Risk and Vulnerability Analyses at The Norwegian Directorate of Agriculture

twoday has delivered two risk and vulnerability analyses at a technical level for two different delivery teams at the Norwegian Directorate of Agriculture (Landbruksdirektoratet, LDIR).

 

Both are performed with NIST SP800-39 RMF (Risk Management Framework). Threat modelling, technical interviews with developers, code analysis and a simple security test were carried out using well-known tools such as Burp Suite, Nmap, Wireshark, SQLmap and so on.

Flexible security in deliveries

twoday has run several delivery teams at LDIR that have used elements from development methodologies such as DevSecOps and SDL (Microsoft Secure Development Lifecycle). This has involved roles and responsibility descriptions, threat modelling, risk and vulnerability analyses, handling of third-party libraries and frameworks, input validation and security testing.

The development teams are run by a Security Champion who ensures that development takes care of security and privacy as the Danish Data Protection Authority's "Software development with built-in privacy" and GDPR recommend and require. There has been a strong focus on control of third-party libraries and frameworks (software supply chain) and Input Validation.

To menn og en dame står og prater sammen

Security Consultancy

twoday has also assisted LDIR with advice in connection with Landbruks- og matCERT. Here, a guide was developed for how LDIR could conduct secure communication with external whistleblowers, internally between everyone subject to Landbruks- and foodCERT and with NorCERT. Secure routines for encrypted email exchange, encrypted document sharing, encrypted phone calls and video calls.

Results

  • Made visible areas where there is a need for increased security
  • Threat modelling and vulnerability analysis of solutions on traditional infrastructure
  • Threat modelling and vulnerability analysis of solutions on cloud-based infrastructure
  • Delivered implementation guides for secure (encrypted) communication
  • Performed security test with recognized methodologies and tools
  • Performed security code analysis