IT homework – software review methodology

Challenge: Blue Jean Challenge

Our customers often ask us to evaluate the security of commercial and open source tools. These requests come from all parts of our customers’ organizations, and include everything from engineers that are hoping to install software to make development easier, to marketing teams looking to install collaborative design software to design new campaigns, all the way to proposals for company-wide integration with third-party SaaS platforms to help with onboarding and offboarding. Our role is to identify security risks that might be introduced by this new software and help our customers decide if the risk is acceptable.

For this exercise, the CTO of Tacolara has tasked you with evaluating Bluejeans for video conferencing. They want to use Bluejeans for both internal meetings and interactions with their customers. Your job is to come up with a software review methodology and apply it to the Bluejeans Desktop application to identify risks. As with the browser extension exercise, your methodology should test for data handling issues as well as issues in the Bluejeans application itself: things like exposed ports in the application and insecure communication with the Bluejeans site are all in scope. We’re not looking for an end-to-end exploit against the Bluejeans Desktop application, but your methodology should be able to quickly identify areas of potential concern and bad smells that might be a sign of deeper security issues.

You’re welcome to use whatever tools make it easy to perform your assessment, and should document both the methodology and results of the review.

2. The Second Challenge is the Chrome Extension Challenge:

Here at Latacora, we’re frequently asked by our customers “is it safe to install this Chrome Extension?”

Chrome Extensions sit in the browser with an array of permissions that could give them access to the DOM, capture audio, or exfiltrate sensitive client data off to the Isle of Mypos. As such, browser extensions are an area of rapidly growing concern, and we have to evaluate them carefully, giving careful consideration to the business purpose, before giving the green light.

For this challenge we would like for you to:

1. Create a methodology for evaluating the security of a Chrome Extension. This methodology should:
 – Identify the use case of the extension.
 – Analyse the scopes and permissions requested from the browser by the extension and describe any concerns you have with them.
 – Outline any data handling concerns with the extension. Is the data it has access to appropriate and safe?
 – Analyse the extension for technical issues. Are there any concerns with the code or its dependencies?
 – Document any open source or online tools you used as part of your evaluation.
 – Perform due diligence on the vendor’s security posture.
 – Identify any additional components of the extension, such as a service account that might have privacy concerns.
 – Come up with a reporting format that can serve as the output to a client.

2. Apply this methodology to analyze the Grammarly browser extension for the Tacolara LLC client.
 – Ask us any questions you’d want to ask as part of your methodology, and, wearing our Tacolara hat, we’ll answer them.
 – Submit your documented appraisal, including a summary of any caveats that might make a “Yes” into a “No”, or vice versa.
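
One way to begin the scopes-and-permissions step of the extension methodology, as an added example that is not part of the original challenge text: a Python triage of an extension's manifest.json. The function name `review_manifest`, the risk notes and the sample manifest are assumptions constructed for illustration, not an official Chrome risk rating or any real extension's manifest.

```python
import json

# Reviewer's triage notes (assumptions for this example, not an official rating).
HIGH_RISK_APIS = {
    "cookies": "can read cookies for permitted hosts",
    "webRequest": "can observe network requests",
    "debugger": "can attach the debugging protocol to tabs",
    "nativeMessaging": "can talk to a native program outside the browser",
    "tabCapture": "can capture tab audio/video",
    "desktopCapture": "can capture screen content",
    "scripting": "can inject scripts into permitted pages",
    "tabs": "can read the URL and title of open tabs",
}
BROAD_HOSTS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}

# Constructed sample manifest (hypothetical extension, not a real product).
SAMPLE_MANIFEST = json.loads("""{
  "manifest_version": 3, "name": "Example Writing Helper (constructed)",
  "permissions": ["storage", "cookies", "scripting"],
  "host_permissions": ["https://app.example.com/*"],
  "content_scripts": [{"matches": ["<all_urls>"], "js": ["content.js"]}]
}""")


def review_manifest(manifest):
    """Return sorted (severity, item, reason) findings for a parsed manifest.json."""
    findings = []
    raw = manifest.get("permissions", []) + manifest.get("optional_permissions", [])
    declared = [p for p in raw if isinstance(p, str)]
    hosts = manifest.get("host_permissions", []) + manifest.get("optional_host_permissions", [])
    # Manifest V2 mixes host patterns into "permissions"; split them out.
    hosts += [p for p in declared if p == "<all_urls>" or "://" in p]
    for perm in declared:
        if perm in HIGH_RISK_APIS:
            findings.append(("high", perm, HIGH_RISK_APIS[perm]))
    # Content-script match patterns grant DOM access even without host permissions.
    for script in manifest.get("content_scripts", []):
        hosts += script.get("matches", [])
    for host in set(hosts):
        if host in BROAD_HOSTS:
            findings.append(("high", host, "applies to every site the user visits"))
        else:
            findings.append(("info", host, "scoped access; confirm it matches the use case"))
    return sorted(findings)


if __name__ == "__main__":
    for severity, item, reason in review_manifest(SAMPLE_MANIFEST):
        print(f"[{severity}] {item}: {reason}")
```

Each "high" finding is a prompt for the data handling and business-purpose questions in the methodology, not a verdict on its own.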