By coaching your teams, T&VS can provide them with the knowledge they require to start incorporating security throughout the project life-cycle and to focus on delivering applications that do what you want them to, while stopping attackers from doing what they want to.
The T&VS security coaching solution is tailored to the needs of the individuals in your project teams. Rather than disrupting your current development schedules by sending them away on abstract training courses, it keeps your teams working productively while they acquire the skills required to design, code and test applications that are resilient to attack.
The Design Problem
Design flaws account for 50% of software security issues (IEEE Centre for Secure Design).
The T&VS Solution
Introduce security coaching for architects, analysts, and project managers. Review and make recommendations with regard to the SDLC process, policies, standards, threat modelling, and design specifications for trust, authentication, access control, validation, cryptography, data, usability, component integration, and maintenance.
Architect it right from the start.
The Coding Problem
The Massachusetts Institute of Technology Research (MITRE) has identified 700 kinds of software security weakness, yet 60% of developers are not concerned about security. 96% of applications contain vulnerabilities with a median of 14 per application (Cenzic).
The T&VS Solution
Introduce secure code and database coaching for technical leads, developers, and DBAs. Review and make recommendations with regard to:
- Static and dynamic scanning for vulnerabilities
- Manual code inspection
- Reviews of technical controls for authentication, authorization, session management, input validation, output encoding, error handling, deployment, patching, and cryptography
- Reviewing code for vulnerabilities (buffer overflows, OS injection, SQL Injection, data validation and protection, cross-site scripting, cross-site request forgery, logging, session integrity, race conditions)
- Database security
- File management
- Memory management
- Reviewing framework-specific issues
- Coding self-aware application sensors.
Ensure your teams are building secure applications.
The Testing Problem
If an organization can’t test for security in the applications it develops, it should be no surprise if those applications contain vulnerabilities that will be found and exploited by malicious persons sooner or later.
The T&VS Solution
Secure testing coaching for test managers and testers. Review and make recommendations for identifying security test requirements, including:
- Information gathering
- Analyzing application security
- Testing configuration management
- Testing client-side and server-side controls
- Testing authentication
- Testing session management
- Testing logic flaws
- Testing access controls
- Testing input vulnerabilities
- Testing function-specific vulnerabilities
- Testing shared hosting vulnerabilities
- Testing application server vulnerabilities
- Testing DOM-based attacks
- Validating local privacy
- Testing SSL ciphers
- Testing same-origin configuration
- Testing information leakage
- Security testing tools
- Using fuzzing
- Understanding perimeter defences
- Penetration testing
- Identification of security tests that can be done in-house and directing specialist testing of those which cannot (yet).
Demonstrate that your applications are secure.