Case study
SafetyToolbox: AWS security architecture review
The Client
SafetyToolbox are a consultancy that provide health and safety services, including SafetyToolbox Online, their flagship software system that is designed to be easy to use and to make a big difference to the way customers view health and safety management and reporting.
The Problem
Prior to going live, the SafetyToolbox Online development team wanted to ensure that the system met AWS and industry security best practices. They did not have a dedicated security professional within their team, so they engaged Hydras to perform a security review of their AWS infrastructure. The aim was to highlight any potential security gaps, ordered by priority, so that the team could work on closing these before releasing the system.
The Solution
Hydras security consultants performed a deep-dive security architecture review on the environment. They began with the 'discovery' phase. The aim of this phase was to document the 'as-is' state of the SafetyToolbox environment. Hydras consultants worked with the SafetyToolbox team to understand their current technical architecture, security personnel, and any security policies, procedures, standards and processes. In addition, the consultants documented and ranked assets (such as data), which would help prioritise the remediation of any security gaps that were raised in later stages.
Next the Hydras team started the 'review' phase. The aim of this phase was to identify any security gaps between the as-is environment and the target best practices whilst identifying any potential vulnerabilities. During this phase they reviewed the security of the as-is environment via a mixture of discussion and automated tooling. First, an AWS Well-Architected review was performed, and then automated tooling was run which scanned the current environment against AWS and CIS best practices. Lastly, Hydras consultants performed a security deep dive on each AWS component used within the system design.
Finally the Hydras team conducted the 'reporting' phase. Here the consultants conducted a risk review against each of the security gaps and vulnerabilities highlighted, taking into account the previously ranked assets. Based on this, risks were documented in order of criticality along with suggested remediations. Hydras also documented a proposed "to-be" (target) architecture which included the required changes to the current environment in order to close the most critical risks. This allowed the SafetyToolbox team to evaluate the risks and make the proposed changes to their environment in a prioritised order.
As part of a separate stream of work, the Hydras team worked with the SafetyToolbox developers to make the recommended changes.
The Outcome
The SafetyToolbox team were able to successfully update their AWS environment, reducing their security risk and improving their security posture with the help of Hydras security consultants. This gave the development team the confidence to go ahead with the release of SafetyToolbox Online within their desired timescales.