CRED, a FinTech commerce company and BSIMM member since early 2022, underwent a BSIMM assessment to benchmark its security processes.
CRED, a FinTech commerce company launched in 2018, provides its members with a distinguished FinTech experience through elegant financial services and delightful lifestyle features. It has a strong ethos of meeting member demands, and a #SecurityFirst culture has been ingrained at CRED since its inception.
CRED has been a member of the BSIMM community since early 2022. By undergoing a BSIMM assessment, CRED wanted to identify and, if necessary, correct any maturity gaps before proceeding with further growth.
The security team at CRED strongly believes in building a great team of engineers and in establishing a solid information security presence. The team is involved in the research and development of CRED’s ever-growing security ecosystem. CRED’s security team has successfully implemented
CRED’s fast-paced software development cycles regularly undergo rigorous security reviews, with, for example, more than 500 internal microservices updated multiple times a day, changes that are deployed in several iterations (during release cycles), and mobile applications that are thoroughly tested before shipping. Furthermore, weekly, quarterly, and annual vulnerability assessment and penetration testing (VAPT) activities are scheduled as part of the vulnerability management process.
—Himanshu Das, CISO, CRED
The security team has also deployed numerous automations that integrate and aid the overall security review process. Patronus and Adhrit, two such automations, are available as open source to the security community. These automations helped CRED reduce the time needed to complete the overall security review process.
CRED’s security team is only three years old, and its security posture is reaching that of organizations further along in their security journey. The average age of organizations that scored near CRED in the BSIMM assessment is 9.6 years. CRED could be considered one of the industry’s few young companies with this level of maturity.
Figure 1: BSIMM score distribution
CRED’s BSIMM assessment helped its security team identify areas of potential growth and gain deep insights into maturity gaps in its internal processes. Figure 2 shows CRED’s current posture measured against the security practices that BSIMM uses as yardsticks, compared with the average of organizations that have already been assessed under BSIMM.
Figure 2: CRED compared to the average of other BSIMM assessments
As part of CRED’s BSIMM assessment process, assessors met with multiple CRED stakeholders from different teams, which helped them understand CRED’s working processes. Discussions during the assessment emphasized that software release cycles go hand in hand with thorough security review processes. CRED’s #SecurityFirst culture also includes additional activities, such as security hackathons and advanced learning sessions, that keep the overall security posture maturing and growing.
CRED’s BSIMM assessment was performed meticulously by certified assessors and subject matter experts with years of expertise. The assessment and its team helped CRED accomplish its objectives of assessing itself, identifying room for improvement, and benchmarking itself against maturity models adopted by organizations across the globe. The BSIMM assessment results were clear in their discoveries, including all aspects of the executive summary and ingrained technical details, in addition to well-defined metrics.
—CRED Security Team