SECURITY FRAMEWORK

No one would leave home in the morning with their doors & windows unlocked, so why do organisations potentially do that with their technology? Trust is not a substitute for security.

Our security framework provides complete protection across the SDLC, utilising open source & commercial tooling in order to de-risk your product deployments. It incorporates:

Static Application Security Testing (SAST)

  • SAST tools scan raw source code for coding errors & flaws that could lead to exploitable vulnerabilities
  • SAST tools can also be used to standardise coding practices & can run inside the developer's integrated development environment (IDE), providing instant feedback
  • SAST tools are primarily used during the code, build & test phases of the software development life cycle (SDLC)

Software Composition Analysis (SCA)

  • SCA tools scan open-source & third-party components for known vulnerabilities. They also provide insight into security & license risks to accelerate prioritisation & remediation efforts
  • SCA tools are primarily used during the build & test phases of the SDLC

Automated Testing

  • Automated application testing is vital for interactive application security testing (IAST) & dynamic application security testing (DAST) products to fully analyse the application before production deployment. If the application is not fully exercised by the tests, application vulnerabilities & testing backdoors can be missed, exposing the application & user data
  • Automated testing is primarily used during the test phase of the SDLC

Tool Reporting Consolidation

  • Using multiple tools can create a product-backlog nightmare: several different consoles holding different data, some even requiring manual intervention to feed findings into a single ticketing system
  • It's important to plan for this & develop a way to consolidate the defect findings from SAST, SCA, IAST, automated testing & DAST, so that application & product owners can understand & prioritise remedial actions
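As an added illustration of that consolidation step (not SQA Consulting's framework or tooling), the Python below normalises constructed SAST, SCA and DAST exports into one de-duplicated, severity-ordered backlog; the record shapes, package names and CVE ids are assumptions, not any real tool's format.

```python
# Added illustration: merge SAST, SCA and DAST findings into one normalised,
# de-duplicated, severity-ordered backlog. Input shapes are constructed/assumed.
from collections import Counter

SEVERITY_RANK = {"critical": 4, "high": 3, "medium": 2, "low": 1, "info": 0}

def cvss_to_severity(score):
    """Map a CVSS base score onto the shared severity scale used for every source."""
    for threshold, label in ((9.0, "critical"), (7.0, "high"), (4.0, "medium"), (0.1, "low")):
        if score >= threshold:
            return label
    return "info"

def normalise(sast, sca, dast):
    """Convert each tool's native record into one common finding schema."""
    findings = []
    for f in sast:  # SAST: rule + file:line
        findings.append({"source": "SAST", "severity": f["severity"].lower(),
                         "title": f["rule"], "location": f"{f['file']}:{f['line']}"})
    for f in sca:   # SCA: CVE + package@version, severity derived from CVSS
        findings.append({"source": "SCA", "severity": cvss_to_severity(f["cvss"]),
                         "title": f["cve"], "location": f"{f['package']}@{f['version']}"})
    for f in dast:  # DAST: issue name + URL
        findings.append({"source": "DAST", "severity": f["risk"].lower(),
                         "title": f["name"], "location": f["url"]})
    return findings

def consolidate(sast, sca, dast):
    """De-duplicate on (source, title, location) and order by severity for triage."""
    unique = {}
    for f in normalise(sast, sca, dast):
        key = (f["source"], f["title"], f["location"])
        unique.setdefault(key, f)  # keep first occurrence; re-runs repeat findings
    return sorted(unique.values(), key=lambda f: SEVERITY_RANK.get(f["severity"], 0), reverse=True)

def severity_summary(findings):
    """Counts per severity, the figure a product owner wants on one dashboard."""
    return dict(Counter(f["severity"] for f in findings))

# Constructed sample exports (illustrative values; CVE ids are placeholders).
SAST = [{"rule": "sql-injection", "severity": "High", "file": "app/db.py", "line": 42},
        {"rule": "sql-injection", "severity": "High", "file": "app/db.py", "line": 42},
        {"rule": "weak-hash", "severity": "Medium", "file": "app/auth.py", "line": 17}]
SCA = [{"package": "libfoo", "version": "1.2.0", "cve": "CVE-0000-PLACEHOLDER-1", "cvss": 9.8},
       {"package": "libbar", "version": "0.9.1", "cve": "CVE-0000-PLACEHOLDER-2", "cvss": 5.3}]
DAST = [{"name": "Reflected XSS", "risk": "High", "url": "https://app.example/search"},
        {"name": "Missing CSP header", "risk": "Low", "url": "https://app.example/"}]
if __name__ == "__main__":
    for f in consolidate(SAST, SCA, DAST):
        print(f"[{f['severity']:8}] {f['source']:4} {f['title']} @ {f['location']}")
```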

Continuous Integration/Continuous Deployment (CI/CD) Pipelines

  • CI/CD is a method to constantly build, test & deliver apps by automation within the SDLC. With consistency in the integration process, teams can commit code changes more rapidly, leading to better code quality & a reduction in application release time

Runtime Application Security Protection (RASP)

  • RASP tools operate within the application runtime engine & act as an intrusion detection system (IDS) or intrusion prevention system (IPS)
  • RASP can detect, alert & block advanced persistent threats (APT), which some web application firewalls (WAF) can miss
  • RASP tools are primarily used during the operate & monitor phases of the SDLC

Dynamic Application Security Testing (DAST)

  • DAST tools scan the application from the outside by crawling your web application or API for known web vulnerabilities
  • The application is scanned over a network connection & can examine the network & client-side
  • DAST tools can use Selenium scripts to interact with your website or service & find vulnerabilities
  • DAST tools are primarily used during the test & operate phases of the SDLC

Self Security Governance Framework

  • Rather than the security team being included in every application release, the security team can provide a framework, covering the use of tools such as SAST, SCA, DAST, IAST & vulnerability remediation metrics
  • A self-security governance framework can enable speedy & secure application releases
  • The security team can use centralised reporting to show a continuous assessment of current application vulnerabilities

Interactive Application Security Testing (IAST)

  • IAST tools operate in the application runtime & analyse application behaviour during manual or automated tests
  • IAST tools detect vulnerabilities at runtime & provide detailed insight for developers by highlighting the library or function & the line of code where the issue occurred. This enables developers to focus their time & effort on critical findings
  • IAST tools are primarily used during the code & test phases of the SDLC


Get in touch via transformation.frameworks@sqa-consulting.com for more information.

Protecting your technology, reputation & purse strings.
