Our security framework provides complete protection across the SDLC, utilising open source & commercial tooling in order to de-risk your product deployments. It incorporates:
Static Application Security Testing (SAST)
- SAST tools scan raw source code for coding errors & flaws which could lead to exploitable vulnerabilities
- SAST tools can also be used to standardise code writing & can work in the developer's integrated development environment (IDE), providing instant feedback
- SAST tools are primarily used during the code, build, & test phases of the software development life cycle (SDLC)
Software Composition Analysis (SCA)
- SCA tools scan open-source & third-party components for known vulnerabilities. They also provide insight into security & license risks to accelerate prioritisation & remediation efforts
- SCA tools are primarily used during the build & test phases of the SDLC
Automated Testing
- Automating application testing is vital for interactive application security testing (IAST) & dynamic application security testing (DAST) products to fully analyse the application before production deployment. If the application is not fully analysed, application vulnerabilities & testing backdoors can be missed, exposing the application & user data
- Automated testing is primarily used during the test phase of the SDLC
Tool Reporting Consolidation
- Using multiple tools can create a product backlog nightmare, with several different consoles holding different data & even requiring manual intervention to send to a single ticketing system
- It’s important to remember this & develop a way to consolidate the defect findings from SAST, SCA, IAST, automated testing & DAST for application & product owners to understand & prioritise remedial actions
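As an added illustration of the consolidation step above (example code, not part of the framework or any vendor's export format): three constructed exports from hypothetical SAST, SCA & DAST consoles are normalised into one schema, exact duplicates from re-scans are dropped, & the backlog is ordered so owners see critical items first. The field names, the `SAST_LEVELS` mapping & the sample records are assumptions.

```python
# Added example, not the framework's own code: consolidating findings from
# separate SAST, SCA & DAST consoles into one prioritised backlog.
# All three export formats below are hypothetical, constructed samples.
from dataclasses import dataclass

SEVERITY_RANK = {"critical": 4, "high": 3, "medium": 2, "low": 1, "info": 0}
SAST_LEVELS = {"error": "high", "warning": "medium", "note": "low"}  # assumed
CVSS_BANDS = [(9.0, "critical"), (7.0, "high"), (4.0, "medium"), (0.1, "low")]

@dataclass(frozen=True)
class Finding:
    tool: str        # which scanner raised it
    severity: str    # normalised to a SEVERITY_RANK key
    title: str
    location: str    # file:line, package@version, or URL

def cvss_to_severity(score: float) -> str:
    """Map a CVSS v3 base score to its qualitative rating band."""
    return next((name for floor, name in CVSS_BANDS if score >= floor), "info")

def consolidate(sast: list, sca: list, dast: list) -> list:
    """Normalise each tool's records, drop exact duplicates, order by severity."""
    findings = set()  # frozen dataclass is hashable, so re-scan duplicates collapse
    for r in sast:
        findings.add(Finding("SAST", SAST_LEVELS.get(r["level"], "info"),
                             r["rule"], f'{r["file"]}:{r["line"]}'))
    for r in sca:
        findings.add(Finding("SCA", cvss_to_severity(r["cvss"]),
                             r["id"], f'{r["package"]}@{r["version"]}'))
    for r in dast:
        findings.add(Finding("DAST", r["risk"].lower(), r["name"], r["url"]))
    # Highest severity first; tie-break on tool name for a stable listing
    return sorted(findings, key=lambda f: (-SEVERITY_RANK[f.severity], f.tool))

# Constructed sample exports; the repeated SAST record simulates a re-scan.
SAST_EXPORT = [
    {"rule": "sql-injection", "level": "error", "file": "app/db.py", "line": 42},
    {"rule": "sql-injection", "level": "error", "file": "app/db.py", "line": 42},
    {"rule": "hardcoded-secret", "level": "warning", "file": "app/cfg.py", "line": 7}]
SCA_EXPORT = [{"package": "examplelib", "version": "1.2.0", "cvss": 9.8,
               "id": "ADVISORY-ID-PLACEHOLDER"}]
DAST_EXPORT = [{"name": "Reflected XSS", "risk": "Medium",
                "url": "https://app.example/search"}]

if __name__ == "__main__":
    for f in consolidate(SAST_EXPORT, SCA_EXPORT, DAST_EXPORT):
        print(f"{f.severity:8} {f.tool:4} {f.title:18} {f.location}")
```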
Continuous Integration/Continuous Deployment (CI/CD) Pipelines
- CI/CD is a method to constantly build, test & deliver apps by automation within the SDLC. With consistency in the integration process, teams can commit code changes more rapidly, leading to better code quality & a reduction in application release
Runtime Application Security Protection (RASP)
- RASP tools operate within the application runtime engine & act as an intrusion detection system (IDS) or intrusion prevention system (IPS)
- RASP can detect, alert & block advanced persistent threats (APT), which some web application firewalls (WAF) can miss
- RASP tools are primarily used during the operate & monitor phases of the SDLC
Dynamic Application Security Testing (DAST)
- DAST tools scan the application from the outside by crawling your web application or API for known web vulnerabilities
- The application is scanned over a network connection, so the scan can examine network & client-side behaviour
- DAST tools can use Selenium scripts to interact with your website or service & find vulnerabilities
- DAST tools are primarily used during the test & operate phases of the SDLC
Self Security Governance Framework
- Rather than being included in every application release, the security team can provide a framework covering the use of tools such as SAST, SCA, DAST & IAST, together with vulnerability remediation metrics
- A self-security governance framework can enable speedy & secure application releases
- The security team can use centralised reporting to show a continuous assessment of current application vulnerabilities
Interactive Application Security Testing (IAST)
- IAST tools operate in the application runtime & analyse application behaviour based on manual or automated tests
- IAST tools detect vulnerabilities at runtime & provide detailed insight for developers by highlighting the library, function & line of code where the issue occurred, enabling developers to focus their time & effort on critical findings
- IAST tools are primarily used during the code & test phases of the SDLC
Get in touch via transformation.frameworks@sqa-consulting.com for more information.