In today’s software projects the topic “security” is unfortunately too often either not understood at all or only seen as a “secondary problem”. A “pentest at the end” is a widely used approach. Some projects also rely on the unadapted use of so-called security “quick wins” (security libraries and/or freely downloadable secure coding guidelines), which may be better than nothing at the first glance, but in practice it is often too ineffective and/or inaccurate. That insight often leads to a defensive attitude amongst developers, since it is perceived as an annoying, toothless “paper tiger”.
In addition to that, changes to functional or non-functional requirements, code modifications, adjustments to project dependencies and the use of modern procedure models (such as agility) quickly lead to a significant increase in complexity. As a result, security in the early stages of development often falls by the wayside. This decay can be counteracted by adapting any requirements, such as the use of security libraries and secure coding guidelines, to the respective threat, technology and development environment.
We can take care of this for you or provide assistance to your experts!
We assist you:
in coordination with the client, we:
- analyse the development process with the currently used technology stack (also as part of a workshop)
- perform a short threat assessment as part of a small workshop with the client (if not already done)
- derive corresponding and fitting measures and concrete implementation recommendations
- create individually customized Secure Coding Guidelines for your environment on the basis of the obtained information and give recommendations for appropriate Security Libraries
- transfer the guidelines into a format that is familiar and accepted by the developers (standalone document, Wiki, etc.)
See also:
- Threat Modelling
- Security Architecture Workshops
- Agile Security & Secure DevOps
- Case Study: Secure Coding Guidelines as Part of the Security Requirements
Additional information:
Our Lean Application Security approach to developing secure applications from the ground up, seamlessly integrating with modern agile development models and DevOps processes.
