review, which some of the other candidates couldn’t guarantee.”

Nathan Coleman | Rally Health, Inc.

Rally had three major areas encompassing their external security evaluation:

  • The security posture of their core authentication and authorization systems.
  • Their security controls.
  • Insight into the threat landscape for their runtime environment.

Black Duck's services for Rally included an architectural risk analysis (ARA), a configuration review, and a code-assisted penetration test.

  • The configuration review provided an in-depth assessment of the security posture of Rally’s cloud infrastructure and audited the runtime configuration of their deployed cloud applications and security controls to identify weaknesses, giving a snapshot report describing how the configuration met or did not meet security goals.
  • The penetration test identified what sensitive data was managed within Rally’s business model and explored applications to catalogue exposed portions subject to attack and how they might be exploited. Each issue was tested in order of perceived risk using a hybrid of manual and tool-based analysis for both runtime and secure code analysis.

“The ARA verified our understanding about the architecture and provided recommendations for us,” says Coleman. “The coded system penetration test and configuration review gave a clear path for remediation—‘here’s an issue with the configuration and here’s how you fix it.’ The penetration test was informed by the ARA, giving fewer false positives. The configuration review was probably the easiest to directly funnel to our workflow.”

“Our overall experience with Black Duck was professional and informative,” concludes Coleman. “We really want to be involved in the security community, and we really want to push the envelope of security. Working with Black Duck helped us move closer to both those goals.”


Company Overview

Rally Health, Inc., is a consumer-centric digital health company that makes it easy for individuals to take charge of their health and wellness, working with health plans, providers, and employers to reimagine consumer health engagement. Rally’s integrated platform helps employees, payers, providers, and employers maximize the potential of their health and the health care system.
