EMBEDDED APPLICATION SECURITY SERVICE
(EASy Service - Secure SDLC)
So, you have your development pipeline in place (or need help getting it in place). You know you want to conduct automated secure code reviews and dynamic analysis (automated application security testing) as part of your pipeline prior to deployment. But boy is it painful. WAY TOO MANY FALSE POSITIVES! Trying to get meaningful results, quickly, to your team to fix, is difficult. Just getting it running is painful!
We know that it can be painful, but tap into our experience and let us offload this from you. We can embed our experts in your pipeline to get quality testing, with only true security issues fed into your existing issue tracking system.
How does our EASy Service work?
Let’s take an example:
Company Alpha (not real name) wants to regularly integrate security into their SDLC and they have had trouble hiring AppSec Engineers to help with the process. They engaged with us and now:
- Based upon their timelines and needs, they decided that weekly scanning of all of their applications is sufficient.
- Every week the code for each of their applications is securely retrieved from GitHub and is scanned with a static analysis tool.
- The results for each of the scans are reviewed by our experts and the false positives are eliminated, and true positives are flagged and imported into Company Alpha’s issue tracking system (here, Jira). Developers and Managers use the tools they are already familiar with, nothing new to learn or additional processes to incorporate.
- Some applications are more sensitive and it was desired to do weekly automated dynamic assessments against the running application since dynamic and static assessments have their own strengths and weaknesses, and the most thorough reviews utilize both mechanisms
- As part of their DevOps pipeline the company deploys an updated version of their sensitive applications to a non-production server accessible by Cypress.
- On a weekly basis, each of the running applications is dynamically scanned and only true positive issues are entered into the issue tracking system
- All issues entered into Jira provide a description of the issue and recommendations on how to remediate them.
- Our AppSec experts also take part in architectural, design and remediation discussions as needed.
As you can see, Company Alpha now has a strong, integrated Security pipeline. They have elevated from DevOps to DevSecOps and know that they have a strong security program at a fraction of the cost of a traditional AppSec team.
BRANDS THAT TRUST US
WHY CHOOSE US?
Our security engineers all come from a development background. WE KNOW APPSEC!!!
We routinely train others in AppSec and speak worldwide on AppSec.
Our application security specialists regularly instruct for large corporations and global training institutions. We teach developers and organizations on how to properly secure applications as you develop them.
We are all developers and we understand code.
We aren’t only experts in security, we also know how applications are (and SHOULD be) built securely. So reach out and we can work with you.
