Problem Description:
Edmodo had a growing set of submissions from their bug bounty program and not enough bandwidth to process them. Developers also needed guidance on secure coding practices, as security bugs caused by insecure code were an issue.
Solutions Highlights:
With a large set of bugs to process, we began by organizing and prioritizing the existing security bugs based on severity and business needs. We then reviewed the security bugs to verify them using tools such as Burp Suite and nmap. Valid security bugs were documented and assigned to Edmodo team members to be addressed. For some security bugs, we submitted code fixes and security enhancements, then tested and verified them in the QA and Production environments. We produced security training material and held training sessions for developers to provide guidance on secure coding practices for Ruby on Rails and ReactJS. The topics covered common OWASP categories and findings from the bug reviews. We also performed penetration tests on the Edmodo web application and Android mobile application and produced findings.
Preparing for potential security incidents and risks is a crucial part of building a mature security ecosystem. Security incidents can have serious material and reputational impact. Effectively designed and documented security standards can mitigate these risks and provide a consistent process for responding to incidents quickly. Depending on the industry, many companies and organizations are subject to audits that verify security standards have been established, documented, and complied with.
Establishing such documentation can be complicated and requires broad collaboration. We began by conducting a comprehensive review of the company's existing security documentation. We then collaborated with technical leadership to integrate a security documentation process into their Secure Development Lifecycle (SDLC) process. Engaging with teams and attending scrum meetings was beneficial for staying aware of current and upcoming features and designs that impact security. We collaborated to produce security standards and documentation for the company. These documents include, but are not limited to, Security Risk Assessments and Product Requirement Documents.