DevSecOps Service for Airport Operations Management Platform

INPUT SOFT owns a web & mobile platform that helps aviation companies put legacy and paper-based processes on digital rails. As a fast-growing startup, they wanted to build security excellence early on and engaged our team to ensure their product complies with the best practices.

We analyzed the Client’s requirements and, based on their business context, suggested the DevSecOps approach as an optimal way to cover their security needs. This allowed us to identify issues down to their source and help the Client lay a solid foundation for long-term security. INPUT SOFT loved the plan, so as a part of the approach, we:

• Conducted a two-round security code audit to detect vulnerabilities in source code and external system components
• Document all the findings and break down issues by severity in a detailed security audit report
• Provided general security recommendations and actionable suggestions on remediation steps

As the INPUT SOFT platform is a constantly evolving product, we knew the traditional ways for security inspection, like audits or pen-testing, might be unnecessary time- and cost-consuming in their case. Thus, we opted to perform a security code audit, combining DevSecOps principles and tools to maximize the efficiency of the assessment.

Since the audit involved activities on different layers, we created a phased roadmap. It helped us streamline the overall process and ensure that no vulnerability remained unmarked. The key phases of the security code audit included:

• Static Application Security Testing (SAST) to identify vulnerabilities in code and mitigate risks early in the development process
• Software Composition Analysis (SCA) to inspect external components and dependencies and ensure they are secure, up-to-date, and comply with regulatory requirements
• Codebase secrets detection to safeguard that no sensitive data like passwords or API keys can be exposed

DevSecOps approach emphasizes continuous monitoring of the security framework, so we’ve planned the reassessment phase from the outset. Thus, once the first audit round was finished, we provided the Client with recommendations on improving security practices and remediation steps to help fix revealed vulnerabilities.

INPUT SOFT wasted no time and quickly moved to addressing the issues. It included updating 3rd-party dependencies and implementing secure coding mechanisms. As a result, our second round of security code audit showed that the Client eliminated the critical flaws, according to our suggestions that included:

• Prevention of OS Command Injection to ensure no unauthorized system commands could be executed
• Removal of Hard-coded credentials to mitigate password exposure
• Correction of permissions assignment to safeguard proper access controls
• Mitigation of SQL Injection risks to secure database queries from attacks
• Restriction of Cross-Site Request Forgery (CSRF) to block unauthorized actions