twoday has delivered two risk and vulnerability analyses at a technical level for two different delivery teams at the Norwegian Directorate of Agriculture (Landbruksdirektoratet, LDIR).
Both are performed with NIST SP800-39 RMF (Risk Management Framework). Threat modelling, technical interviews with developers, code analysis and a simple security test were carried out using well-known tools such as Burp Suite, Nmap, Wireshark, SQLmap and so on.
twoday has run several delivery teams at LDIR that have used elements from development methodologies such as DevSecOps and SDL (Microsoft Secure Development Lifecycle). This has involved roles and responsibility descriptions, threat modelling, risk and vulnerability analyses, handling of third-party libraries and frameworks, input validation and security testing.
The development teams are run by a Security Champion who ensures that development takes care of security and privacy as the Danish Data Protection Authority's "Software development with built-in privacy" and GDPR recommend and require. There has been a strong focus on control of third-party libraries and frameworks (software supply chain) and Input Validation.
twoday has also assisted LDIR with advice in connection with Landbruks- og matCERT. Here, a guide was developed for how LDIR could conduct secure communication with external whistleblowers, internally between everyone subject to Landbruks- and foodCERT and with NorCERT. Secure routines for encrypted email exchange, encrypted document sharing, encrypted phone calls and video calls.