Security Compass https://www.securitycompass.com/ (feed updated Tue, 10 Jan 2023 13:22:06 +0000)

SD Elements 2022.4 Release Update
https://www.securitycompass.com/blog/sd-elements-2022-4-release-update/
Tue, 10 Jan 2023 01:00:28 +0000

Simplify Threat Modeling with Enhancements to SD Elements Threat Modeling Diagrams, Reusable Components, and Advanced Reporting Capabilities

Software threat modeling is a foundational requirement for secure software development. However, many organizations today still struggle to model software applications effectively. Application security experts, who have traditionally led threat modeling exercises, are in short supply. Software developers are now being asked to add threat modeling to their skill set, but most developers are not threat modeling experts, and asking them to take on an additional, vital task can put their release deadlines at risk.

Identifying and mitigating software threats prior to software release is required by the vast majority of organizations that develop software. For example, according to a recent study, 2022 Developer Perspectives on Application Security, 76% of software developers report that their applications cannot be released until threats of specified authority are mitigated. 65% report that addressing threats from the security team is required. To help developers succeed, a better, more developer-centric approach to threat modeling is required.

In response to this need, Security Compass has developed SD Elements, a developer-centric software threat modeling tool that helps software teams take an automated approach to threat modeling at the very beginning of their development cycle, without depending on a scarce security expert. With the release of SD Elements 2022.4, we are making threat modeling easier than ever for application security and development teams. New features now available in SD Elements 2022.4 include the ability to:

  • Generate accurate threat models and collaborate on their application’s design and data flow
  • Reuse existing components along with their identified threats and countermeasures across projects
  • Reduce the level of expertise needed to generate reports
  • Integrate with Snyk Open Source Software Composition Analysis (SCA)
  • Customize SD Elements security content

New and updated security content, just-in-time training modules, and eLearning courses demonstrate Security Compass’ commitment to ensuring software developers have the training and knowledge required to effectively protect their organizations from emerging and existing application security threats.

These new capabilities in SD Elements help software development and application security teams:

  • Improve collaboration between security, software development, hardware engineering, and DevOps teams
  • Improve developer productivity
  • Obtain visibility into the security and compliance state of software across an organization’s entire software portfolio
  • Reduce time and costs associated with demonstrating compliance with multiple security standards and regulations

Updated Threat Model Diagrams

Threat modeling is a foundational exercise in delivering secure software applications. But for threat modeling to be viewed as a value-add activity by both application security and software development teams, the generated threat model diagrams must accurately display the application architecture, including zones and nested zones, and must allow notes to be added to the diagram. Application security and software development teams that use the threat model diagrams need this context to fully understand the system architecture, the threats, and the countermeasures they are required to implement, and to collaborate effectively in securing the software.

Updates to threat model diagrams in the 2022.4 release include the ability to nest zones and add diagram notes. These new features further enhance the threat modeling experience for application security professionals and developers. After generating a threat model, zones can be nested to ensure the diagram matches the organization’s architecture. Diagram notes allow development and application security teams to represent their software application’s design and data flows quickly and easily, as well as add any important notes to the threat model diagram to provide additional context.


Reusable Components Enhancements

“When developers perform a threat model, they begin to recognize what can go wrong in a system. It also allows them to pinpoint design and implementation issues that require mitigation, whether it is early in or throughout the lifetime of the system.” (Threat Modeling Manifesto)

Over time, patterns will reoccur within systems and software, i.e. recurring threats, weaknesses, and their necessary countermeasures. Application security professionals and developers need to be able to reuse these patterns across projects to simplify threat modeling. In prior versions of SD Elements, the process of reusing security patterns found in existing components was manual. Components needed to be manually created in the component library and configured by selecting the appropriate countermeasures.

The latest update to SD Elements reusable components allows application security and development teams to reuse existing components, along with their security patterns, identified threats, and countermeasures, across projects. This improves efficiency between security and development teams by leveraging patterns that have already been identified and addressed in other projects, so teams can focus their attention only on what still needs to be done. When a component is created, it is added to the component library; once it has been activated by an SD Elements administrator, the component, along with its identified threats and appropriate countermeasures, is available to every project in the organization.


Advanced Reporting Enhancements

Prior to the 2022.4 release, SD Elements required a high level of SQL expertise to pull data and generate reports. The majority of stakeholders that work in SD Elements do not possess this skill, which created an over-reliance on SD Elements administrators to generate reports.

Updates to advanced reporting in SD Elements 2022.4 create a much more scalable, secure way to generate reports. New contextual reporting capabilities reduce the level of expertise needed to retrieve, combine, and visualize data, as well as create rich reports. A user can simply choose the type of context their task is based on, and then the appropriate and relevant data points are available for selection.

New Snyk Open Source Integration

The use of open source code plays an integral role in minimizing the time and cost of building applications. Gartner estimates that 90% of organizations rely on open source code in their applications today. Open source projects may seem fully secure, given that they are maintained by a community, but that is not the case: Gartner estimates that more than 70% of applications contain flaws stemming from the use of open source code. Given the widespread use of open source code, software composition analysis (SCA) tools are vital to releasing secure applications.

To address the growing need for SCA tools, SD Elements now integrates with Snyk Open Source (SCA). Snyk Open Source helps minimize open source and other third-party software risks by simplifying security control validation for application security and software development teams. Organizations can now import Snyk Open Source scans into SD Elements. This allows organizations to automatically map their findings to the appropriate tasks in SD Elements and to highlight open source weaknesses and the countermeasures required to address them. To learn more about SD Elements’ 35+ integrations, covering application security software, DevOps tools, infrastructure, and issue trackers, visit the SD Elements Integrations page.

New Custom Task Mapping

In prior versions of SD Elements, customers were unable to perform custom task mapping. SD Elements verification tool integrations, such as SCA, were all built with a default mapping file that connected the findings in an organization’s scan results to the appropriate countermeasure. Because customers could not customize the task mapping for their verification tools within SD Elements, they either had to customize mappings manually, which was time-consuming, or rely on the SD Elements integrations team.

With the new custom task mapping feature now available in SD Elements 2022.4, organizations have the flexibility to overwrite default task mappings and customize SD Elements’ security content to meet their needs. Application security and development teams can append their own security content and even change attributes in their mapping files, such as the confidence level assigned to the mapping between a scan finding and an SD Elements task.

