Software Quality Security Assessment


This service expands the Software Quality Test Assessment's scope with cybersecurity concerns. Thus, we start with the same QTA methodology and add further application security activities. In addition, this service incorporates the basic notions of Threat Modelling and the Software Assurance Maturity Model of the Open Web Application Security Project® (OWASP). Drawing on the literature of these resources, we can attain a more formal and structured coverage of security concerns.

To maximise the benefits of this service, we need specific technical sessions with the development team. Within those sessions, we offer concepts and tools to improve the security culture from the first interactions. Thus, while doing this security assessment, we share important tips, designs and security-related literature to enhance the organisation's security culture from day one.

The outcome of this QST Assessment will be a full and detailed report on the security and quality problems within the SDLC processes. In much more detail, we aim to highlight the limitations preventing the organisation from fixing vulnerabilities and from reaching higher levels of quality in its solutions.

Usual estimated time: please get an accurate estimate here

Type of activities:

  • Same as QT Assessment plus the following.
  • Entire Threat Modelling exercise with a minimum of 3 sessions.
  • Evaluation of the organisation’s existing software security practices.
  • Define a balanced software security program.
  • Define the primary deficiencies of the security-related activities in the SDLC.
  • Conduct samples of technical security code reviews.
  • Review of some technical activities that implement security by design within the SDLC:
    • Automatic scanning of vulnerabilities in third-party libraries.
    • HTTPS for all communications.
    • Use of identification and access tokens, e.g. PASETO (Platform-Agnostic SEcurity TOkens).
    • Always encrypt and protect secret variables, keys and sensitive data.
    • Verify security aspects in the continuous integration and deployment pipeline.
    • Introduce techniques to slow down attacks, e.g. rate limiters.
    • Use rootless docker mode.
    • Use time-based security, e.g. send alerts on user actions.
    • Automatically scan tool settings and cloud configuration environments.
    • Apply the 4Cs method of cloud security (Cloud, Cluster, Container, and Code).

Sample questions:

  • What is the team's awareness of the OWASP Top 10 project?
  • Who might be interested in attacking the systems or applications?
  • What kind of security countermeasures do we have in place?
  • What and where are all our technical assets?
  • What are our security assumptions?

Goals:

  • Provide a reference level within the OWASP Software Assurance Maturity Model.
  • Deliver a full report of the Threat Modelling exercise.
  • Provide an accurate level within the Test Maturity Model.
  • Provide the foundations about Software Quality concepts and literature.
  • Highlight technical deficiencies which directly impact performance and quality.

Based on the particular organisational needs, we can quickly agree on more specific goals for the assessment.


Send us any question here, or book your FREE 30-minute S.Q. Orientation here.