We support projects and organizations in implementing application security with our Lean Application Security approach.


Lean Application Security is a lean process model for integrating security into the software development process. It aims at developing secure applications and systems from the ground up without disrupting the project flow or complicating the project result.


Lean Application Security integrates seamlessly into modern agile development models and DevOps processes.

Features of Lean Application Security

Tailored

Every project is different. Project structure, timeline, maturity level, protection requirements, technology stack, budget and much more are important factors to consider when selecting the type and scope of measures and tools.

Efficient

We automate wherever it is possible and useful. We make sure that the development process is not made more complicated and that the technical process chain is not exposed to any risk of disruption.

Sustainable

Our consulting aims to ensure that the services provided have an effect beyond the individual project. The maturity level of the organizational unit or the entire organization increases with every assignment.

Our basic principle: Security must not be an end in itself!


Security efforts during software development carry the stigma of increasing costs, disrupting the project flow and complicating the project outcome. In many cases, security is therefore given a correspondingly low priority within a software project. The result is a low security level with the associated high risk over the entire lifecycle of an application.

Our consulting concept aims to avoid these obstacles in the first place. Experience has shown that consistently orienting the security measures towards the criteria of cost reduction and acceptance is a sustainable basis for achieving this goal:

  • The level of security must lead to a cost reduction in the overall view.
  • The type, scope and implementation of security activities and measures are motivated in such a way that they are accepted by all project participants.

From these key requirements we derive our Lean Application Security process model for software projects, aimed at the development of inherently secure applications and the automation of the technical process chain.


Lean Application Security Overview

Lean Application Security

Application security is anchored in a way that embraces and supports the entire development process.

Kick-off: The first trim happens in a workshop

The initial inventory with key stakeholders provides the basis for everything else:

  • What phase is the project in?
  • How is the risk situation assessed?
  • What level of security maturity does the team have?
  • Presentation of the organizational framework on the customer side (e.g. development procedure, budget situation, stakeholders)
  • Technical setup (e.g. technology stack, embedding in the system landscape)

Factors that influence the nature and extent of this initial step include:

  • Has a risk/threat analysis been carried out?
  • Does a security concept exist?
  • Which compliance and security requirements exist in-house?

Result

With the result of the kick-off, we are in a position to pre-qualify the potential approaches from the range of activities for the establishment of security and to present them to the project. In a joint working round, the benefits, applicability, consequences for project implementation and costs are discussed and a qualified decision is made regarding the type and scope of implementation. A binding assessment of the extent of our support can already be made at this stage.

In those cases where a sufficient information base has not yet been established, clarity can be achieved through a preliminary risk analysis and/or architectural analysis. This is usually the case if

  • the threat situation is not yet sufficiently clear to the client
  • the dependency of security on being embedded in a complex system environment is not manageable
  • or the project is already in an advanced state.

The toolkit: Individually adaptable and combinable modules

Our Lean Application Security procedure consists of the following modules. The modules used are individually tailored to the project. They are largely independent of one another and can be combined with each other.

Key strategy: automation and storage of knowledge

Wherever possible, we align the implementation of the measures in such a way that they have a lasting effect that goes beyond their immediate use. We achieve this through automation and the permanent provision of knowledge.