Application Security Maturity Program

Gap Analysis - To start investing in application security, it is necessary to keep in mind what the company already does and what goals it wants to achieve. For better results, a complete application vulnerability assessment is provided, giving a customized analysis of current security practices and of the potential risks to the company's digital assets.

Education - When the company already has an AppSec initiative, it is recommended to establish a training program for the stakeholders. A continuous application security approach requires a customized educational program.

OpenSAMM - The OWASP OpenSAMM (Software Assurance Maturity Model) is a secure development lifecycle framework that structures security practices and assigns each one a maturity level. This framework is used to diagnose and evaluate the company's development process and to set an action plan.

Methodology Control

Secure Software

Deploy Management

Threat Modeling - By means of specialized analysis and specific tools, it is possible to identify the potential risks connected to the software being developed or maintained, producing security requirements to be implemented throughout its development.

Security Requirements - Establish a minimum level of security according to the application's risk, based on mainstream methodologies such as the OWASP ASVS.

Security Architecture - Analyse and revise the security architecture of your application and the technological environment that supports it, recommending models that mitigate the risks linked to the software.

SDL - Implement a secure software development process based on application security best practices.

Security Testing

Code Review - Security analysis of the source code, searching for vulnerabilities that can be fixed before a software launch and significantly reducing risk exposure. Code review relies on human reviewers who analyse and understand the business logic, finding flaws that are not visible on the surface.

SAST/DAST/IAST - Application security testing comprises automated analyses performed by specialized tools.
SAST - Static Application Security Testing scans the source code to identify vulnerabilities without running the application.
DAST - Dynamic Application Security Testing searches for vulnerabilities in the running application by simulating known attack methods from the outside.
IAST - Interactive Application Security Testing instruments the running application so that vulnerabilities are detected from inside the code while it is being exercised by tests or users.

Penetration Testing - A manual security analysis in which pentesters emulate the behavior of an attacker, looking for weaknesses that could be exploited to gain unauthorized access to sensitive data.

Analysis Management


Vulnerability Management

Remediation Workflow - Many security leaders have trouble tracking vulnerability remediation. The most appropriate way to implement a remediation workflow is to track the status of each vulnerability, follow up on the fixes, revalidate the applications, manage the associated risks, share information and keep all stakeholders informed.

Vulnerability Scanning - For a scalable process to identify network vulnerabilities, tools and professional services are provided to perform automated security analysis.

WAF - For a deeper defensive strategy or for virtual patching, it is recommended to set up a web application firewall (WAF). The secret to a successful strategy is balanced tuning: block malicious traffic without disturbing access for legitimate users.