New Security Content

SD Elements 2022.4 now provides the following security content library updates:

  • Azure Kubernetes Services (AKS): New recommended security controls and guidelines help software developers and DevOps teams better secure AKS clusters
  • AWS Services: In addition to the existing coverage of AWS’ infrastructure provisioning services, the SD Elements Content Library now supports the following AWS Services: API Gateway, AWS Cognito, AWS Kinesis, Amazon Kinesis Data Firehose, and AWS Web Application Firewall (WAF)
  • Payment Card Industry Data Security Standard (PCI DSS): New content is now available for the latest version of PCI DSS, v4.0. This includes a compliance report that maps the “Requirements and Testing Procedures” specified in PCI DSS v4.0 to SD Elements tasks and activities. Organizations that process cardholder data can now use this report to identify gaps and/or demonstrate compliance with the PCI DSS standard.
  • New security content is also available for the .NET 6 framework, TypeScript, and Android 12 and 13

Just-in-Time Training (JITT) Updates

New just-in-time training micromodules have been added in SD Elements 2022.4 for Ansible (IaC), along with key updates for .NET 6 and Secure Software Requirements. For a complete list of the 800+ JITT micromodules now available within SD Elements, please see Security Compass’ Training Curriculum. (If you are a current SD Elements customer but do not currently have a JITT subscription and would like to learn more, please contact Customer Success or Book a Demo.)

New eLearning Courses

The following Security Compass eLearning courses are now available:

  • Ansible – Infrastructure as Code (IaC)
  • .NET 6
  • Secure Software Requirements

To learn more about these new courses, as well as the more than 40 other eLearning courses covering application security, operational security, and compliance fundamentals and best practices, visit the eLearning Solutions page.

Learn More

The new SD Elements 2022.4 release helps organizations that develop software save time and money and reduce cyber risk by taking an automated, developer-centric approach to software threat modeling, secure development, and compliance. This approach enables software developers and security teams to:

  • Continuously model threats at scale
  • Proactively write code that significantly reduces risks and remediation costs
  • Demonstrate compliance with secure software development standards more easily
  • Accelerate software time to market

If you are a current SD Elements customer, please reach out to your Customer Success Manager to learn more.

If you are new to SD Elements, request a demo to learn more.

The post SD Elements 2022.4 Release Update appeared first on Security Compass.

SD Elements support for EO 14028, “Improving the Nation’s Cybersecurity”
https://www.securitycompass.com/blog/sd-elements-support-for-eo-14028/
Thu, 01 Dec 2022 20:25:22 +0000

In May 2021, the White House issued Executive Order (EO) 14028, “Improving the Nation’s Cybersecurity.” The order was a response to the growing number of cyberattacks on supply chains and critical infrastructure. These incidents, including the ransomware attack on Colonial Pipeline, the breach of SolarWinds Orion, which is used to manage organizations’ IT stacks, and the Microsoft Exchange Server hack, brought into focus the need to improve software security across the government.

EO 14028 is intended to improve the security of the software used by the US Federal government. “Software” under EO 14028 includes “firmware, operating systems, applications, and application services (e.g., cloud-based software), as well as products containing software.” The EO directed the National Institute of Standards and Technology (NIST) “to identify existing or develop new standards, tools, and best practices for complying with the standards, procedures, or criteria” for EO-critical software use. It further directs the Office of Management and Budget (OMB) to require all federal agencies to comply with the security measures guidance.

Required Security Standards for EO 14028

The Executive Order recognizes that security is not the sole responsibility of development teams. Accordingly, it also provides guidance for verification (testing) of software and best practices for operating critical software.

Software Development

Prior to the issuance of EO 14028, NIST had already published its Framework for Improving Critical Infrastructure Cybersecurity, as well as version 1 of the Secure Software Development Framework.

However, in response to the directives in the EO, in February 2022 NIST issued an updated version of the latter. Special Publication (SP) 800-218, Secure Software Development Framework (SSDF) Version 1.1: Recommendations for Mitigating the Risk of Software Vulnerabilities, includes mappings to other security requirements, including NIST SP 800-53R5: Security and Privacy Controls for Information Systems and Organizations.

The SSDF provides high-level secure software activities for integration into an organization’s Software Development Lifecycle (SDLC). The activities or practices are intended to minimize the number of vulnerabilities in software, mitigate the impact of exploits of undetected or unaddressed vulnerabilities, and “address the root causes of vulnerabilities to prevent future recurrences”.

Guidance published by the OMB in September 2022 requires US agencies to start collecting attestation letters from software vendors for critical software by June 2023 and for all other software by September 2023.

Software Verification/Testing

In 2021 the Department of Commerce published NISTIR 8397: Guidelines on Minimum Standards for Developer Verification of Software for vendors or developers of software sold or licensed to the government. The publication provides eleven recommendations for software verification techniques, the first of which is “Threat modeling to look for design-level security issues.”

To ensure consistency in descriptions of controls and best practices, the US Department of Defense published the Control Correlation Identifier (CCI). The CCI “allows a security requirement that is expressed in a high-level policy framework to be decomposed and explicitly associated with the low-level security setting(s) that must be assessed to determine compliance with the objectives of that specific security control.”

Software Usage

In October 2021 NIST published its Security Measures for EO-Critical Software Use. It provides guidance to agencies when using EO-Critical software such as applying practices of least privilege, network segmentation and proper configuration. To assist in compliance, the publication maps each Security Measure to references in the NIST Cybersecurity Framework, SP 800-52R5, and other government publications.

How SD Elements Supports EO 14028

When fully implemented, any organization seeking Authority to Operate (ATO) and provide software to Federal government agencies must comply with the requirements of the EO including the SSDF and SP 800-53R5 for security controls and NISTIR 8397 for threat modeling.

Meeting these requirements at scale requires automation. This is particularly true when assessing software (application) threats and required countermeasures. Building threat models manually can require weeks of effort from senior development, security, operations, and compliance personnel. Further, manual threat modeling can be inconsistent as the teams assessing an application and prescribing controls change. As the regulatory environment and threat landscape changes, so too must the model. In modern DevSecOps environments, where requirements can change weekly and teams can push dozens of releases to production daily, manual threat modeling simply does not scale.

