SECURITY FRAMEWORK

No one would leave home in the morning with their doors & windows unlocked, so why do organisations potentially do that with their technology? Trust is not a substitute for security.

Our security framework provides complete protection across the SDLC, utilising open source & commercial tooling in order to de-risk your product deployments. It incorporates:

Static Application Security Testing (SAST)

  • SAST tools scan raw source code for coding errors & flaws which could lead to exploitable vulnerabilities.
  • SAST tools can also be used to standardise code writing & can work in the developer's integrated development environment (IDE), providing instant feedback.
  • SAST tools are primarily used during the code, build & test phases of the software development life cycle (SDLC).

Software Composition Analysis (SCA)

  • SCA tools scan open-source & third-party components for known vulnerabilities. They also provide insight into security & license risks to accelerate prioritisation & remediation efforts.
  • SCA tools are primarily used during the build & test phases of the SDLC.

Automated Testing

  • Automating application testing is vital for interactive application security testing (IAST) & dynamic application security testing (DAST) products to fully analyse the application before production deployment. If the application is not fully analysed, application vulnerabilities & testing backdoors can be missed, exposing the application & user data.
  • Automated testing is primarily used during the test phase of the SDLC.

Tool Reporting Consolidation

  • Using multiple tools can create a product backlog nightmare, with several different consoles holding different data & even requiring manual intervention to send findings to a single ticketing system.
  • It's important to plan for this & develop a way to consolidate the defect findings from SAST, SCA, IAST, automated testing & DAST, so that application & product owners can understand & prioritise remedial actions from one view.
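As an added illustration of that consolidation step (example code written for this page, not the framework's own tooling), the script below maps three constructed tool exports onto one finding schema, drops a re-reported duplicate, and orders the merged backlog by severity. The export shapes, rule names and the advisory id are invented stand-ins, not any vendor's real format.

```python
# Added example, not the framework's own tooling: normalise three tools'
# exports into one schema so product owners get a single prioritised backlog.
# The input shapes are constructed stand-ins, not any vendor's real format.
import json

SEVERITY_RANK = {"critical": 4, "high": 3, "medium": 2, "low": 1, "info": 0}
SAST_LEVELS = {"error": "high", "warning": "medium", "note": "low"}

# Constructed sample exports, one per tool class.
SAST_EXPORT = json.dumps({"results": [
    {"ruleId": "sql-injection", "level": "error", "file": "app/db.py", "line": 42},
    {"ruleId": "weak-hash", "level": "warning", "file": "app/auth.py", "line": 17}]})
SCA_EXPORT = json.dumps({"vulnerabilities": [
    {"package": "requests", "version": "2.19.0", "advisory": "EXAMPLE-ADV-1",
     "severity": "HIGH"}]})
DAST_EXPORT = json.dumps({"alerts": [
    {"name": "Missing CSP header", "risk": "Low", "url": "/login"},
    {"name": "SQL Injection", "risk": "High", "url": "/search"},
    {"name": "SQL Injection", "risk": "High", "url": "/search"}]})  # re-reported alert

def normalise(tool, raw):
    """Map one tool's export onto the shared schema: tool, title, severity, location."""
    data = json.loads(raw)
    if tool == "sast":
        return [{"tool": tool, "title": r["ruleId"],
                 "severity": SAST_LEVELS.get(r["level"], "info"),
                 "location": f'{r["file"]}:{r["line"]}'} for r in data["results"]]
    if tool == "sca":
        return [{"tool": tool, "title": v["advisory"], "severity": v["severity"].lower(),
                 "location": f'{v["package"]}@{v["version"]}'} for v in data["vulnerabilities"]]
    if tool == "dast":
        return [{"tool": tool, "title": a["name"], "severity": a["risk"].lower(),
                 "location": a["url"]} for a in data["alerts"]]
    raise ValueError(f"unknown tool {tool!r}")

def consolidate(exports):
    """Merge every tool's findings, drop exact duplicates, order by severity."""
    merged, seen = [], set()
    for tool, raw in exports.items():
        for f in normalise(tool, raw):
            key = (f["tool"], f["title"], f["location"])
            if key not in seen:          # same finding re-reported on a re-scan
                seen.add(key)
                merged.append(f)
    return sorted(merged, key=lambda f: SEVERITY_RANK[f["severity"]], reverse=True)

if __name__ == "__main__":
    for f in consolidate({"sast": SAST_EXPORT, "sca": SCA_EXPORT, "dast": DAST_EXPORT}):
        print(f'{f["severity"]:<7} {f["tool"]:<5} {f["title"]} ({f["location"]})')
```

In practice the `normalise` branches would be replaced by parsers for the real exports (for example SARIF for SAST) and the consolidated list pushed to the ticketing system, but the schema and dedup key are the part that stays the same.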

Continuous Integration/Continuous Deployment (CI/CD) Pipelines

  • CI/CD is a method to constantly build, test & deliver apps through automation within the SDLC. With a consistent integration process, teams can commit code changes more rapidly, leading to better code quality & shorter application release cycles.

Runtime Application Security Protection (RASP)

  • RASP tools operate within the application runtime engine & act as an intrusion detection system (IDS) or intrusion prevention system (IPS).
  • RASP can detect, alert & block advanced persistent threats (APT), which some web application firewalls (WAF) can miss.
  • RASP tools are primarily used during the operate & monitor phases of the SDLC.

Dynamic Application Security Testing (DAST)

  • DAST tools scan the application from the outside by crawling your web application or API for known web vulnerabilities.
  • The application is scanned over a network connection, so DAST can examine both the network & client-side behaviour.
  • DAST tools can use Selenium scripts to interact with your website or service & find vulnerabilities.
  • DAST tools are primarily used during the test & operate phases of the SDLC.

Self Security Governance Framework

  • Rather than the security team being included in every application release, the security team can provide a framework, covering the use of tools such as SAST, SCA, DAST, IAST & vulnerability remediation metrics.
  • A self-security governance framework can enable speedy & secure application releases.
  • The security team can use centralised reporting to show a continuous assessment of current application vulnerabilities.

Interactive Application Security Testing (IAST)

  • IAST tools operate in the application runtime & analyse application behaviour based on manual or automated tests.
  • IAST tools detect vulnerabilities at runtime & provide detailed insight for developers by highlighting the library or function, & the line of code, where the issue occurred. This enables developers to focus their time & effort on critical findings.
  • IAST tools are primarily used during the code & test phases of the SDLC.


Get in touch via [email protected] for more information.


Protecting your technology, reputation & purse strings.
