Introducing Continuous Threat Monitoring in SD Elements

April 29, 2014

We are excited to announce the inclusion of a major new feature in SD Elements: Email new task notification. With this new feature, clients who model an application in SD Elements will now be notified via email if there are new tasks that apply to their application. Practically speaking, this means that a client can model an application today, start building security in, and be notified 3 months later that a new software weakness or mitigation control is in scope for the application. This gives our customers an exciting capability to continuously monitor for new threats and mitigate risks immediately, instead of having to wait for a vulnerability scan / assessment.

New Task Notification

With this new feature SD Elements can help large organizations:

1) Identify pervasive software weaknesses,

2) Rapidly inform application stakeholders about new actionable security guidance,

3) Prevent future introduction of an identified weakness in new and existing applications.

Imagine the following scenario: A company creates a corporate framework that is responsible for handling certain kinds of sensitive data. In a large organization, hundreds of applications may use this framework. When it first launches, developers don’t use it consistently. In fact, after a few penetration tests the security team learns that developers are turning on the “debug option” during development and forgetting to turn it off in production. The debug option exposes the application to attackers and leaves data unsecured.

Penetration tests and broad code audits are an expensive way to identify which applications may contain a common weakness. Once an application is identified it is often difficult to determine who is responsible for updating and securing it. Even when the application owner is identified, it is a challenge to communicate a fix to developers.

Satisfy the needs of different business roles:

  • As a developer, you want to know if your project has a weakness, how to fix it, and you want to be alerted via your current processes.
  • As an application owner, you want to know if your application is affected once a weakness is identified, not weeks or months later.
  • As a security stakeholder, you want all affected parties to be alerted to this weakness and have it addressed as soon as possible. Also, future changes to applications should not introduce this weakness.
  • As a business owner, you want to move quickly to protect your brand from software weaknesses and reduce your costs.

SD Elements makes it easy to satisfy all four. As soon as a weakness has been identified an SD Elements administrator uses the intuitive web interface to perform two simple operations:

1. Create a task such as “Disable debugging option in main corporate framework config.xml” and copy the guidance a developer can use to turn off debugging in the framework.

2. Update the task’s rules to match any project that uses the corporate framework.

[Figure: Custom requirement to address weakness in corporate framework. Create custom security guidance and share with relevant projects and developers instantly.]

Every owner of an application that uses the corporate framework is alerted that a potential weakness has been identified in their project. Once the task is added to the project, it can be assigned to a developer or synced automatically into an ALM system (JIRA, Rally, Mingle, TFS, HP ALM, Rational CLM). Once actioned, the application owner can quickly confirm that the weakness is addressed.
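To make the two-step workflow and the later notification concrete, here is an added illustration (not SD Elements' own code): tasks carry rules over project properties, projects record which tasks they have already been told about, and a re-run after a new task is added reports only the new matches to the affected owners. Project names, e-mail addresses and property names are constructed sample data.

```python
from dataclasses import dataclass, field

# Hypothetical model of the workflow above; not SD Elements' own code.
# A task carries rules over project properties; every rule must match.

@dataclass
class Task:
    title: str
    rules: dict  # property name -> required value

@dataclass
class Project:
    name: str
    owner_email: str
    properties: dict
    delivered: set = field(default_factory=set)  # task titles already notified

def applies(task, project):
    """True when every rule on the task matches the project's profile."""
    return all(project.properties.get(k) == v for k, v in task.rules.items())

def new_notifications(library, projects):
    """Return (owner_email, project, task) for newly applicable tasks and
    record them, so a re-run only reports tasks the owner has not yet seen."""
    out = []
    for p in projects:
        for t in library:
            if applies(t, p) and t.title not in p.delivered:
                p.delivered.add(t.title)
                out.append((p.owner_email, p.name, t.title))
    return out

DEBUG_TASK = "Disable debugging option in main corporate framework config.xml"

def run_scenario():
    # Constructed sample data: three projects modelled "today".
    projects = [
        Project("payments", "alice@example.com", {"framework": "corpfw", "pii": True}),
        Project("intranet", "bob@example.com", {"framework": "corpfw", "pii": False}),
        Project("blog", "carol@example.com", {"framework": "django", "pii": False}),
    ]
    library = [Task("Encrypt sensitive data at rest", {"pii": True})]
    first = new_notifications(library, projects)   # initial modelling
    # Months later the admin adds the debug-option task whose rule matches
    # any project on the corporate framework (step 2 above).
    library.append(Task(DEBUG_TASK, {"framework": "corpfw"}))
    later = new_notifications(library, projects)   # only the new matches go out
    return first, later

if __name__ == "__main__":
    for batch in run_scenario():
        for owner, project, task in batch:
            print(f"notify {owner}: '{task}' now applies to {project}")
```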