SD Elements solves this problem by automating the threat modeling process and shrinking the time required from weeks to hours. It takes a developer-centric approach to threat modeling that is not totally reliant on scarce security resources. SD Elements starts with a brief questionnaire describing the software project, including the technology stack and frameworks, the deployment environment, and the dozens of regulatory standards to which the application may be subject. From this, SD Elements generates a complete list of known threats, controls, and countermeasures. Integrations with issue trackers like JIRA, ServiceNow, and Microsoft Azure DevOps deliver requirements – including code samples and test plans – directly to the individuals responsible for implementation.

SD Elements’ newest release covers the regulatory guidelines and requirements of EO 14028. In addition to the SSDF, SP 800-53, and dozens of other standards, it provides new content for the Control Correlation Identifier (CCI), Security Measures for EO-Critical Software Use, and Guidelines on Minimum Standards for Developer Verification of Software (NISTIR 8397). These map the threat modeling standards recommended by NIST to verification tasks in SD Elements and allow users to generate compliance reports for them just as they would for our other supported regulations.

You can learn more about the capabilities of SD Elements and our newest release here.

The post SD Elements support for EO 14028, “Improving the Nation’s Cybersecurity” appeared first on Security Compass.

The Value of Contextual Learning for Developers
https://www.securitycompass.com/blog/the-value-of-contextual-learning-for-developers/
Wed, 30 Nov 2022 20:25:53 +0000

There are two primary sources of vulnerabilities in software. The first – design flaws – results from poor architectural decisions. These can include assuming an entity is trusted, failing to check a user’s authorizations after authentication, and other common errors. Many design flaws can be avoided through threat modeling.

The second source of vulnerabilities is coding errors. Coding errors can result in vulnerabilities in the open-source components organizations use, of course. However, our focus today is on coding errors in the custom software written by internal development teams.

Coding errors occur when a developer is either unaware of secure coding best practices or forgets them due to pressure to deliver functionality. This is why security standards such as the Payment Card Industry Data Security Standard (PCI DSS) require organizations to train software development personnel on secure coding.

Traditional Training Isn’t Working

The idea is simple. Training developers on secure coding practices will reduce vulnerabilities. When done correctly, everyone wins. Developers improve their skills while eliminating unexpected security rework and customers gain confidence in their supply chain. In practice, many organizations miss the benefits by treating training as an event instead of a process.

The PCI requirement mandates training “at least once every 12 months.” This leads some organizations to require that developers complete a single online training course annually. While this meets the minimum PCI DSS requirement, it is ineffective. As we have previously written, without reinforcement, students forget 35 percent of a lesson on the first day and 75 percent in the first week! Early, repeated support – treating learning as a process – increases retention.

Wise development leaders recognize that limited training communicates to teams that professional development is not a priority. However, our 2022 DevSecOps Perspectives on eLearning found that the average amount of time spent annually on application security learning amounts to just two and a quarter (2.25) days per year. This is not a good retention strategy when 87 percent of millennials believe “professional or career growth and development opportunities” are important to them. Another study found that “40 percent of employees who receive poor job training leave their positions within the first year.”

How Employees Want to Learn

Since a motivated student is a better student, our research on employee training focused on how employees want to learn. The 2022 Developer Perspectives on Application Security study found:

  • Training should meet the developers where they work: 27 percent want training embedded in their tools, and 26 percent want firsthand examples and exercises. Only 5 percent preferred in-person lessons.
  • Training should be on demand: Overall, only 16 percent of developers believed the best time to do training was “at a time designated by the organization.” 81 percent preferred “on-demand” training when starting a new task, encountering a coding problem, or addressing vulnerabilities.
  • Training should be geared to the role: 72 percent want vendor or technology-specific training to help them perform their jobs. This also requires training that is contextual and relevant to specific tasks. 
  • Work/life balance is part of the equation: 68 percent of employees prefer to learn at work. A majority – 58 percent – prefer to learn at their own pace.

How Security Compass Helps

Security Compass takes a developer-centric approach to learning, combining our secure coding expertise and modern instructional design to deliver training to developers where they work and when they need it. We offer dozens of role-specific courses covering the entire SDLC, ranging from security basics to deep-dive classes and learning paths for specific coding languages. On-demand, interactive training enables your team to access courses at any time and learn at their own pace.

Our Software Security Practitioner (SSP) Suites are pre-selected sets of courses for specific coding languages or specific roles within the development team and earn accreditation from the International Information System Security Certification Consortium (ISC)2. These courses enable developers to learn foundational elements of software security, language-specific secure coding skills, as well as security skills needed for other roles in the SDLC such as architect, QA, and project management. 

Learner retention can be further enhanced by supplementing our on-demand courseware with SD Elements Just in Time Training (JITT). SD Elements delivers relevant, bite-sized contextual learning directly to the Agile planning tools developers use. Based on the threats and countermeasures surfaced by modeling an application in SD Elements, JITT modules are delivered to developers through their existing workflow, along with code samples and how-tos relevant to the task at hand. Delivering micromodules within the workflow boosts retention of the security concepts taught in on-demand courseware.

You can see more insights from our research on training by downloading our report here.

The post The Value of Contextual Learning for Developers appeared first on Security Compass.

The Human Side of Cyber Security – with Mark Timms
https://www.securitycompass.com/blog/the-human-side-of-cyber-security-with-mark-timms/
Wed, 16 Nov 2022 14:02:31 +0000

The Balancing Act is our podcast series. We speak to leaders and practitioners about the challenges they face and the strategies they use to defend against threats. You can find the entire series here.

Altaz Valani, our Director of Insights Research, recently spoke with Mark Timms. Mark is a Senior Behavioral Scientist at Royal Bank of Canada (RBC). His job is to deliver behavioral science research that helps RBC’s more than 100,000 employees make smarter decisions about how to use technology. Prior to joining RBC, he served (and continues to serve) as an Infantry Officer in the Canadian Armed Forces, and has worked as a Communications Advisor for the Government of Canada, a Defence Scientist for Defence Research and Development Canada, and Manager of Physical Risk at Scotiabank.

You can listen to the entire interview here. Below are some highlights.

His passion is decision science

Mark talks about the writings of James Clear and the desire of humans to fit in with others. This is true in the workplace as well as at home, and can drive safe or unsafe behavior from a security viewpoint. “People want to avoid behaviors that the humans around them will condemn…” This can present challenges to security teams that focus on explaining the technical aspects of a threat without understanding how users “need to receive information that will help them make smarter decisions with technology.”

