With decades of experience in application security, ServiceMax does not believe in adding complexity or significant friction to existing development practices and build pipelines. We leverage industry-accepted secure development practices and have built an SDL framework that is easy to follow and that developers and engineers in the SaaS industry are familiar with.
These phases are not meant to act as a gating mechanism, since we do not believe in such an approach; rather, they are a logical segmentation of the critical aspects that make up the SDL. The following are some of the more critical aspects or functions of the SDL, each supported by one or more of the phases above.
Developer Security Training – Ongoing courses provided to developers in order to improve their understanding of techniques for identifying and mitigating security vulnerabilities. Training will focus on topics including threat modeling, DAST testing, and coding techniques to prevent common defects such as SQL injection.
Design/Architecture Review – A collaborative effort between the Development/Engineering teams and Cyber Security to assess and develop application or service design patterns that mitigate risk to the platform and its associated applications and services. Both security and privacy factor into the overall design of our products.
Threat Modeling – A structured approach for analyzing the security of an application, with special consideration for boundaries between logical system components, which often communicate across one or more networks.
Security User Stories / Security Requirements – A description of the functional and non-functional attributes of a software product and its environment that must be in place to prevent security vulnerabilities and to mitigate factors that threaten privacy. Security user stories are written in the style of a functional user story, as it would be entered into an Agile-oriented tool such as Jira.
Automated Dynamic Application Security Testing (DAST) – A process of testing an application or software product in an operating state, implemented by a web application security scanner.
Automated Static Application Security Testing (SAST) – A process of testing an application or software product in a non-operating state, analyzing the source code for common security vulnerabilities.
Open Source Software Security Testing (OSS) – A process of testing an application or software product for known security vulnerabilities in the open-source components it depends on.
Penetration Testing – Hands-on security testing of a runtime system. This sort of testing uncovers more complex security flaws that may not be caught by DAST or SAST tools.
Continuous Risk Assessment – A means to identify and manage risk during the system build or product development lifecycle.