Lean Application Security is a lean process model for integrating security into the software development process. It aims for the development of secure applications and systems from the ground up without disrupting the project flow and complicating the project result.
Lean Application Security integrates seamlessly into modern agile development models and DevOps processes.
Features of Lean Application Security
Every project is different. Project structure, timeline, maturity level, protection requirements, technology stack, budget and much more are important factors to consider when selecting the type and scope of measures and tools.
We automate wherever it is possible and useful. We make sure that the development process is not made more complicated and that the technical process chain is not exposed to any risk of disruption.
Our consulting aims to let the services provided have an effect beyond the respective project. The maturity level of the organizational unit or the entire organization increases with every assignment.
Our basic principle: Security must not be an end in itself!
Security efforts during software development carry the stigma of increasing costs, disrupting the project flow and complicating the project outcome. In many cases, therefore, security is given a correspondingly low priority within a software project. The result is a low security level with the associated high risk over the entire lifecycle of an application.
Our consulting concept aims to avoid these obstacles in the first place. Experience has shown that consistently aligning security measures with the two criteria of cost reduction and acceptance provides a sustainable basis for achieving this goal:
- The level of security must lead to a cost reduction in the overall view.
- The type, scope and implementation of security activities and measures are motivated in such a way that they are accepted by all project participants.
From these key requirements we derive our Lean Application Security process model for software projects: the development of inherently secure applications and the automation of the technical process chain.
Lean Application Security Overview
Application security is anchored in a way that embraces and supports the entire development process.
Kick-off: The first trim happens in a workshop
The initial inventory with key stakeholders provides the basis for everything else:
- What phase is the project in?
- How is the risk situation assessed?
- What level of security maturity does the team have?
- Presentation of the organizational framework on the customer side (e.g. development procedure, budget situation, stakeholders)
- Technical setup (e.g. technology stack, embedding in the system landscape)
Factors that influence the nature and extent of this initial step include:
- Has a risk/threat analysis been carried out?
- Does a security concept exist?
- Which compliance and security requirements exist in-house?
With the result of the kick-off, we are in a position to pre-qualify suitable approaches from the range of security activities and to present them to the project. In a joint working session, the benefits, applicability, consequences for project implementation and costs are discussed, and a qualified decision is made regarding the type and scope of implementation. A binding assessment of the extent of our support can already be made at this stage.
In those cases where a sufficient information base has not yet been established, clarity can be achieved through a preliminary risk analysis and/or architectural analysis. This is usually the case if
- the threat situation is not yet sufficiently clear to the client,
- the security dependencies arising from embedding in a complex system environment are not manageable,
- or the project is already in an advanced state.
The toolkit: Individually adaptable and combinable modules
Our Lean Application Security procedure consists of the following modules. The modules used are individually tailored to the project. They are largely independent of one another and can be combined freely.
- Identification of risks using standardised threat modelling procedures. Enables measures to be reduced to the necessary extent.
- Determination of the dependencies on the surrounding system landscape that are essential for the security of the application.
- Maximum efficiency and repeatability of security tests, guaranteed by selecting and integrating suitable (open source) tools into the process chain.
- Establishment of team-internal manual code review for security as a natural part of the development process.
- Application security and secure coding trainings are highly effective measures in the quest for securely developed applications.
- This easy-to-use module monitors the third-party components involved and alerts you immediately if vulnerabilities become known.
- Manual penetration tests at major milestones form the last important security gateway before the launch.
- The SEP (Security-Expert-in-Project) is available as a permanent contact person and can act operationally in the project to any scalable extent.
- Applications in production are always exposed to attack attempts. Smart monitoring warns as soon as an attempt is likely to succeed for the attacker.
- The broad field of application security is rich in other smaller or larger measures to increase security.
Key strategy: automation and storage of knowledge
Wherever possible, we implement the measures in such a way that they have a lasting effect beyond their immediate use. We achieve this through automation and the permanent provision of knowledge.
Just as with classical quality assurance, extensive testing must accompany the development of security. A high degree of automation not only maximizes efficiency, but also makes the tools and processes provided reusable for subsequent projects.
Provision of knowledge
- Secure Coding Guidelines can be derived from the work results – tailored to the company requirements and the technology stack used.
- Compliance with the guidelines can be checked automatically by rules, depending on the tool used.
- The principle of anchoring security measures in the architecture means that follow-up projects based on the same architecture are automatically provided with the same measures.