Work from Anywhere adds challenges

By now, most people know they shouldn’t click on links in emails from unknown senders. However, Mark contends that overconfidence and distractions can cause people to make mistakes. He provides the example of reading email while driving. More important in today’s environment is the impact of employees working from home.

“The boundaries between “work” and “not work” are fudged because…a lot of the activity happens at the same desk in the same room. Bottom line: our distractibility and perhaps the absence of focus or the blurring of lines between “work” and “not work” contributes to suboptimal decisions.”

Security is not always a technical challenge

Organizations need to balance the technical side of solutions with getting workers to take the correct actions in their normal workday. Shaping human behavior needs to speak to the individual. Traditional cybersecurity messaging focuses on things people are not allowed to do. Instead, organizations need to focus on helping people achieve their goals safely. Organizational policies on communications can also deter progress. In Mark’s words: “Lessons identified have a harder time transforming into lessons learned when the only humans who can actually perceive this issue have to go through all kinds of permission granting loops to share that information with other people.”

Security people are like salespeople

Messaging is critical in convincing users to adopt good security practices. He cites the work of Sandra Matz and Michal Kosinski on “psychological targeting”. In essence, “…tailoring a line of persuasion or a message to convince me to do something”. Where a salesperson might be selling a car, his organization is helping “sell smarter decisions with technology”, including making the better security behavior easier for the user. This includes messaging about “why” it is best not to reuse passwords or respond to phishing messages. The key is “to present the exact same call to action [e.g., don’t reuse passwords] to two different types of humans in ways that resonate with those types of humans equally.”

The entire interview is available here.

The post The Human Side of Cyber Security – with Mark Timms appeared first on Security Compass.

Using the Threat Modeling Manifesto
https://www.securitycompass.com/blog/using-the-threat-modeling-manifesto/
Wed, 16 Nov 2022 13:55:21 +0000

We have written before about what threat modeling entails and its many forms. Organizations can take different approaches, particularly when building manual threat models. This is unsurprising. Different organizations have different needs, technology stacks, and expertise.

With the widespread adoption of rapid development methodologies like DevOps, traditional threat modeling became difficult. Taking weeks of senior development and security professionals’ time was incompatible with a strategy of responding quickly to customer needs.

Recognizing the importance of threat modeling – particularly in a rapid development environment – in 2020 a group of 15 experienced threat modelers joined together to redefine threat modeling as core values and principles. The resulting Threat Modeling Manifesto acknowledges there is no single “best” threat modeling process. Instead, it distills the process to answering four key questions:

1. What are we working on? Define the project, its components, and its environment.
2. What can go wrong? Identify the threats to the project, including its deployment environment.
3. What are we going to do about it? Define the threat countermeasures and security controls.
4. Did we do a good enough job? Validate that the countermeasures are implemented properly and work as designed.

Why you should care about Threat Modeling 

Threat modeling allows teams to anticipate weaknesses in an application that an adversary could exploit and to identify countermeasures and controls that mitigate those weaknesses. These countermeasures and controls become non-functional security requirements that development and operations can implement alongside the functional product requirements. This proactive approach reduces the number of vulnerabilities that would otherwise be identified by security testing later in the development process (or completely overlooked!).

How to use the Threat Modeling Manifesto 

The Manifesto is not prescriptive regarding how one should answer the four key questions. Rather, it relies on guiding values, principles, and beneficial patterns for performing threat modeling.

Meeting the values can require organizations to change the way they think about threat modeling. Successful programs are not rigid and fixed. Rather than meeting minimum compliance requirements, the first value recommends building “a culture of finding and fixing design issues.” Others recognize that successful threat modeling is a “journey of understanding,” and a need for “continuous refinement” of the process. 

Principles are “fundamental truths of threat modeling.” They help an organization determine how it will approach the task. The principles include using threat modeling early and frequently. Threat modeling must be iterative, because an application’s threat model can quickly become out of date. The principles also recognize that threat modeling exercises will differ depending on the development practices of the organization or team and must be “scoped to manageable portions of the system.”

The Manifesto helpfully provides “patterns” that benefit or inhibit successful threat modeling. Beneficial patterns include taking a systematic approach. To be thorough and repeatable, threat modeling should be a structured process. While the process may change (continuous refinement), it is important to apply organizational knowledge consistently. A second beneficial pattern is to use “tools that allow you to increase your productivity, enhance your workflows, enable repeatability and provide measurability.”

The Manifesto’s “anti-patterns” call out behaviors to avoid. These include the “Hero Threat Modeler,” where organizations assume that threat modeling must be confined to a small group of people with unique skills. Threat modeling requires a diverse team that understands the strengths and weaknesses of programming languages, deployment environments, and internal capabilities. It also requires an understanding of applicable regulatory requirements. In short, “everyone can and should do it.”

How SD Elements helps

Adhering to the principles and beneficial patterns can be challenging when conducting manual threat modeling. Traditional threat modeling can be inconsistent. Output from manual threat models reflects the knowledge and biases of those participating in the exercise. As team members change, the identified threats and controls change as well. Teams often maintain the threats and countermeasures identified in a manual threat model in a spreadsheet or shared document. This provides poor evidence of compliance with corporate policies and regulatory standards.

Organizations require automation and a developer-centric approach to achieve scalable, consistent, and auditable threat modeling. Security resources are scarce across all organizations. The BSIMM 13 report published by Synopsys in 2022 surveyed the application security resources and processes at 130 enterprises. On average, it found 1 software security resource for every 122 developers and 43 applications. 

SD Elements is a developer-centric threat modeling solution that helps organizations extend scarce security resources. It enables self-service threat modeling that identifies weaknesses and compliance requirements at the beginning of a project, then delivers consistent and approved developer-friendly secure coding best practices and countermeasures directly to developers, significantly reducing cyber risks. Developers can quickly update threat models as features and requirements change, without waiting for security resources.

The economic benefits of this approach are significant, increasing developer productivity and reducing security rework later in the development lifecycle. A study by Forrester Consulting found that using SD Elements produced benefits of increased productivity, reduced costs, and avoided vulnerability remediation totaling over $2.8 million and a 332 percent return on investment.

How to start threat modeling in your organization

You can learn more about the different threat modeling methodologies in our white paper: Threat Modeling: Finding the Best Approach for Your Organization. Download it here.

The post Using the Threat Modeling Manifesto appeared first on Security Compass.

