Case Study:

Security Automation for the Cloud

About the client

Credit Saison is a Japanese financial services company founded in 1951. They are the third largest credit card issuer in Japan, with over 20 million cardholders in Japan alone. As part of their initiative to expand into Asia, they set up Credit Saison India in 2019 to offer services and financing to SMEs and consumers in India.

Cutting edge tech needs cutting edge security

Credit Saison India built a robust app stack to store and handle their clients’ financial data, and uses sophisticated analytics to manage their operations. Their engineering team used a decentralised microservices stack hosted on a scalable AWS cloud layer to handle a high volume of transactions.

The app needs to communicate constantly with third-party services, which meant we had to test the security and integrity of data in transit. To secure their internal APIs against brute-force attacks, we recommended they implement stronger SAML-based authentication across the board.

Our team also set up a regression suite, codifying the vulnerabilities we found into exploit automation scripts. These were included in Credit Saison’s build pipelines to test for vulnerabilities on every release.

Since the app had to pull in a lot of data from ERP and supply chain systems, we45’s assessment focused on uncovering flaws that would allow unauthorised access to data, or manipulation of data in transit.

This was where our client saw their most serious security vulnerabilities, including unrestricted file uploads by users and lower-privilege users being able to access datasets they weren’t authorised for. Naturally, this wasn’t good for data confidentiality.

The company’s engineers worked quickly. By using randomly generated values to identify datasets in the backend, they remediated the vulnerabilities we’d identified, patching up the most critical ones first.
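The remediation described above, as an added illustration (this is example code, not Credit Saison’s or we45’s): a dataset store keyed by predictable sequential IDs with no ownership check, beside one keyed by random identifiers that also checks the caller on every read. The class and function names and the sample users are this example’s own; the point it adds is that the random identifier makes enumeration impractical, while the ownership check is what actually stops a guessed or leaked ID from being enough.

```python
"""Added example, not Credit Saison's or we45's code. Contrasts a dataset
lookup that uses sequential IDs and ignores the caller with one that uses
random identifiers and enforces ownership. All names are this example's own."""
import secrets
from dataclasses import dataclass


@dataclass
class Dataset:
    owner: str
    name: str


class PredictableStore:
    """Insecure pattern: IDs are 1, 2, 3, ... and get() ignores the caller."""

    def __init__(self):
        self._items = {}
        self._next_id = 1

    def add(self, owner, name):
        ds_id = self._next_id
        self._next_id += 1
        self._items[ds_id] = Dataset(owner, name)
        return ds_id

    def get(self, caller, ds_id):
        # Missing authorisation: whoever supplies a valid ID reads the record.
        return self._items.get(ds_id)


class HardenedStore:
    """Random identifiers make enumeration impractical; the ownership check
    makes a leaked or guessed ID insufficient on its own."""

    def __init__(self):
        self._items = {}

    def add(self, owner, name):
        ds_id = secrets.token_urlsafe(16)  # 128 bits from the OS CSPRNG
        self._items[ds_id] = Dataset(owner, name)
        return ds_id

    def get(self, caller, ds_id):
        ds = self._items.get(ds_id)
        if ds is None or ds.owner != caller:
            # One response for "missing" and "not yours" so a caller cannot
            # learn whether a dataset exists.
            raise PermissionError("dataset not found or access denied")
        return ds


def readable_by(store, caller, candidate_ids):
    """Audit helper: how many of candidate_ids does `caller` get back?"""
    count = 0
    for ds_id in candidate_ids:
        try:
            if store.get(caller, ds_id) is not None:
                count += 1
        except PermissionError:
            pass
    return count


def demo():
    """Constructed data: two of alice's datasets and one of bob's in each store."""
    weak, strong = PredictableStore(), HardenedStore()
    for store in (weak, strong):
        store.add("alice", "q1-ledger")
        store.add("alice", "q2-ledger")
        store.add("bob", "payroll")
    weak_leak = readable_by(weak, "bob", range(1, 4))      # bob reads all three
    strong_leak = readable_by(strong, "bob", range(1, 4))  # integers are not valid IDs
    return weak_leak, strong_leak


if __name__ == "__main__":
    print("records readable by bob (predictable, hardened):", demo())
```

In a real service the ownership check would consult the session or token rather than a caller string, and the random ID would be stored as the primary key or a unique indexed column; the shape of the check is the same.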


Break through the cloud

We then shifted our focus to their cloud environment, identifying misconfigurations across all their AWS services, including IAM, logging and monitoring, secrets management, and storage and networking controls.

We assisted their engineering team in incorporating secure configurations in their CloudFormation (CFN) scripts. With our help, they were able to change how developers provisioned services and deployed their apps.
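As an added example of what “secure configurations in CloudFormation scripts” can be checked for automatically (this is example code, not we45’s tooling or Credit Saison’s templates), the checker below walks a CloudFormation template and flags a few of the misconfiguration classes named above: storage (S3 buckets without public-access blocking or default encryption), networking (security groups open to the world), IAM (allow-everything policies) and secrets (plaintext secrets in Lambda environment variables). The template is a constructed dict standing in for a parsed JSON/YAML file, and the rule names are this example’s own; the resource types and property names are real CloudFormation ones.

```python
"""Added example, not we45's or Credit Saison's code. Scans a CloudFormation
template (a constructed dict here, as yaml/json parsing would produce) for
common misconfigurations. Rule names are this example's own."""

PUBLIC_BLOCK_KEYS = ("BlockPublicAcls", "BlockPublicPolicy",
                     "IgnorePublicAcls", "RestrictPublicBuckets")
SECRET_HINTS = ("SECRET", "PASSWORD", "TOKEN", "API_KEY")


def _as_list(x):
    return x if isinstance(x, list) else [x]


def check_bucket(name, props):
    findings = []
    pab = props.get("PublicAccessBlockConfiguration", {})
    if not all(pab.get(k) is True for k in PUBLIC_BLOCK_KEYS):
        findings.append((name, "S3_PUBLIC_ACCESS_NOT_BLOCKED"))
    if "BucketEncryption" not in props:
        findings.append((name, "S3_NO_DEFAULT_ENCRYPTION"))
    return findings


def check_security_group(name, props):
    findings = []
    for rule in props.get("SecurityGroupIngress", []):
        if rule.get("CidrIp") == "0.0.0.0/0" or rule.get("CidrIpv6") == "::/0":
            ports = f"{rule.get('FromPort')}-{rule.get('ToPort')}"
            findings.append((name, f"SG_WORLD_OPEN_INGRESS:{ports}"))
    return findings


def check_iam_role(name, props):
    findings = []
    for policy in props.get("Policies", []):
        doc = policy.get("PolicyDocument", {})
        for stmt in _as_list(doc.get("Statement", [])):
            if stmt.get("Effect") != "Allow":
                continue
            if "*" in _as_list(stmt.get("Action", [])) and \
               "*" in _as_list(stmt.get("Resource", [])):
                findings.append((name, "IAM_ADMIN_WILDCARD"))
    return findings


def check_lambda(name, props):
    findings = []
    env = props.get("Environment", {}).get("Variables", {})
    for key, value in env.items():
        looks_secret = any(h in key.upper() for h in SECRET_HINTS)
        # A literal string is a plaintext secret; a {{resolve:...}} dynamic
        # reference or a Ref/GetAtt dict is resolved at deploy time instead.
        literal = isinstance(value, str) and not value.startswith("{{resolve:")
        if looks_secret and literal:
            findings.append((name, f"LAMBDA_PLAINTEXT_SECRET:{key}"))
    return findings


CHECKS = {
    "AWS::S3::Bucket": check_bucket,
    "AWS::EC2::SecurityGroup": check_security_group,
    "AWS::IAM::Role": check_iam_role,
    "AWS::Lambda::Function": check_lambda,
}


def scan_template(template):
    """Return sorted (logical_id, rule) findings for every checked resource."""
    findings = []
    for name, res in template.get("Resources", {}).items():
        check = CHECKS.get(res.get("Type"))
        if check:
            findings.extend(check(name, res.get("Properties", {})))
    return sorted(findings)


# Constructed sample template: one weak and one hardened bucket, a world-open
# security group, an over-broad role and a function with a literal password.
SAMPLE_TEMPLATE = {"Resources": {
    "WeakBucket": {"Type": "AWS::S3::Bucket", "Properties": {}},
    "HardenedBucket": {"Type": "AWS::S3::Bucket", "Properties": {
        "PublicAccessBlockConfiguration": {k: True for k in PUBLIC_BLOCK_KEYS},
        "BucketEncryption": {"ServerSideEncryptionConfiguration": [
            {"ServerSideEncryptionByDefault": {"SSEAlgorithm": "aws:kms"}}]}}},
    "AdminSg": {"Type": "AWS::EC2::SecurityGroup", "Properties": {
        "GroupDescription": "constructed example",
        "SecurityGroupIngress": [
            {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22, "CidrIp": "0.0.0.0/0"},
            {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443, "CidrIp": "10.0.0.0/8"}]}},
    "BuildRole": {"Type": "AWS::IAM::Role", "Properties": {
        "AssumeRolePolicyDocument": {},
        "Policies": [{"PolicyName": "too-broad", "PolicyDocument": {
            "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}]}}]}},
    "Worker": {"Type": "AWS::Lambda::Function", "Properties": {
        "Environment": {"Variables": {
            "DB_PASSWORD": "hunter2-constructed",
            "API_TOKEN": "{{resolve:secretsmanager:example-secret:SecretString:token}}"}}}},
}}

if __name__ == "__main__":
    for logical_id, rule in scan_template(SAMPLE_TEMPLATE):
        print(f"{logical_id}: {rule}")
```

A checker like this is most useful as a pipeline gate: fail the build when `scan_template` returns anything, so the insecure pattern never reaches the account. The rules here are deliberately simple; the hardened bucket in the sample shows the shape a template must have to pass the storage checks.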

Our team generated detailed reports on all the flaws we identified, and assisted the company’s engineers in systematically mitigating each one. In doing so, we ensured only secure container images would be included in their container repository.

Automation is the future

“We have been working with the we45 team for the past 5 years between 2 companies,” said Dev Pathi, Head of Technology at Credit Saison. “Their approach to security is a carefully calculated one along with the execution approach. Their team of expert and articulate consultants provide a holistic 360-degree approach to security and push us to think about it right from development to deployment. The empowerment from working with we45 has us thinking of security as a proactive process rather than a passive reactive one.”

we45 is currently working with Credit Saison to introduce automation where it matters most: in the cloud and application security assessment process. We’re also building a custom attack library mapped to attack vectors that we outlined in our Threat Models.

The results generated will be pushed into Orchestron, we45’s own Application Vulnerability Correlation (AVC) platform for automatic vulnerability management. By optimising their framework, we’re actively enabling developers to fix bugs faster and deploy securely on each release.

With we45’s involvement, the company now has the confidence not only to offer their clients a cutting-edge tech stack for their apps but, equally importantly, to assure them of industry-leading security standards that were simply not possible before.

Want to fire up your security automation engines but can’t find the button?