Security Dashboard — Part 1

Team Merlin
Government Digital Products, Singapore
Sep 16, 2019

Hello! We’re back! Hope we didn’t make you wait too long for our updates! :)

So in our previous post, we briefly mentioned Merlin’s core duties:

  • Conduct monthly security scan and manual secure code review (CR)
  • Perform quarterly internal penetration testing (PT)
  • Organise monthly security review with the product teams

All findings from both internal and external security scans/testing are stored in our own database. The purpose is for us to gather and compare results from all DCube product teams and get some insights such as:

  • What DCube’s security health (in general) is like
  • How each product team is progressing (are they getting better each month?)
  • What are the common libraries used and vulnerabilities faced across all teams, and the solution(s) to resolve the vulnerabilities
  • What the common (security) gaps are and how to close them

To achieve what’s mentioned above, Merlin has come up with our own security dashboards!

Er… Actually we only designed the database schema, uploaded the data into the database, and wrote database scripts to pull data lah; Grafana did most of the work. Haha!

We’ve come up with a few dashboards to cater for different audience groups. Let’s take a look at one of the dashboards Merlin has (the rest of the dashboards will be explained more in-depth in the next few upcoming posts)! #excited

Disclaimer:
All information in the charts has been sanitised due to data sensitivity and confidentiality. Also, whatever dashboard you’re seeing isn’t finalised; we’re constantly improving on it!

Overview Security Posture of DCube products

Did you notice this dashboard around Hive’s level 8 dry pantry area?

If your answer is no, you probably need to start looking around your surroundings! >__<

Anyway, the purpose of this dashboard is to let everyone (the management and the product teams) in DCube see what each product’s security health status is like; it acts as a constant reminder to all, and hopefully it makes people panic when they see a rise in the trendline chart! =P

Continue reading to understand more about each segment of the dashboard!

Note: We’ve sliced the above dashboard into segments so that you don’t have to scroll up and down!

(1): Security Posture of DCube products

The trendline shows the combined amount of security vulnerabilities found in both penetration testing (PT) and secure code review (CR) for all DCube products on a monthly basis.

We do notice that there will always be an increase in the number of vulnerabilities each time we on-board a new product team. But that’s alright. We all make mistakes… What matters is we learn from one another and progress together as one! :)

(2): Top 10 most common vulnerabilities found in secure manual code review

Our secure manual code review includes identifying any bad coding practices, potential security loopholes due to system design or business requirements, and also ensuring the products are IM8 compliant.

(3) & (4): Top 10 most common vulnerabilities and libraries found in code scan

Our automated code scan currently only covers the open-source libraries/dependencies. Well, we’re still in the midst of looking for good code scan tools for the kind of framework we’re using. If you have any recommendations, please speak to anyone in Merlin. Thanks in advance! ❤

(5): The Mean-Time-to-Mitigate values (in days) for PT and CR

This gives us an insight into the average time the product teams take to resolve all the security vulnerabilities found in both PT and secure CR. The fewer days taken to resolve, the better it is! Besides, it also shows how mature the product teams are in terms of security knowledge.
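To show how segments (1) and (5) can be pulled from a findings table, here is an added example (not Merlin’s actual schema or scripts): a hypothetical `finding` table in SQLite with constructed sample rows, a monthly PT+CR count for the trendline, and a Mean-Time-to-Mitigate query that only averages resolved findings, so still-open findings are counted separately instead of silently dragging the average around.

```python
import sqlite3

# Constructed sample data for a hypothetical schema (not real product findings).
# Columns: product, source ("PT" or "CR"), title, found_on, resolved_on (None = still open).
FINDINGS = [
    ("product-a", "PT", "SQL injection",       "2019-05-10", "2019-05-20"),
    ("product-a", "CR", "Hard-coded secret",   "2019-05-12", "2019-06-01"),
    ("product-b", "CR", "Missing input check", "2019-06-03", "2019-06-08"),
    ("product-b", "PT", "Weak TLS config",     "2019-06-15", None),
    ("product-c", "PT", "Outdated dependency", "2019-07-02", "2019-07-12"),
]


def load_db():
    """Create an in-memory findings table and load the constructed rows."""
    con = sqlite3.connect(":memory:")
    con.execute("""CREATE TABLE finding (
        product TEXT, source TEXT, title TEXT,
        found_on TEXT, resolved_on TEXT)""")
    con.executemany("INSERT INTO finding VALUES (?,?,?,?,?)", FINDINGS)
    return con


def monthly_trend(con):
    """Segment (1): vulnerabilities found per month, PT and CR combined."""
    rows = con.execute("""SELECT substr(found_on, 1, 7) AS month, COUNT(*)
        FROM finding GROUP BY month ORDER BY month""").fetchall()
    return dict(rows)


def mean_time_to_mitigate(con, source):
    """Segment (5): average days from found to resolved for PT or CR.
    Open findings are excluded here; report them with open_findings()."""
    row = con.execute("""SELECT AVG(julianday(resolved_on) - julianday(found_on))
        FROM finding WHERE source = ? AND resolved_on IS NOT NULL""", (source,)).fetchone()
    return round(row[0], 1) if row[0] is not None else None


def open_findings(con):
    """Count of unresolved findings per product, so they are not hidden by the average."""
    rows = con.execute("""SELECT product, COUNT(*) FROM finding
        WHERE resolved_on IS NULL GROUP BY product""").fetchall()
    return dict(rows)


if __name__ == "__main__":
    db = load_db()
    print(monthly_trend(db))                 # {'2019-05': 2, '2019-06': 2, '2019-07': 1}
    print(mean_time_to_mitigate(db, "PT"))   # 10.0
    print(mean_time_to_mitigate(db, "CR"))   # 12.5
    print(open_findings(db))                 # {'product-b': 1}
```

In Grafana the same `SELECT` statements would sit in the panel’s query box against the real database.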

(6): #magicNuggets

One of Merlin’s initiatives is to provide best-practice tips to everyone, be it developers, quality engineers, or the UI/UX designers! Tips such as preventing apps from being installed and used on rooted devices, why trading usability for beauty is a risky thing to do, and some other testing tips will be shared on a weekly basis. Well, sharing is caring right?

Coming up with data-driven dashboards has definitely helped Merlin gain lots of insights, like which vulnerable open-source libraries are commonly used across all the product teams and which mistakes are commonly made…

Alrighttttttt! We shall end our first dashboard post here! We’ll be looking at the overview dashboards for both penetration testing and secure code review in our next post. So do look out for it!

If you have any questions or you’re curious about our security dashboard, please leave your comments below or if you’re in our office, feel free to speak to anyone from Merlin! #dontSayBojio

- Merlin