7 Key Takeaways from Brad Arkin – A Leader in Product Security
https://www.securitycompass.com/blog/7-key-takeaways-from-brad-arkin-a-leader-in-product-security/
Mon, 31 Oct 2022 19:00:58 +0000

Brad Arkin has been in software security for about as long as software security has been a topic. He helped build the software security practice at Cigital (now part of Synopsys) in the late 1990s, was a technical director at the software security consultancy @stake (later Symantec), spent 12 years in product security at Adobe, ultimately as Chief Security Officer, and is currently Cisco’s Senior Vice President, Chief Security and Trust Officer.

He joined Rohit Sethi, our CEO, on our podcast channel The Balancing Act for our Leaders in Security series. The Balancing Act regularly interviews software security practitioners to discuss the challenges they face in securing their products and environment and how they balance the need for both security and business requirements.

Here are some key takeaways from the podcast. You can listen to it in its entirety here.

1. Brad is a mathematician at heart

He majored in computer science at George Washington University “because I figured it would help me get a job”. He discovered a copy of the first edition of Bruce Schneier’s “Applied Cryptography” during an internship after his freshman year and found the perfect opportunity to combine the two. His first job at Cigital was focused on cryptography topics before he pivoted to software security with Gary McGraw and John Viega.

2. He has seen the evolution of software security from the beginning

In the late 1990s, when Brad was starting his career, security wasn’t on the radar of most organizations. Companies were focused on producing features, and security added cost and time to the process. Many at the time viewed it as “a wasted resource”.

Organizations now are acutely aware of the need for security but can be challenged by multiple priorities. In Brad’s words, the question for security leaders today is “How can I invest resources in a way that’s going to actually move the ball and make me and the people that rely on my software safer over time”. It requires discussions and buy-in from engineering, senior leadership, and security. He doesn’t pretend this is a simple problem and understands the desire to do “something” doesn’t always lead to the correct decision. “I think there’s a lot of activities which naively might seem useful, but they’re not actually productive and making the code more secure.”

3. On meeting customers’ security expectations

Whether the product is shrink-wrapped software, a physical device, Software as a Service, or on-premises, today’s customers expect software to be secure. The problem, Brad explains, is that their expectations are “not always communicated explicitly. They just expect it to be secure”. When it is not, relationships can be damaged and trust difficult to reestablish.

The answer is better communication, in particular if there is a security event. Brad argues for a “no holds barred, honest postmortem about what went wrong, what we are doing differently next” involving the customer and internal teams. Discussions such as these allow teams to “prove you’re working at it and you’ve got a plan”.

4. The role of certifications in security

Brad believes the industry will see more domestic and international standards adopted. Today, the value of a certification may be only as reliable as the company’s efforts and the quality of its auditors. “Some organizations are doing great work. Their controls make sense. The way they’ve implemented it makes sense. [They have] third party attestation where these folks really did a good audit.” Others may have poor controls and questionable auditors. Both, however, have certification. For less experienced customers “it’s hard to tell which [certification] is gold plated and which one is really tarnished.”

5. How to start a product security program

Organizations taking their first steps in building a security program have lots of choices. The key is a leader who is “centrally anointed” by senior management. Next, you need “Embedded security capabilities within the engineering teams that are actually building the product for the customer.” These two teams “…mutually own the security roadmap of activities”.

Next is the discovery phase to identify “relevant security and technical debt within a code base. And then once identified, how do you prioritize and stack rank the different items of improvement that you can invest in that would address the technical debt at a pace commensurate with the risk it represents for the business.”

6. Why CEO and Board relations are critical

Not every security leader reports to the CEO, but Brad believes a good relationship with the CEO – and Board of Directors – is critical. Businesses often engage in a series of tradeoffs between security and business needs. Security leaders need the ability to have an “out-of-band escalation channel” to the CEO and Board about risks and benefits when they believe bad security decisions are being made.

7. Security’s role in the organization

Sometimes conversations with the CEO or the Board will result in the product shipping anyway. This leads to a better understanding of an organization’s appetite for risk. After all, security’s ultimate role is to help achieve business goals. In Arkin’s words:

“If we were to just sit with our back to the customer and do security work all day and not worry about customer problems or the other things the customers want to buy, then that’s not really the point of why we’re all here together. So you have to start to balance security with everything else we’re doing.”

Listen to the full podcast here.

The post 7 Key Takeaways from Brad Arkin – A Leader in Product Security appeared first on Security Compass.

5 Practical Ways Training Can Boost Your Security Program
https://www.securitycompass.com/blog/5-practical-ways-training-can-boost-your-security-program/
Fri, 28 Oct 2022 15:15:54 +0000

Building secure software has never been more important. Globally, organizations spend billions of dollars on tools to identify vulnerabilities in the code they write and use. It’s easy to understand why. Vulnerabilities and misconfigurations in software can result in breaches that cost millions in remediation and damage a company’s reputation. Attacks on vendors in the software supply chain are driving demand for evidence of software security across all market segments.

Testing for vulnerabilities is necessary, but is a reactive solution that identifies issues late in the development process. This can result in teams facing the uncomfortable choice of unexpected delays in releasing products or releasing products with known vulnerabilities. If security is not fully integrated into the development process, it can also result in friction between internal teams.

How Vulnerabilities Enter Software

Vulnerabilities can enter code bases through third-party components or custom code written internally. Vulnerabilities in custom code are usually the result of coding errors. For example, all user input to a running application should be validated to ensure only properly formed data is used. If a developer misses this step, an attacker may be able to execute a SQL injection or cross-site scripting attack.

Teams face two challenges in preventing vulnerabilities in their custom code. The first is organizational; development teams are measured and rewarded for delivering a fixed set of features and functionality by a specific date. Developers are solving difficult engineering problems and focused on functional requirements. Security requirements are rarely part of those (though including them can significantly reduce development costs).

The second challenge is educational. As we’ve previously noted, security coursework is rarely a requirement in computer science degree programs. This means that if you want developers to understand how to build more secure software, you need to have a training program.

5 simple ways training can boost your security program

A security training program helps organizations build better software faster. Like most initiatives, these can be simple at first and evolve over time. Here are five tips for building a successful program.

1. Create security awareness across the organization: Acknowledge the effort required to complete training programs. Often this is achieved through internal recognition and designations of “security champions”. Also, remember that responsibility for security extends beyond security teams and software development. Including role-specific training for development, operations, and general staff also helps instill a security culture.

