SECURITY FRAMEWORK

No one would leave home in the morning with their doors & windows unlocked, so why do organisations potentially do that with their technology? Trust is not a substitute for security.

Our security framework provides complete protection across the SDLC, utilising open source & commercial tooling in order to de-risk your product deployments. It incorporates:

Static Application Security Testing (SAST)

  • SAST tools scan raw source code for coding errors & flaws which could lead to exploitable vulnerabilities
  • SAST tools can also be used to standardise code writing & can work in the developer's integrated development environment (IDE), providing instant feedback
  • SAST tools are primarily used during the code, build & test phases of the software development life cycle (SDLC)

Software Composition Analysis (SCA)

  • SCA tools scan open-source & third-party components for known vulnerabilities. They also provide insight into security & license risks to accelerate prioritisation & remediation efforts
  • SCA tools are primarily used during the build & test phases of the SDLC

Automated Testing

  • Automating application testing is vital for interactive application security testing (IAST) & dynamic application security testing (DAST) products to fully analyse the application before production deployment. If the application is not fully analysed, application vulnerabilities & testing backdoors can be missed, exposing the application & user data
  • Automated testing is primarily used during the test phase of the SDLC

Tool Reporting Consolidation

  • Using multiple tools can create a product backlog nightmare, with several different consoles holding different data & even requiring manual intervention to send to a single ticketing system
  • It’s important to remember this & develop a way to consolidate the defect findings from SAST, SCA, IAST, automated testing & DAST for application & product owners to understand & prioritise remedial actions

Continuous Integration/Continuous Deployment (CI/CD) Pipelines

  • CI/CD is a method to constantly build, test & deliver apps by automation within the SDLC. With consistency in the integration process, teams can commit code changes more rapidly, leading to better coding quality & a reduction in application release
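The two points above, consolidating findings from several tools into one backlog and making that backlog a gate in the CI/CD pipeline, are shown together in the following added example. It is illustrative code written for this page, not SQA Consulting's framework or any vendor's tooling: the three scanner output shapes, the advisory id, the file paths and the URLs are all constructed, and the gate policy (no critical or high findings) is an assumption rather than a rule the page states. Real SAST, SCA and DAST tools each have their own export formats (SARIF is one common interchange format), so the three adapter functions are the part that would be rewritten per tool; the consolidation, deduplication and gate logic stay the same.

```python
"""Consolidate SAST, SCA and DAST findings into one backlog and gate a CI/CD stage on it.

Added example, not part of the page or SQA Consulting's own framework. The three
scanner output shapes below are constructed for illustration; real tools each have
their own formats, so the adapter functions would be rewritten per tool.
"""
from __future__ import annotations

import hashlib
from dataclasses import dataclass

SEVERITY_RANK = {"critical": 4, "high": 3, "medium": 2, "low": 1, "info": 0}


@dataclass(frozen=True)
class Finding:
    source: str        # tool class that reported it: SAST, SCA or DAST
    severity: str      # normalised to lowercase: critical/high/medium/low/info
    title: str
    location: str      # file:line, package@version or URL
    fingerprint: str   # stable id so repeated scans do not create duplicates


def _fingerprint(*parts: str) -> str:
    """Hash the stable parts of a finding (not the severity, which tools may rescore)."""
    return hashlib.sha256("|".join(parts).encode()).hexdigest()[:16]


def _norm_severity(label: str) -> str:
    label = label.strip().lower()
    return label if label in SEVERITY_RANK else "info"   # unknown labels are kept, not dropped


# Constructed sample outputs (hypothetical formats, not any real tool's schema).
SAST_OUTPUT = [
    {"rule": "sql-injection", "file": "app/db.py", "line": 42, "level": "HIGH"},
    {"rule": "hardcoded-secret", "file": "app/config.py", "line": 7, "level": "MEDIUM"},
]
SCA_OUTPUT = {"vulnerabilities": [
    {"package": "example-lib", "version": "1.2.3", "advisory": "ADVISORY-PLACEHOLDER", "severity": "Critical"},
]}
DAST_OUTPUT = [
    {"name": "sql-injection", "url": "https://app.example/search", "risk": "High"},
    {"name": "missing-security-headers", "url": "https://app.example/", "risk": "Low"},
]


def from_sast(raw: list[dict]) -> list[Finding]:
    return [Finding("SAST", _norm_severity(r["level"]), r["rule"], f"{r['file']}:{r['line']}",
                    _fingerprint("SAST", r["rule"], r["file"], str(r["line"]))) for r in raw]


def from_sca(raw: dict) -> list[Finding]:
    return [Finding("SCA", _norm_severity(v["severity"]), v["advisory"], f"{v['package']}@{v['version']}",
                    _fingerprint("SCA", v["advisory"], v["package"], v["version"]))
            for v in raw["vulnerabilities"]]


def from_dast(raw: list[dict]) -> list[Finding]:
    return [Finding("DAST", _norm_severity(r["risk"]), r["name"], r["url"],
                    _fingerprint("DAST", r["name"], r["url"])) for r in raw]


def consolidate(*batches: list[Finding]) -> list[Finding]:
    """Merge batches from any tools, drop duplicates by fingerprint, order by severity."""
    seen: dict[str, Finding] = {}
    for batch in batches:
        for f in batch:
            # Keep the higher-severity copy if two scans rate the same finding differently.
            cur = seen.get(f.fingerprint)
            if cur is None or SEVERITY_RANK[f.severity] > SEVERITY_RANK[cur.severity]:
                seen[f.fingerprint] = f
    return sorted(seen.values(), key=lambda f: (-SEVERITY_RANK[f.severity], f.source, f.title))


def gate(findings: list[Finding], max_allowed: dict[str, int] | None = None) -> tuple[bool, list[str]]:
    """Pipeline gate: pass only if each severity stays within its allowed count.

    Default policy (an assumption for this example): no critical or high findings.
    """
    max_allowed = max_allowed or {"critical": 0, "high": 0}
    counts = {sev: 0 for sev in SEVERITY_RANK}
    for f in findings:
        counts[f.severity] += 1
    reasons = [f"{counts[sev]} {sev} finding(s) exceed the limit of {limit}"
               for sev, limit in max_allowed.items() if counts[sev] > limit]
    return (not reasons, reasons)


def summary(findings: list[Finding]) -> dict[str, dict[str, int]]:
    """Per-source severity counts, the view a product owner needs for prioritisation."""
    out: dict[str, dict[str, int]] = {}
    for f in findings:
        out.setdefault(f.source, {}).setdefault(f.severity, 0)
        out[f.source][f.severity] += 1
    return out


if __name__ == "__main__":
    # The SAST batch is passed twice to mimic a rescan on the next commit;
    # the fingerprint stops it being counted twice in the backlog.
    backlog = consolidate(from_sast(SAST_OUTPUT), from_sast(SAST_OUTPUT),
                          from_sca(SCA_OUTPUT), from_dast(DAST_OUTPUT))
    for f in backlog:
        print(f"{f.severity:<8} {f.source:<4} {f.title:<25} {f.location}")
    passed, reasons = gate(backlog)
    print("GATE:", "PASS" if passed else "FAIL", reasons)
```

In a pipeline this would run as the last step after the scanners, with a non-zero exit when `gate` fails so the deployment stage does not start; the fingerprint is deliberately built from the stable parts of a finding (rule, file, package, URL) and not from the severity, so a tool rescoring an existing issue updates the backlog entry rather than creating a second ticket.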

Runtime Application Security Protection (RASP)

  • RASP tools operate within the application runtime engine & act as an intrusion detection system (IDS) or intrusion prevention system (IPS)
  • RASP can detect, alert & block advanced persistent threats (APT), which some web application firewalls (WAF) can miss
  • RASP tools are primarily used during the operate & monitor phases of the SDLC

Dynamic Application Security Testing (DAST)

  • DAST tools scan the application from the outside by crawling your web application or API for known web vulnerabilities
  • The application is scanned over a network connection, so DAST can also examine network-level & client-side behaviour
  • DAST tools can use Selenium scripts to interact with your website or service & find vulnerabilities
  • DAST tools are primarily used during the test & operate phases of the SDLC

Self Security Governance Framework

  • Rather than the security team being included in every application release, the security team can provide a framework, covering the use of tools such as SAST, SCA, DAST, IAST & vulnerability remediation metrics
  • A self-security governance framework can enable speedy & secure application releases
  • The security team can use centralised reporting to show a continuous assessment of current application vulnerabilities

Interactive Application Security Testing (IAST)

  • IAST tools operate in the application runtime & analyse application behaviour based on manual or automated tests
  • IAST tools detect vulnerabilities at runtime & provide detailed insight for developers by highlighting the library or function & the line of code where the issue occurred, enabling developers to focus their time & effort on critical findings
  • IAST tools are primarily used during the code & test phases of the SDLC


Get in touch via transformation.frameworks@sqa-consulting.com for more information.

Protecting your technology, reputation & purse strings.
