Application Security for Small and Medium Businesses
In order to integrate information security into every fiber of your web application development project, we suggest implementing our roadmap, an expanded variant of the OWASP Software Assurance Maturity Model (SAMM) combined with specific industry best practices for application security and DevSecOps. Our roadmap provides high-level guidance that is not organized by priority. In practice, we always focus first on the changes that deliver the biggest contribution and effect in the least amount of time.
Our goal is to integrate security into your project so that security becomes everyone’s responsibility and not just the security department’s. To do that, we suggest developing specific security-focused individuals inside your project. This does not mean that employees will be reassigned from development to security, but that we will develop their potential and skill set so that they are security-focused in their day-to-day activities. Ultimately this will directly contribute to their specific, original field of work. It also means that the ideal candidates are those who are interested in becoming more security-focused in their craft, rather than people to whom that responsibility is arbitrarily assigned inside the organization. To achieve this, we will train your internal staff and, in parallel, operate as an external application security support team that provides proof-of-concept implementations and expertise.
Integrating security is a complex undertaking that requires very distinct skill sets, and we suggest starting with three roles and three (or more, if possible) candidates. The candidates can be recruited from the current teams if specific members want to become more security-focused, or we can recruit horizontally or vertically from inside the organization. The roles can also be filled by employing additional team members with specific skills, but this is not mandatory.
The common goal is internal expertise development, in the following specific roles that will cover the areas of:
- Governance and architecture
- Application development
- DevOps and infrastructure
Governance and Architecture
In order to design secure systems, information security needs to be a product design requirement and should be measured and tracked. To do that, one role is a governance specialist in a management position who will lead the application security process and will cover the following domains:
- Lead security design, architecture and requirements definition, and reviews
- Manage the project's information security strategy
- Manage security policies and best practices
- Manage project compliance requirements
- Manage and define design requirements
- Manage the security operations inside the project
- Define and track specific security metrics
- Perform threat models and risk assessments for specific elements of the system
- Organize training, education and guidance
- Collaborate in the definition and design of a secure architecture
- Collaborate in design reviews
Application Development
Secure code is written by developers who are security conscious and have the skill set required to write it. To achieve this, all developers need to be trained in secure development practices, but specific developers need deeper application security skills in order to cover the following domains:
- Implement specific application-level mitigations
- Perform security-focused code reviews and application security verification
- Define and verify application security requirements
- Collaborate in the definition and design of a secure architecture
- Collaborate in design reviews
- Triage specific application security vulnerabilities
DevSecOps and Infrastructure
In order to improve the security of deployed code and automated infrastructure, SAST (Static Application Security Testing) and DAST (Dynamic Application Security Testing) tools are integrated into the deployment pipeline so that vulnerable code is caught before developers ship it. In addition, specific hardening and best practices need to be deployed from hardened templates and infrastructure provisioning methods. DevOps will be enabled with security-specific skills in order to cover the following areas:
- Implement specific infrastructure mitigations
- Operate SAST/DAST tools inside CI/CD processes
- Deploy specific environment and infrastructure hardening as code or templates
- Perform security reviews of the infrastructure
- Optimize DR/HA (disaster recovery / high availability) processes by deploying infrastructure as code
- Operate the security monitoring solutions inside the infrastructure
- Collaborate in the definition and design of a secure architecture
- Collaborate in design reviews
In addition to developing your internal practice, we can act as a trusted third-party advisor that performs the following services inside your organization while we build the same capability within it:
Secure Design, Architecture and Threat Modeling
PreCog Team performs secure design, architecture and threat modeling from several perspectives. The first is to analyze your internal processes and systems for vulnerabilities or potential issues, with the goal of mitigating risk before it becomes a problem and catching problems at the specification or design stage of the project. The second is to design an architecture, or define the specific set of controls a system needs, so that it is secure by default; in this way, we help you design secure systems before they are developed. The third is to serve as a third-party advisory service, analyzing whether third-party solutions mitigate vulnerabilities and whether they are developed according to current industry standards and best practices.