
Secure Development Life Cycle Coach Service

A decade of infrastructure and network hardening has pushed hackers up the technology stack to exploit application security vulnerabilities as the easiest entry to your critical business systems. Gartner formulates this as, “Perimeters and firewalls are no longer enough; every app needs to be self-aware and self-protecting”.

However, the IT industry in general has not matured its application security capabilities. Application security is for many vendors and organizations still a secondary concern until a security or data breach in their systems is detected. However, companies can no longer afford this approach as the EU General Data Protection Regulation imposes substantial fines on data leaks of personal information. NNIT is responding to this challenge by launching a Secure Development Life Cycle Coach Service.

"With the increased focus on security, the evolving threat landscape, and the risk of substantial fines in the event of a data breach, having a secure development life cycle or DevSecOps approach that promotes security from requirement to retirement is a must."

Secure Development Life Cycle Coach Service

The purpose of the Secure Development Lifecycle Coach Service is to guide your company through the implementation of current best practices in secure software development in order to protect your business from the consequences of a data breach. 

The service is tailored for companies with in-house IT development teams that are challenged by the increasing security and privacy demands imposed by the evolving threat landscape and the EU General Data Protection Regulation. 

The goal of the service is to increase the security and privacy assurance level of software developed by IT development teams, by adding security and privacy best practices to the existing in-house software development process. Therefore, the aim is not to replace the existing processes, but to extend and enhance. For DevOps teams that means making security a centerpiece in your approach to create DevSecOps. 

The service uses a risk-based approach in order to balance cost versus benefit during implementation of the secure development life cycle.

Key Activities

The following sections describe the key activities in the Secure Development Life Cycle Coach Service. However, the service can be tailored to meet your business needs.

Stakeholder interview

The first activity in the service is to conduct a stakeholder interview in order to clarify the primary business concerns in the areas listed below:

  • Protection of critical business systems and data

  • Protection of personal data

  • Compliance with laws & regulations

Secure Development Gap Analysis

A gap analysis of the current software development processes is conducted to uncover potential weaknesses and improvement opportunities. The gap analysis covers all phases of the software development life cycle from requirement to retirement.

Development Team Workshop

A workshop is conducted with the in-house development teams in order to verify the findings from the gap analysis and discuss the possible mitigations and their consequences. The Secure Development Life Cycle Coach uses the workshop to gauge the impact of implementing various security and privacy development best practices.

Risk Analysis & Recommendations

Building on the gap analysis and the development team workshop, a risk analysis with recommendations is produced and presented to the stakeholders. The recommendations focus on the most cost-effective ways to enhance the existing in-house development process with secure development best practices that counter the security, privacy, and compliance risks exposed by the gap analysis.

Secure Development Roadmap 

Based on the stakeholder prioritization of the identified risks and recommendations, a secure development roadmap is created to ensure that the chosen secure development best practices are implemented in a manner that safeguards the continued productivity of the development teams.

On-site Coaching & Implementation Guidance

During the implementation of the roadmap, the coach provides guidance and hands-on assistance, such as:

  • Providing secure development training for architects, developers, and testers

  • Updating policy and procedure descriptions

  • Conducting security assessments of business-critical applications

Who are we?

The NNIT Application Security Team consists of highly skilled professionals, specialized in designing, implementing, and testing applications with critical security and privacy requirements. It is on that solid foundation in application security that we have condensed the pertinent knowledge of best practices into the Application Security Assessment Service.

Learn more

If you want to learn more about this service, please contact Tahseen Hussain at THUI@nnit.com.