2. Build healthy secure coding practices: Smart development and security leaders understand that consistency is important. By standardizing and including best practices for each role in your training, you can minimize risk and increase code maintainability.

3. Shift security left: Training is the ultimate shift left. It helps organizations avoid coding errors that introduce vulnerabilities to an application. Ideally, you should include precision training that is accessible whenever the developer needs it – as they are writing code. During busy development sprints, developers are more likely to consume small, concise training topics rather than monolithic courses.

4. Help security and development work together: Over time, silos emerge within any organization. You can improve collaboration and better ensure buy-in by involving development and security in training requirements, selection, and execution. As developers successfully complete training, provide them with opportunities for additional collaboration and assign security champions as a bridge between development and security.

5. Leverage certifications to build customer confidence: While completing a training course is good, completing an independent accreditation program is better. These programs are structured to build on broad fundamentals then focus on the unique needs of the learners. Learners appreciate them as they are “portable.” Customers like them as they demonstrate an organization’s commitment to security. In an industry increasingly concerned with the security of its software supply chain, this can provide organizations with a competitive advantage.

How Security Compass can help

Security Compass delivers a full suite of on-demand application security training solutions supported by research and accredited by (ISC)². Our role-based, eLearning platform meets developers where they are in their knowledge and learning style to ensure they successfully develop and apply secure coding skills. Just-in-Time Training (JITT) within SD Elements, our platform for developer-centric threat modeling and secure software design, includes short videos that engage and educate developers in real-time and support the implementation of security and privacy controls in their environment and workflow.

Training is available for development, operations, and general staff and ranges from security awareness to in-depth role-based and programming language-based learning. Our Software Security Practitioner (SSP) Suites deliver on-demand application security training solutions supported by research and accredited by (ISC)².

You can learn more about our training offerings here.

The post 5 Practical Ways Training Can Boost Your Security Program appeared first on Security Compass.

Top 4 Takeaways from Timo Skytta – A Leader in Product Security
https://www.securitycompass.com/blog/top-4-takeaways-from-timo-skytta-a-leader-in-product-security/
Sat, 22 Oct 2022 14:09:28 +0000

The Balancing Act is our podcast series that hosts interviews with security practitioners on the challenges they face and their personal journeys. As part of the Security Leaders series of The Balancing Act, Security Compass’ CEO, Rohit Sethi, sat down with Timo Skytta.

Timo is a Managing Director and Head of Advisory (Security) for Goldman Sachs. He leads the team in assessing new technology initiatives for risk, partnering with engineers to architect and design secure products and services. Prior to joining Goldman Sachs, Timo held senior technology and security leadership positions at Nokia, HERE, and Verizon Media. During his career, he has built and led software engineering and security teams building and supporting large-scale mobile and internet services.

You will find the entire podcast interesting. Below are some of the highlights.

1. Timo’s broad experience helps his security work

Timo only moved into security in 2009. Before that, he worked in various roles in Europe and the US. After receiving his BSc from Oulu University, his first job was in PC support at IBM, and he spent several years in networking. At Cisco he was frequently working with sales as the customer-facing technical resource. During his nine years with Nokia, he ran engineering teams, led their Internet Standardization initiative, and was Head of Technology Strategy and Management prior to taking on the CISO role. Understanding the scope of business needs and priorities across functional areas provides him perspective in security discussions with stakeholders outside of security.

2. Workload management is a constant pressure

In every team Timo has managed, there has been a constant need to balance workloads. Timo sees workload pressure as more than just the sheer number of tasks security teams must address or staffing shortages. Another factor is the team’s commitment to security. “Most of the security people are very proud of their work and they feel very much that they are responsible for the security of the company’s reputation and individual products. And that also often leads to a way of working where people take their responsibility very seriously, and overload themselves with the work.”

3. Strategies for priority management with product owners

Timo has worked with teams running waterfall and agile development processes, and making sure security is plugged in at the right times and levels is critical. So too is working with product teams to ensure priorities and expectations are understood. One strategy he has used successfully is sprint planning for the product security team. They used “normal software engineering methodology where each one of the engineers has 10 points that they can allocate for the two weeks.” In addition to planning for tickets like official review requests and audits, the team could allocate points (days) for ad hoc or non-ticketed work where they:

“[Allocated time for the sprint] knowing that during the next two weeks you’re going to be…working closely with the engineering team on the design. No reviews, no formal Jira tickets, but you’re going to spend that time on design with them.”

Two benefits resulted. First, it made the workload and priorities known to all personnel involved in product development and security. When extra work or overloading of certain personnel was required, they knew that before the sprint began and when the overloading would end. Second, when unanticipated requests came from product owners or development, they had a plan that was “visible and defensible” to facilitate an informed discussion across the teams and with management. In Timo’s words: “Here are the things we have committed to do for the next two weeks. Which of these things do you think are less a priority than your request, and why?”

4. Leveraging automation to stretch resources

“Automation is key to scaling.” Timo also sees two challenges. The first is the complexity of modern deployments. The second still surprises him; he believes security professionals prefer to check things personally instead of relying on automation. This ties in with his view that security feels personally “responsible for the security of the company’s reputation and individual products”.

His solution is to split the process: apply automation to the projects that can be handled that way, and reserve his key resources for the “core enabling services that build the security and technology foundation for the company and then on those core services that make the money for the company.” Doing this without compromising security required a requirements and review process that development teams could use themselves, along with self-attestation, where development teams “attest to certain in-depth, actionable requirements with evidence that you’ve done what is required [and] the security team do audit checking.”

The requirements for engineering needed to be “Actionable by the engineering team so that they do understand what needs to be done, they have examples of what needs to be done, and they know who to reach out if they still have questions”. Automation works for his teams “because I gave them requirements in their natural environment in a form that they could consume and work with”.

Listen to the entire podcast here.

The post Top 4 Takeaways from Timo Skytta – A Leader in Product Security appeared first on Security Compass.

Why Developers (and Organizations) Need Skills Accreditation
https://www.securitycompass.com/blog/why-developers-and-organizations-need-skills-accreditation/
Fri, 21 Oct 2022 19:27:20 +0000

Everyone knows that the demand for secure software is increasing. While scanning for vulnerabilities can help, it is a reactive solution to the problem. Finding coding errors that result in vulnerabilities late in the development process results in last minute rework, increased technical debt, and delays in releasing software.

