Security Architecture and Design
One of the most important phases in the systems development life cycle (SDLC) is the architecture and design phase. During this phase, system specifications are translated into architectural blueprints that can be coded during the coding phase that follows.
Attack surface evaluation using threat models and misuse case modeling, control identification, and prioritization based on risk to the business or mission are all essential software assurance processes.
InterSec has expertise in implementing NIST Special Publication 800-27, “Engineering principles for information technology security” provides various IT security principles to be considered in the design, development, and operation of an information system.
Without properly understood, well-documented, and tracked software requirements, one cannot expect the software to function without failure or to meet expectations. Software development projects that lack security requirements can potentially suffer from the threats to confidentiality, integrity and availability.
Properly defining and documenting Security and Privacy requirements makes the measurement of security objectives or goals once the software is ready for release or accepted for deployment.
Secure coding involves defensive coding techniques and processes, covers code analysis and code protection techniques.
InterSec has helped several clients develop programming language specific secure coding guidelines, best practices, checklists and in some cases integrated secure code assist tools with the developers IDE to develop secure code.
Secure SDLC covers the various people, processes and technology elements of developing software securely throughout the entire lifecycle of an application project.
InterSec has helped organizations implement customized Security and Privacy tasks, activities, RACI matrix and checkpoints throughout their SDLC process to ensure Security is baked into the applications from the ground up.
DevOps refers to the “integration of development, IT operations, security, and quality assurance under a single automated umbrella”. In short, it is a cross-business effort to turn software development on its head with shorter cycle times, faster testing times, more automation – and better and more secure code. DevSecOps is the process of involving information security in all parts of application development.
InterSec has experience integrating static code analysis tools into the Continuous Integration/Continuous Delivery (CI/CD) process to better enhance the secure code delivery process. We have expertise in DevOps tools such as Puppet, Chef, Ansible and CI/CD frameworks and tools such as AWS, Maven, Gradle, Jenkins, GitHub, SonaType Nexus, HP Fortify, IBM AppScan Source, BlackDuck Software, SonarQube, etc.
An application security assessment looks at your application and reports on weaknesses found.
We have developed a commercial and public sector tested vulnerability assessment methodology to carry out a thorough and quality web application security assessment. We are NOT a scan shop. We employ automated and manual techniques to discover security flaws, map them to Common Attack Pattern Enumeration and Classification (CAPEC) and the Common Weakness Enumeration (CWE) to standardize on the security defect classification, document them in a defect tracking system and work with the application development team to remediate them.