SECURITY FRAMEWORK

No one would leave home in the morning with their doors & windows unlocked, so why do organisations potentially do that with their technology? Trust is not a substitute for security.

Our security framework provides complete protection across the SDLC, utilising open source & commercial tooling in order to de-risk your product deployments. It incorporates:

Static Application Security Testing (SAST)

  • SAST tools scan raw source code for coding errors & flaws which could lead to exploitable vulnerabilities
  • SAST tools can also be used to standardise code writing & can work in the developer's integrated development environment (IDE), providing instant feedback
  • SAST tools are primarily used during the code, build & test phases of the software development life cycle (SDLC)

Software Composition Analysis (SCA)

  • SCA tools scan open-source & third-party components for known vulnerabilities. They also provide insight into security & license risks to accelerate prioritisation & remediation efforts
  • SCA tools are primarily used during the build & test phases of the SDLC

Automated Testing

  • Automating application testing is vital for interactive application security testing (IAST) & dynamic application security testing (DAST) products to fully analyse the application before production deployment. If the application is not fully analysed, application vulnerabilities & testing backdoors can be missed, exposing the application & user data
  • Automated testing is primarily used during the test phase of the SDLC

Tool Reporting Consolidation

  • Using multiple tools can create a product backlog nightmare, with several different consoles holding different data & even requiring manual intervention to forward findings to a single ticketing system
  • It's important to plan for this & develop a way to consolidate the defect findings from SAST, SCA, IAST, automated testing & DAST, so that application & product owners can understand & prioritise remedial actions
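The consolidation step above is easier to reason about with a concrete model. The following is an added example, not SQA Consulting's framework code: it normalises records from four tool classes into one schema, merges the same issue reported by more than one tool (here a SQL injection flagged by both SAST and IAST at the same file and line), and orders the result by severity and by how many tools agree. The input shapes are constructed for this example and are deliberately simplified; they are not the real export formats of any SAST, SCA, DAST or IAST product, and the CVE identifier is a placeholder.

```python
"""Consolidate findings from several AppSec tools into one prioritised backlog.

Added example. The export shapes below are constructed and simplified; they are
not the real output formats of any vendor tool.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Common severity scale every tool's own scale is mapped onto.
SEVERITY_RANK = {"critical": 4, "high": 3, "medium": 2, "low": 1, "info": 0}


@dataclass(frozen=True)
class Finding:
    source: str             # tool class that first reported it (SAST, SCA, DAST, IAST)
    rule: str               # rule / CWE / CVE identifier as reported
    location: str           # file:line, package@version, or URL
    severity: str           # one of SEVERITY_RANK's keys
    title: str
    tools: Tuple[str, ...]  # every tool that reported this same finding


# --- constructed sample exports (simplified, not real tool formats) ---
SAST_EXPORT = [
    {"ruleId": "CWE-89", "file": "app/db.py", "line": 42, "level": "error",
     "message": "SQL built from string concatenation"},
    {"ruleId": "CWE-79", "file": "app/views.py", "line": 17, "level": "warning",
     "message": "Unescaped output in template"},
]
SCA_EXPORT = [
    {"vuln": "CVE-PLACEHOLDER-0001", "package": "examplelib", "version": "1.2.3",
     "cvss": 9.1, "summary": "Deserialisation flaw in examplelib (placeholder CVE)"},
]
DAST_EXPORT = [
    {"alert": "CWE-79", "url": "https://app.example.test/search?q=",
     "risk": "High", "name": "Reflected XSS"},
]
IAST_EXPORT = [
    {"cwe": "CWE-89", "file": "app/db.py", "line": 42, "severity": "HIGH",
     "title": "SQL injection observed at runtime"},
]


def _sast_level(level: str) -> str:
    """Map a SAST 'level' (error/warning/note) onto the common scale."""
    return {"error": "high", "warning": "medium", "note": "low"}.get(level, "info")


def _cvss_to_severity(score: float) -> str:
    """Map a CVSS base score onto the common scale using the CVSS v3 bands."""
    if score >= 9.0:
        return "critical"
    if score >= 7.0:
        return "high"
    if score >= 4.0:
        return "medium"
    return "low" if score > 0 else "info"


def normalise(exports: Dict[str, list]) -> List[Finding]:
    """Turn each tool's records into Finding objects on one schema."""
    out: List[Finding] = []
    for r in exports.get("sast", []):
        out.append(Finding("SAST", r["ruleId"], f'{r["file"]}:{r["line"]}',
                           _sast_level(r["level"]), r["message"], ("sast",)))
    for r in exports.get("sca", []):
        out.append(Finding("SCA", r["vuln"], f'{r["package"]}@{r["version"]}',
                           _cvss_to_severity(r["cvss"]), r["summary"], ("sca",)))
    for r in exports.get("dast", []):
        out.append(Finding("DAST", r["alert"], r["url"],
                           r["risk"].lower(), r["name"], ("dast",)))
    for r in exports.get("iast", []):
        out.append(Finding("IAST", r["cwe"], f'{r["file"]}:{r["line"]}',
                           r["severity"].lower(), r["title"], ("iast",)))
    return out


def consolidate(findings: List[Finding]) -> List[Finding]:
    """Merge findings that share (rule, location); keep the highest severity."""
    merged: Dict[Tuple[str, str], Finding] = {}
    for f in findings:
        key = (f.rule, f.location)
        if key not in merged:
            merged[key] = f
            continue
        prev = merged[key]
        sev = max(prev.severity, f.severity, key=SEVERITY_RANK.__getitem__)
        merged[key] = Finding(prev.source, prev.rule, prev.location, sev, prev.title,
                              tuple(sorted(set(prev.tools + f.tools))))
    return list(merged.values())


def prioritise(findings: List[Finding]) -> List[Finding]:
    """Highest severity first; among equals, issues confirmed by more tools first."""
    return sorted(findings, key=lambda f: (-SEVERITY_RANK[f.severity], -len(f.tools), f.location))


def build_backlog(exports: Dict[str, list]) -> List[Finding]:
    return prioritise(consolidate(normalise(exports)))


if __name__ == "__main__":
    for f in build_backlog({"sast": SAST_EXPORT, "sca": SCA_EXPORT,
                            "dast": DAST_EXPORT, "iast": IAST_EXPORT}):
        print(f"{f.severity:<8} {f.rule:<22} {f.location:<40} {','.join(f.tools)}")
```

The merge key of (rule, location) is what makes the two SQL injection reports collapse into one backlog item; the DAST reflected XSS stays separate from the SAST template finding because a URL and a file:line are different locations even though both carry CWE-79. In practice the normalised records would be pushed to the ticketing system from here, so each tool's console no longer has to be checked individually.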

Continuous Integration/Continuous Deployment (CI/CD) Pipelines

  • CI/CD is a method of constantly building, testing & delivering applications through automation within the SDLC. With consistency in the integration process, teams can commit code changes more rapidly, leading to better code quality & a reduction in application release

Runtime Application Security Protection (RASP)

  • RASP tools operate within the application runtime engine & act as an intrusion detection system (IDS) or intrusion prevention system (IPS)
  • RASP can detect, alert on & block advanced persistent threats (APT), which some web application firewalls (WAF) can miss
  • RASP tools are primarily used during the operate & monitor phases of the SDLC

Dynamic Application Security Testing (DAST)

  • DAST tools scan the application from the outside by crawling your web application or API for known web vulnerabilities
  • The application is scanned over a network connection, so the scan can examine both the network & the client side
  • DAST tools can use Selenium scripts to interact with your website or service & find vulnerabilities
  • DAST tools are primarily used during the test & operate phases of the SDLC

Self-Security Governance Framework

  • Rather than the security team being included in every application release, the security team can provide a framework, covering the use of tools such as SAST, SCA, DAST, IAST & vulnerability remediation metrics
  • A self-security governance framework can enable speedy & secure application releases
  • The security team can use centralised reporting to show a continuous assessment of current application vulnerabilities

Interactive Application Security Testing (IAST)

  • IAST tools operate in the application runtime & analyse application behaviour based on manual or automated tests
  • IAST tools detect vulnerabilities at runtime & provide detailed insight for developers by highlighting the library or function & the line of code where the issue occurred. This enables developers to focus their time & effort on critical findings
  • IAST tools are primarily used during the code & test phases of the SDLC


Get in touch via transformation.frameworks@sqa-consulting.com for more information.

Protecting your technology, reputation & purse strings.