A better approach is to build secure code the first time. Most breaches can be prevented using well-known best practices. The problem? Software engineers are trained to deliver functionality first. Computer Science programs focus on learning programming and architecture, with security often an afterthought, even when there are over 600,000 unfilled cybersecurity roles in the US. An article in the Harvard Business Review noted that only one of the US’s top 24 undergraduate programs requires security coursework as a core requirement.

Compliance versus Accreditation

Organizations often treat security training as a compliance issue. For example, the Payment Card Industry Data Security Standard (PCI DSS) requires “Software development personnel working on bespoke and custom software are trained at least once every 12 months” on software security design and coding techniques. This can be accomplished by taking a single, online course.

Annual compliance certification treats training as an activity, not a process. People do not retain knowledge when exposed briefly to information. The Ebbinghaus Forgetting Curve shows that, without reinforcement, students forget over 75% of a lesson in the first week alone.

Organizations that view training as a compliance activity also send a message that security is an obstacle, not a goal.

In contrast, accreditation requires a series of training courses that build on fundamentals, move to more advanced, specialized coursework, and reinforce the learning process through stringent exams. Accreditation is conditional and requires ongoing learning to maintain. When coupled with Just in Time Training while performing tasks, this helps with knowledge retention.

Why Accreditation is Important

The benefits of accreditation to individuals are obvious. Accreditation provides evidence of expertise. It is also portable, making an accredited software engineer more attractive to prospective employers. But accreditation also provides benefits to organizations.

  • Accredited developers demonstrate a commitment to secure development. This can provide organizations with a competitive advantage with customers concerned with supply chain security.
  • Training can introduce security awareness. An accreditation program helps instill security into the software engineering process to build internal security champions and foster a security culture, developing a security mindset from project management to design, development, testing, and implementation.
  • A company-supported accreditation program is an employee benefit. This helps improve recruitment and retention of security-conscious development staff. A recent study shows that employees who believe they have inadequate access to learning and development are two times more likely to leave within a year. Another found that “94% of employees would stay at a company longer if their training and development were invested in.”

Which Accreditations to Consider

Organizations should tailor their accreditation programs to meet the roles and needs of their employees. There are many certifications and accreditations that individuals and organizations can consider. Some organizations develop their own to focus on their unique challenges. Other, more generalized accreditations focus on information security broadly rather than on software development.

For those companies that do not have bespoke credentialing, industry-recognized programs such as those from (ISC)² are best. These have pedagogical rigor and are structured to build on broad fundamentals then focus on the unique needs of the learners, such as Secure Software Development, Cloud Security, and Security Administration and Operations.

Security Compass Provides Industry-Recognized Accreditation

Security Compass enables organizations to train employees to develop secure code without costly AppSec expertise, consultants, or headcount. Our Software Security Practitioner (SSP) Suites deliver on-demand application security training solutions supported by research and accredited by (ISC)². Coursework covers everything from AppSec Fundamentals, Secure Software Design, and Understanding the OWASP Top 10 to advanced, language-specific topics for Python, Node.js, Java, C/C++, and mobile platforms.

Software security is not solely a development team’s responsibility, and neither are training requirements. In addition to developer-focused curricula, our role-based, eLearning platform provides training suites designed for software architects, QA, and project/product managers. It meets developers where they are in their knowledge and learning style to ensure they successfully develop and apply secure coding skills.

Just in Time Training, available with SD Elements subscriptions from Security Compass, complements the SSP Suites, enabling practical application of learning and increased learner retention while they work. These micro-training modules ensure developers have access to credible, up-to-date security training content when they need it – directly from their existing issue trackers such as Jira.

The post Why Developers (and Organizations) Need Skills Accreditation appeared first on Security Compass.

SD Elements 2022.3 Release Update
https://www.securitycompass.com/blog/sd-elements-2022-3-release-update/
Tue, 18 Oct 2022 10:13:39 +0000

Identify and Mitigate Software Threats Faster with New SD Elements Threat Modeling and Advanced Reporting Capabilities

At Security Compass, we continue to enhance our SD Elements developer-centric threat modeling platform.

We designed SD Elements to use a developer-centric software threat modeling process so software teams can quickly take an automated approach to threat modeling right at the beginning of their development cycle — without requiring the expertise of a security expert. Organizations with dedicated application security teams also benefit from the SD Elements automated, developer-centric threat modeling approach, because it frees up application security experts from the more tedious and manual aspects of threat modeling. They can instead focus on more sophisticated attacks and threats, as well as focus on scaling software threat modeling, secure development, and compliance best practices across their organization’s entire software portfolio.

New features now available in SD Elements 2022.3 make it easier than ever before for software developers to see software (application) security threats, where they exist, and exactly where to implement countermeasures to mitigate the threats. New dashboards enable application security teams to identify the most prevalent threats and weaknesses across the organization’s software portfolio, as well as perform in-depth analyses of their software security and compliance posture both per-project as well as across their entire software (or application) portfolio. New and updated security content, just-in-time training modules, and eLearning courses demonstrate Security Compass’ commitment to ensuring software developers have the training and knowledge required to effectively protect their organizations from emerging, as well as existing, application security threats.

These new capabilities in SD Elements help software development and application security teams:

  • Improve collaboration between security, software development, hardware engineering, and DevOps teams
  • Improve developer productivity
  • Obtain visibility into the security and compliance state of software across an organization’s entire software portfolio
  • Reduce time and costs associated with demonstrating compliance with multiple security standards and regulations

Updated Threat Model Diagrams & Terminology

When a software (or application) threat is identified, just knowing what the threat is isn’t enough. Software development and application security teams need to know not just what the threat is, but where the threat is and the remediation priority, as well as where and how to implement required countermeasures. However, since most software developers are not experts in threat modeling and software security, identifying and prioritizing threats and knowing where they reside and how to implement appropriate countermeasures based on industry best practices can be challenging. Application security experts can help, but in most organizations, application security experts are spread thin, making it hard for software developers to know exactly what they need to do in order to properly remediate software threats as a part of their development workflow.

By surfacing threats directly in threat model diagrams, SD Elements now makes it easier than ever before for developers to understand where threats reside so they can better understand not only the threat itself, but also the countermeasures they need to implement to remediate the threat. Since SD Elements surfaces threats directly in threat model diagrams, application security and software development teams can now quickly see threats specific to the project and its components displayed in a side panel on the diagram canvas, as well as review the threats on a new Threats list page specific to the project. These new capabilities help software development and application security teams better understand not only where the threat exists, but also where the countermeasure should be applied.

