
Lean Application Security

Lean Application Security is a streamlined approach to integrating security into the software development process. It aims to develop inherently secure applications and systems without disrupting the project flow or complicating the project outcome.

Lean Application Security seamlessly integrates into modern agile development models and DevOps processes.

We support projects and organizations in implementing application security with our Lean Application Security approach.

Tailored Solutions

Every project is unique. Project structure, timeline, maturity level, protection requirements, technology stack, budget, and much more are important factors to consider when selecting the type and scope of measures and tools.

Efficient

We automate wherever it is possible and sensible to do so. We attach great importance to keeping the development process simple and to not exposing the technical process chain (the build and delivery pipeline) to any risk of disruption.

Sustainable

Our consulting aims to ensure that the services provided have an impact beyond the respective project. With each engagement, the maturity level of the organizational unit or the entire organization increases.

Lean Application Security at a Glance

Offer

Security efforts during software development are often stigmatized as increasing costs, disrupting the project flow, and complicating the project outcome. As a result, security is often given a correspondingly low priority within a software project.

Our consulting concept aims to avoid these obstacles from the outset.

Kick-off: The initial tailoring takes place in a workshop

The initial assessment with key stakeholders provides the basis for everything else:

  • In which phase is the project?
  • How is the risk situation assessed?
  • What is the team's security maturity level?
  • Presentation of the organizational framework on the customer side (e.g. development process, budget situation, stakeholders)
  • Technical setup (e.g. technology stack, integration into system landscape)


The factors that influence the type and scope of this initial step include:

  • Has a risk/threat analysis been carried out?
  • Does a security concept exist?
  • What compliance and security requirements exist internally?

Result

Information

Based on the kick-off meeting's outcome, we can pre-qualify potentially suitable approaches from the spectrum of security activities and present them to the project.

In a joint working session, we will discuss benefits, applicability, consequences for project execution, and costs, and make a qualified decision regarding the type and scope of implementation. A binding estimate of the extent of our support can already be made at this point.

In cases where a sufficient information base does not yet exist, clarity can be achieved through a preliminary risk analysis and/or architecture analysis. This is usually the case when:

  • the client is not yet sufficiently aware of the threat situation
  • it is not yet apparent how strongly the application's security depends on its integration into a complex system environment
  • or the project is already in an advanced state.

The modular system: Individually adaptable and combinable modules

Module: Risk Analysis

Identification of risks using standardized threat modeling techniques. Enables measures to be reduced to the necessary scope.

Module: Architecture Analysis

Determines the dependencies on the surrounding system landscape that are essential for application security.

Module: Training Courses

Application Security and Secure Coding training courses are considered a highly effective measure in the pursuit of securely developed applications.

Module: Patch Processes

This easy-to-use module monitors the integrated third-party components and immediately alerts you when vulnerabilities become known.
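The core of such a patch-process module is a matcher that compares the pinned versions of third-party components against published affected-version ranges. The following added example (not mgm's own tooling) shows that matching logic; the lockfile, the package names and the advisory identifiers are constructed placeholders, not real packages or advisories.

```python
"""Match pinned third-party dependencies against known-vulnerable version
ranges and produce alerts.

Added illustration: the lockfile, package names and advisory IDs below are
constructed placeholders for this example, not real advisories.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Advisory:
    advisory_id: str         # placeholder identifier, not a real advisory
    package: str
    introduced: str          # first affected version (inclusive)
    fixed: Optional[str]     # first fixed version (exclusive); None = no fix yet
    severity: str


# Constructed advisory feed (hypothetical packages and IDs).
ADVISORIES = [
    Advisory("EX-0001", "examplelib", "1.0.0", "1.4.2", "high"),
    Advisory("EX-0002", "otherlib", "2.0.0", None, "critical"),
    Advisory("EX-0003", "examplelib", "2.0.0", "2.0.5", "medium"),
]

# Constructed requirements-style lockfile ("name==version" per line).
LOCKFILE = """\
examplelib==1.3.9
otherlib==2.1.0
safelib==0.9.1
# comments and blank lines are ignored

examplelib-extras==1.0.0
"""


def parse_version(v: str) -> Tuple[int, ...]:
    """Turn '1.4.2' into (1, 4, 2) so versions compare numerically, not
    lexically ('1.10.0' must sort above '1.9.0'). Pre-release suffixes
    such as '1.0.0rc1' are deliberately not handled here."""
    return tuple(int(part) for part in v.split("."))


def parse_lockfile(text: str) -> Dict[str, str]:
    """Parse 'name==version' lines; package names are normalised to lowercase."""
    deps: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        name, _, version = line.partition("==")
        deps[name.strip().lower()] = version.strip()
    return deps


def is_affected(version: str, adv: Advisory) -> bool:
    """True if introduced <= version < fixed, or version >= introduced when
    no fixed version exists yet."""
    v = parse_version(version)
    if v < parse_version(adv.introduced):
        return False
    if adv.fixed is None:
        return True
    return v < parse_version(adv.fixed)


def find_alerts(deps: Dict[str, str], advisories: List[Advisory]) -> List[dict]:
    """One alert per (package, advisory) pair whose range covers the pinned version."""
    alerts = []
    for adv in advisories:
        pinned = deps.get(adv.package)
        if pinned is not None and is_affected(pinned, adv):
            alerts.append({
                "advisory": adv.advisory_id,
                "package": adv.package,
                "pinned": pinned,
                "fixed_in": adv.fixed,
                "severity": adv.severity,
            })
    return alerts


if __name__ == "__main__":
    for alert in find_alerts(parse_lockfile(LOCKFILE), ADVISORIES):
        fix = alert["fixed_in"] or "no fix available"
        print(f"[{alert['severity']}] {alert['package']}=={alert['pinned']} "
              f"affected by {alert['advisory']} (fixed in: {fix})")
```

Running the script reports examplelib 1.3.9 (inside the 1.0.0 to 1.4.2 range) and otherlib 2.1.0 (affected with no fix yet); examplelib is not matched against the second advisory because its pinned version lies below that range. In a real pipeline the same matcher would run on every dependency update and on every new advisory-feed entry, and the version comparison would use a library that understands pre-release and post-release versions.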

Module: Penetration Tests

Manual penetration tests at major milestones form the crucial final security gateway before going live.

Module: Expert Support

The SEP (Security-Expert-in-Project) is available as a permanent contact person and can take on hands-on work in the project to whatever extent is needed.

Module: Monitoring

Applications in production are constantly exposed to attack attempts. Intelligent monitoring raises a warning as soon as an attempt shows signs of succeeding for the attacker.
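The distinction between "an attempt" and "an attempt that is becoming promising" is what such monitoring has to encode. The added example below (illustrative code, not mgm's monitoring product) applies one such rule to constructed web-server log lines: repeated failed logins from one source within a time window are an attempt, and a successful login from that same source while the failure count is still above the threshold is the promising stage that warrants an immediate warning. The log format, IP addresses and thresholds are assumptions for the example.

```python
"""Escalating login-abuse detection over web-server log lines.

Added illustration. Assumed log format per line:
    <ISO timestamp> <client IP> <method> <path> <status>
The lines, IPs (documentation ranges) and thresholds are constructed.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta
from typing import Deque, Dict, List, NamedTuple, Optional, Tuple

WINDOW = timedelta(minutes=5)     # assumed sliding window for failed logins
FAIL_THRESHOLD = 5                # assumed number of failures that counts as an attempt

# Constructed sample log: 203.0.113.7 fails repeatedly, then succeeds;
# 198.51.100.2 mistypes a password once and then logs in normally.
LOG_LINES = """\
2024-05-01T10:00:01 203.0.113.7 POST /login 401
2024-05-01T10:00:03 203.0.113.7 POST /login 401
2024-05-01T10:00:05 198.51.100.2 GET /index.html 200
2024-05-01T10:00:06 203.0.113.7 POST /login 401
2024-05-01T10:00:08 203.0.113.7 POST /login 401
2024-05-01T10:00:10 203.0.113.7 POST /login 401
2024-05-01T10:00:12 203.0.113.7 POST /login 401
2024-05-01T10:00:15 198.51.100.2 POST /login 401
2024-05-01T10:00:20 198.51.100.2 POST /login 200
2024-05-01T10:00:25 203.0.113.7 POST /login 200
2024-05-01T10:20:00 203.0.113.7 GET /account 200
"""


class Alert(NamedTuple):
    kind: str          # "attempt" or "promising"
    ip: str
    at: datetime
    failures: int      # failed logins in the window when the alert fired


def parse_line(line: str) -> Optional[Tuple[datetime, str, str, str, int]]:
    """Split one log line into its fields; malformed lines are skipped."""
    parts = line.split()
    if len(parts) != 5:
        return None
    try:
        return datetime.fromisoformat(parts[0]), parts[1], parts[2], parts[3], int(parts[4])
    except ValueError:
        return None


def analyse(log_text: str) -> List[Alert]:
    """Walk the log once, keeping per-IP timestamps of recent failed logins."""
    fails: Dict[str, Deque[datetime]] = defaultdict(deque)
    alerts: List[Alert] = []
    for line in log_text.splitlines():
        evt = parse_line(line)
        if evt is None:
            continue
        ts, ip, method, path, status = evt
        if not (method == "POST" and path == "/login"):
            continue
        recent = fails[ip]
        while recent and ts - recent[0] > WINDOW:   # expire old failures
            recent.popleft()
        if status == 401:
            recent.append(ts)
            if len(recent) == FAIL_THRESHOLD:       # fire once on crossing the threshold
                alerts.append(Alert("attempt", ip, ts, len(recent)))
        elif status == 200:
            if len(recent) >= FAIL_THRESHOLD:       # success right after a burst of failures
                alerts.append(Alert("promising", ip, ts, len(recent)))
            recent.clear()                          # a success resets the counter
    return alerts


if __name__ == "__main__":
    for a in analyse(LOG_LINES):
        print(f"{a.at.isoformat()} {a.kind:9} source={a.ip} failures={a.failures}")
```

On the sample log this yields two alerts for 203.0.113.7: an "attempt" when the fifth failure arrives and a "promising" alert when the later success follows, while the single failed attempt from 198.51.100.2 followed by a success produces nothing, which is what a monitoring rule should do for an ordinary typo. The threshold and window are tuned per application; the structure (count within a window, escalate on success) carries over to other indicators such as scanner-style 404 bursts followed by a hit.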

Module: Further Measures

The broad field of application security is rich in other smaller or larger measures to increase security.

Key strategy: Automation and knowledge retention

Wherever feasible, we align the implementation of measures to achieve a lasting impact that extends beyond the immediate application. We accomplish this through automation and the sustained availability of knowledge.

Automation

Similar to traditional quality assurance, security requires extensive testing throughout the development process. Achieving a high degree of automation not only maximizes efficiency but also ensures the reusability of the provided tools and processes for subsequent projects.

Knowledge Retention

  • Secure Coding Guidelines can be derived from the work results, tailored to the company's requirements and the technology stack used.
  • Depending on the tool used, compliance with the guidelines can be automatically checked by rules.
  • The principle of anchoring security measures in the architecture ensures that subsequent projects building on the same architecture automatically benefit from them.
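Automatically checking compliance with secure-coding guidelines means expressing each guideline as a rule that runs over the code, typically in the same CI pipeline as the other tests. The added example below (illustrative code, not mgm's tooling or an existing product's rule set) encodes three such guideline rules for Python using the standard-library `ast` module and runs them over a constructed source snippet; the rule identifiers and the snippet are assumptions for the example.

```python
"""Rule-based secure-coding guideline checks over Python source, using ast.

Added illustration. The rule IDs, messages and the sample source are
constructed for this example; the snippet is only parsed, never executed.
"""
import ast
from typing import Dict, List, NamedTuple


class Finding(NamedTuple):
    rule: str
    line: int
    message: str


# Constructed sample source with two violations per guideline style and one
# compliant call. Line numbers are those the parser assigns (first line is 1).
SAMPLE = '''\
import subprocess, yaml, hashlib

def run(cmd):
    return subprocess.run(cmd, shell=True)

def load(doc):
    return yaml.load(doc)

def load_ok(doc):
    return yaml.safe_load(doc)

def digest(pw):
    return hashlib.md5(pw).hexdigest()
'''

SUBPROCESS_CALLS = {"subprocess.run", "subprocess.Popen",
                    "subprocess.call", "subprocess.check_output"}
WEAK_HASHES = {"hashlib.md5", "hashlib.sha1"}


def _callee_name(node: ast.Call) -> str:
    """Dotted name of the called function, e.g. 'subprocess.run'."""
    parts = []
    n = node.func
    while isinstance(n, ast.Attribute):
        parts.append(n.attr)
        n = n.value
    if isinstance(n, ast.Name):
        parts.append(n.id)
    return ".".join(reversed(parts))


def check_source(src: str) -> List[Finding]:
    """Apply the guideline rules to every call expression in the source."""
    findings: List[Finding] = []
    for node in ast.walk(ast.parse(src)):
        if not isinstance(node, ast.Call):
            continue
        name = _callee_name(node)
        kwargs: Dict[str, ast.expr] = {k.arg: k.value for k in node.keywords if k.arg}

        # Rule 1: no shell=True; the command string becomes shell-injectable.
        if name in SUBPROCESS_CALLS:
            sh = kwargs.get("shell")
            if isinstance(sh, ast.Constant) and sh.value is True:
                findings.append(Finding("SHELL-TRUE", node.lineno,
                                        f"{name}(..., shell=True): pass an argument list instead"))
        # Rule 2: yaml.load without an explicit Loader can instantiate arbitrary objects.
        elif name == "yaml.load" and "Loader" not in kwargs:
            findings.append(Finding("YAML-LOADER", node.lineno,
                                    "yaml.load without Loader: use yaml.safe_load"))
        # Rule 3: MD5/SHA-1 are not acceptable for security-relevant hashing.
        elif name in WEAK_HASHES:
            findings.append(Finding("WEAK-HASH", node.lineno,
                                    f"{name}: use SHA-256 or a password hash (e.g. scrypt)"))
    return sorted(findings, key=lambda f: f.line)


if __name__ == "__main__":
    for f in check_source(SAMPLE):
        print(f"line {f.line}: [{f.rule}] {f.message}")
```

On the sample the checker reports SHELL-TRUE on line 4, YAML-LOADER on line 7 and WEAK-HASH on line 13, and accepts the `yaml.safe_load` call. Each guideline that the project derives from its own work results can be captured as one such rule; failing the build on new findings is what turns the guideline into an enforced standard rather than a document.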

Dr. Bastian Braun

Take the first step and get in touch with me.

mgm DeepDive

mgm ATLAS

mgm ATLAS is the efficient integration of automated tests into development processes. It optimally complements our Lean Application Security approach with a streamlined and scalable testing platform.

About mgm ATLAS


Security is increasingly becoming a central quality characteristic of software products. However, addressing it in the traditional way – i.e., by focusing on security tests at the end of milestones – almost inevitably leads to serious impacts on time and budget frameworks.