CRED, a fintech company and BSIMM member since early 2022, underwent a BSIMM assessment to benchmark their security processes.
CRED, launched in 2018, provides financial services and lifestyle features, and has been a member of the BSIMM community since early 2022. CRED provides a wide variety of product offerings from lifestyle to personal finance. It has a strong ethos of upholding and meeting clients’ demands, and a #SecurityFirst mindset has been ingrained in CRED’s culture from its start.
The security team at CRED strongly believes in building a great team of engineers and in the importance of establishing a strong information security presence. The team is involved in research and development of CRED’s ever-growing security ecosystem. CRED’s security culture includes:
Advanced learning sessions: Each week, team members conduct research into emerging security flaws and lead educational sessions for the security team. These sessions include a deep dive into new security vulnerabilities, how they can be exploited, their mitigations, and a capture-the-flag challenge for team members to fully understand the vulnerability.
CRED’s fast-paced software development cycles regularly undergo rigorous security reviews, with, for example, more than 350 internal microservices updated multiple times a day, changes that are deployed in several iterations (during release cycles), and mobile applications that are thoroughly tested before shipping. Furthermore, as part of the vulnerability management process, weekly, quarterly, and annual vulnerability assessments and penetration testing (VAPT) activities are scheduled.
The security team has also deployed automations that integrate with and aid the overall security review process. Patronus and Adhrit, two of these automations, are available as open source to the security community. These automations helped CRED reduce the time needed to complete the security review process overall. Given all this, the company wanted to benchmark its current security posture to see how it ranked against other companies.
CRED opted to undergo a BSIMM assessment to identify and, if necessary, correct any maturity gaps before proceeding with further growth. Although only three years old, CRED’s security posture approaches that of more mature organizations.
CRED’s BSIMM assessment helped it identify areas of potential growth and gain deep insights about industry benchmarks as well as maturity gaps in its internal processes. Figure 1 shows CRED’s current posture, measured against multiple disciplines of security and compared with other organizations that have undergone BSIMM assessments.
Figure 1: CRED compared to other BSIMM assessments
As part of CRED’s BSIMM assessment, assessors met with multiple CRED stakeholders from a variety of teams to better understand CRED’s working processes. From the discussions that took place during the assessment, it became clear that software release cycles go hand-in-hand with thorough security review processes. CRED’s #SecurityFirst culture keeps the overall security posture maturing and growing.
“CRED’s BSIMM assessment was performed in a meticulous manner with certified assessors, subject matter experts with years of expertise. The assessment helped CRED accomplish its objectives of assessing, identifying room for improvement, and benchmarking itself against maturity models adopted by organizations across the globe. The BSIMM assessment results were clear in their discoveries, including all aspects of the executive summary, ingrained technical details, and well-defined metrics.”
—CRED Security Team