SD Elements 2022.3 Release

The default language used for threat modeling in SD Elements 2022.3 has also been updated to align more closely with language used in the software security industry. For example, instead of “Problems” and “Tasks,” the default language in SD Elements is now “Threats,” “Weaknesses,” and “Countermeasures” (“Weaknesses” replaces “Problems,” and “Countermeasures” replaces “Tasks”).

“Problems” and “Tasks” terminology in SD Elements prior to SD Elements 2022.3

New “Threats,” “Weaknesses,” and “Countermeasures” in SD Elements 2022.3

This change means SD Elements now uses language that is more relevant to both security and software development teams, and will make it easier for teams to collaborate, measure, and report on the success of their threat modeling programs.

Learn More: Threat Modeling Video | Threat Modeling Datasheet

New Customizable Dashboards

Releasing vulnerable software can negatively impact brand reputation, customer trust, and an organization’s bottom line. Business leaders and the board understand the importance of managing application security risk. However, software development and application security leaders often struggle to articulate how their software threat modeling and secure development activities measurably reduce business risk.

Teams can spend hours trying to manually compile the threat, security, and compliance data from multiple sources. Aggregating data and massaging it into reports that show the maturity and effectiveness of an application’s security profile to business executives and the board can take hours or days more. And time spent manually compiling and generating reports means less time spent building new product capabilities, further hardening application security, and addressing technical debt.

SD Elements Advanced Reporting makes complex threat, countermeasure, security control, and compliance data accessible and easy to digest. The highly configurable Advanced Reports capabilities (first released in SD Elements 2022.2), now combined with the new customizable dashboards available in SD Elements 2022.3, make it easier than ever before for software development and application security teams to track the state of their software security program. Teams can create rich data visualizations and dashboards that identify the most prevalent threats and weaknesses across the organization’s software portfolio. Teams also have the data, reporting, and analytics capabilities they need to perform in-depth analyses of their software security and compliance posture for individual software projects, as well as across their entire software (or application) portfolio.

Learn More: Advanced Reporting Video | Advanced Reporting Datasheet

New Security Content

SD Elements 2022.3 also now provides the following security content library updates:

  • Infrastructure as Code (IaC): SD Elements continues to enhance its support for infrastructure as code (IaC) by now providing recommended security controls (countermeasures) and guidelines (how-tos or additional requirements for tasks) for software developers working on DevSecOps teams using Ansible.
  • Automotive security: For companies who develop software for the automotive industry and are concerned with cyber risks and threats associated with connected vehicles, new automotive supply chain (UNECE WP.29 / R155) security content is now available.
  • U.S. federal government: For organizations who develop software for the U.S. federal government, SD Elements now provides new content for the Control Correlation Identifier (CCI) framework. For organizations who must meet U.S. federal government security requirements in accordance with Executive Order 14028, “Improving the Nation’s Cybersecurity,” SD Elements now provides new content for Security Measures for EO-Critical Software Use and new content for Guidelines on Minimum Standards for Developer Verification of Software (NISTIR 8397), which maps the threat modeling recommended standard in NIST to verification tasks in SD Elements. Vendors who supply software to the U.S. federal government can use this report to show they are performing threat modeling according to the NIST guidelines.

New Micro Focus Fortify On Demand Integration

Vulnerability scans are a critical part of ensuring software (or application) security and compliance requirements are met. All organizations who develop software must have clear visibility into any vulnerabilities and weaknesses in their code in order to manage risk effectively.

Many organizations use security testing tools to detect and report on weaknesses in code, and SD Elements already integrates with many static application security testing (SAST), dynamic application security testing (DAST), and software composition analysis (SCA) tools.

New in SD Elements 2022.3 is an integration with Micro Focus Fortify on Demand, a cloud-based security-as-a-service solution from Micro Focus that can quickly scan, assess, and report on the security of applications.

Mapping test results from Micro Focus Fortify on Demand back to required threat countermeasures and security controls in SD Elements to verify that security requirements have been met can be a manual, time-consuming process. And receiving results from testing tools late in the software development process can lead to unwelcome surprises and delayed release cycles.

However, the new SD Elements Micro Focus Fortify on Demand integration enables application security and software development teams who use both SD Elements and Micro Focus Fortify on Demand to automatically view application security assessment results from Fortify on Demand within SD Elements, as well as verify security requirements identified and tracked by SD Elements based on Fortify on Demand assessment results. Findings from Fortify on Demand assessments are automatically retrieved and mapped to security requirements within SD Elements.

Note: SD Elements already integrates with many other Micro Focus products, including Micro Focus Application Lifecycle Management (ALM), Micro Focus Fortify Software Security Center, Micro Focus Fortify WebInspect, and Micro Focus Fortify Static Code Analyzer.

Just-in-Time Training (JITT) Updates

New just-in-time training micromodules have been added in SD Elements 2022.3 for Terraform (IaC) and the PCI Software Security Framework (SSF). For a complete list of the 800+ JITT micromodules now available within SD Elements, please see Security Compass Training Curriculum. (If you do not currently have a JITT subscription and would like to learn more, please contact Customer Success.)

New eLearning Courses

The following Security Compass eLearning courses are also now available:

  • OWASP Top 10 (2021)
  • OAuth Security Fundamentals
  • Defending Terraform
  • PCI SSF Compliance

To learn more about these new courses, as well as the more than 40 other eLearning courses covering application security, operational security, and compliance fundamentals and best practices, visit www.securitycompass.com/training/.

Learn More

The new SD Elements 2022.3 release helps organizations who develop software save time and money and reduce cyber risks by taking an automated, developer-centric approach to software threat modeling, secure development, and compliance. This approach enables software developers and security teams to:

  • Continuously model threats at scale
  • Proactively write code that significantly reduces risks and remediation costs
  • Demonstrate compliance with secure software development standards more easily
  • Accelerate software time to market

If you are a current SD Elements customer, watch the SD Elements 2022.3 Release Overview video or reach out to your Customer Success Manager to learn more.

If you are new to SD Elements, request a demo to learn more.

The post SD Elements 2022.3 Release Update appeared first on Security Compass.
