SafetyToolbox are a consultancy that provides health and safety services, including SafetyToolbox Online, their flagship software system, which is designed to be easy to use and to change the way customers approach health and safety management and reporting.

Shutting Security Gaps Before Launch

Prior to going live, the SafetyToolbox Online development team wanted to ensure that the system met AWS and industry security best practices. They did not have a dedicated security professional within their team, so they engaged Hydras, part of the Acora Group, to perform a security review of their AWS infrastructure. The aim was to highlight any potential security gaps, ordered by priority, so that the team could work on closing these before releasing the system.

Uncovering Gaps and Building Resilience

Hydras security consultants performed a deep-dive security architecture review of the environment. They began with the ‘discovery’ phase, whose aim was to document the ‘as-is’ state of the SafetyToolbox environment. Hydras consultants worked with the SafetyToolbox team to understand their current technical architecture, their security personnel, and any existing security policies, procedures, standards and processes. In addition, the consultants documented and ranked assets (such as data) so that the remediation of any security gaps raised in later stages could be prioritised by the value of what they exposed.

Next, the Hydras team started the ‘review’ phase. The aim of this phase was to identify any security gaps between the as-is environment and the target best practices, while also identifying any potential vulnerabilities. During this phase, they reviewed the security of the as-is environment through a mixture of discussion and automated tooling. First, an AWS Well-Architected review was performed; then automated tooling was run to scan the current environment against AWS and CIS best practices. Finally, Hydras consultants performed a security deep dive on each AWS component used within the system design.

Finally, the Hydras team conducted the ‘reporting’ phase. Here, the consultants performed a risk review of each security gap and vulnerability highlighted, taking into account the previously ranked assets. Based on this, risks were documented in order of criticality, each with a suggested remediation. Hydras also documented a proposed ‘to-be’ (target) architecture, which set out the changes required to the current environment to close the most critical risks. This allowed the SafetyToolbox team to evaluate the risks and make the proposed changes to their environment in a prioritised order.

As part of a separate stream of work, the Hydras team worked with the SafetyToolbox developers to make the recommended changes.

Stronger Security, Smooth Release

With the help of Hydras security consultants, the SafetyToolbox team were able to update their AWS environment successfully, reducing their security risk and strengthening their security posture. This gave the development team the confidence to go ahead with the release of SafetyToolbox Online within their desired timescales.