
Risk and Vulnerability Analyses at The Norwegian Directorate of Agriculture

twoday assisted the agency with efforts to strengthen the security of their infrastructure and communications. 

The Challenge

The Norwegian Directorate of Agriculture (Landbruksdirektoratet, LDIR) wanted assistance with risk and vulnerability analyses. twoday worked with two analyses at a technical level for two different delivery teams at LDIR.


The Solution

Both analyses were performed according to the NIST SP800-39 RMF (Risk Management Framework). Threat modelling, technical interviews with developers and code analysis were carried out, together with a simple security test using tools such as Burp Suite, Nmap, Wireshark and SQLmap.

twoday has run several delivery teams at LDIR that have used elements from development methodologies such as DevSecOps and SDL (Microsoft Secure Development Lifecycle). This has involved roles and responsibility descriptions, threat modelling, risk and vulnerability analyses, handling of third-party libraries and frameworks, input validation and security testing.

The development teams are run by a Security Champion who ensures that development takes care of security and privacy, as the Danish Data Protection Authority's "Software development with built-in privacy" and GDPR recommend and require. There has been a strong focus on control of third-party libraries and frameworks (software supply chain) and on input validation.

twoday has also assisted LDIR with advice in connection with Landbruks- og matCERT. Here, a guide was developed for how LDIR could conduct secure communication with external whistleblowers, internally between everyone subject to Landbruks- og matCERT, and with NorCERT. This also included secure routines for encrypted email exchange, encrypted document sharing, encrypted phone calls and video calls.

The Value

These are some of the main areas where twoday helped:

  • Identified areas where security needs to be strengthened
  • Threat modelling and vulnerability analysis of solutions on traditional infrastructure
  • Threat modelling and vulnerability analysis of solutions on cloud-based infrastructure
  • Delivered implementation guides for secure (encrypted) communication
  • Performed security testing with recognised methodologies and tools
  • Performed security code analysis