We’ve put together a framework based on the OWASP Software Assurance Maturity Model (SAMM) and some of its user-contributed checklists to perform a security assessment of an organization’s SDLC. The intent is not to find specific flaws in an application, but to measure how much security is built into the development process itself. Today this kind of assessment usually rests on the individual judgment of an application security expert, so results vary from one assessor to the next. We wanted a repeatable, systematic process framed in the language of controls auditing. Ideally, organizations will be able to assess a prospective software vendor’s SDLC security posture before purchasing commercial off-the-shelf or custom-developed software. We’ve used this framework successfully to identify gaps and provide recommendations for independent software vendors. Please send your feedback to email@example.com. We look forward to hearing from you!
Most Recent Articles
Last month, the Biden administration signed an Executive Order to improve cybersecurity. One aim of the new order is to regulate what the government considers reasonable security practices.
Cybersecurity training programs for developers help build a culture of security in your organization as well as raise awareness about secure coding best practices.
Learn about the latest cybersecurity threats to the financial sector and the importance of implementing new tech with an approach of security by design.
After years of anticipation, NIST SP 800-53 Rev. 5 was released in 2020. Learn how federal information systems can demonstrate compliance with these security controls.
What does it take to grow the next generation of cybersecurity consultants? Manny Mand discusses his cybersecurity journey and role at Hackers for Change.
Containers are transforming how businesses deploy and use applications. Find out how you can defend your business against common container security risks.
For teams that develop in Agile, a yearly penetration test is not enough. Learn how continuous penetration testing leads to cost savings, time savings, and more secure software.
SD Elements is now available in the U.S. DoD Platform One Iron Bank repository which contains authorized container images hardened to the department’s exacting specifications.
What secures (or fails to secure) your business does not depend on written policies. It depends on what your development team is doing day in and day out.
Your security and development teams should know how to identify and mitigate TOCTOU vulnerabilities. Learn why, and learn how, to test for them in this new book.
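The classic TOCTOU (time-of-check to time-of-use) bug in file handling is to check a property of a *path* and then open the same *path*: an attacker who can write to the directory swaps in a symlink between the two calls. The example below is added here to illustrate that pattern and its mitigation; it is not code from the book or from the original page. It shows the vulnerable check-then-use routine next to a hardened version that opens first, with `O_NOFOLLOW`, and then validates the descriptor it actually holds with `fstat()`. Instead of racing a second thread, the example uses a symlink that is already in place when the check runs, which the path-based check accepts and the descriptor-based check rejects deterministically. The scratch directory, file name and ownership check are constructed for this example.

```c
/* TOCTOU in file access: check-then-use on a path versus validating the
 * descriptor you actually opened. Added example, not from the original page. */
#ifndef _GNU_SOURCE
#define _GNU_SOURCE
#endif
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* VULNERABLE: stat() the path, then open() the path. Both calls resolve the
 * name independently, so the object inspected need not be the object opened.
 * stat() also follows symlinks, so a link to a regular file passes the check. */
int open_check_then_use(const char *path) {
    struct stat st;
    if (stat(path, &st) != 0) return -1;     /* time of check */
    if (!S_ISREG(st.st_mode)) return -1;
    return open(path, O_RDONLY);             /* time of use: path may differ now */
}

/* HARDENED: open first, refusing to follow a symlink in the final component,
 * then check the descriptor with fstat(). Whatever passes the check is the
 * same inode the caller goes on to read. The owner check (constructed policy
 * for this example) rejects files planted by another local user. */
int open_validated(const char *path) {
    int fd = open(path, O_RDONLY | O_NOFOLLOW | O_CLOEXEC);
    if (fd < 0) return -1;                   /* symlink: ELOOP on Linux and macOS */
    struct stat st;
    if (fstat(fd, &st) != 0 || !S_ISREG(st.st_mode) || st.st_uid != geteuid()) {
        close(fd);
        errno = EPERM;
        return -1;
    }
    return fd;
}

/* Constructed fixture: a scratch directory with a regular file and a symlink
 * pointing at it, standing in for the attacker's swap. Returns 0 on success. */
static char g_dir[256], g_file[256], g_link[256];

int make_fixture(void) {
    snprintf(g_dir, sizeof g_dir, "/tmp/toctou_XXXXXX");
    if (mkdtemp(g_dir) == NULL) return -1;
    snprintf(g_file, sizeof g_file, "%s/config.txt", g_dir);
    snprintf(g_link, sizeof g_link, "%s/link_to_config", g_dir);
    int fd = open(g_file, O_WRONLY | O_CREAT | O_EXCL, 0600);
    if (fd < 0) return -1;
    const char *body = "debug=false\n";      /* constructed file contents */
    if (write(fd, body, strlen(body)) < 0) { close(fd); return -1; }
    close(fd);
    return symlink(g_file, g_link);
}

void remove_fixture(void) {
    unlink(g_link);
    unlink(g_file);
    rmdir(g_dir);
}

int main(void) {
    if (make_fixture() != 0) { perror("fixture"); return 1; }
    int a = open_check_then_use(g_link);
    int b = open_validated(g_link);
    printf("check-then-use on symlink:      %s\n", a >= 0 ? "ACCEPTED (exploitable)" : "rejected");
    printf("validate-the-descriptor on link: %s\n", b >= 0 ? "accepted" : "rejected");
    if (a >= 0) close(a);
    if (b >= 0) close(b);
    remove_fixture();
    return 0;
}
```

The rule that generalizes beyond this snippet: every security decision about a file should be made on the open descriptor (`fstat`, `fchmod`, `fchown`, `openat` relative to a directory fd), never on a path string that can be re-pointed between calls. Where a design genuinely needs a path-based check (for example `access()` to honour the real uid), treat its result as advisory only and re-validate on the descriptor.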
A conversation with Steven Patterson about his eBook, which teaches red team testing professionals how to start building Command and Control tools in C++.
In our survey, we found a rising trend toward the adoption of DevSecOps over the last year.
Last year was challenging, but it also presented a great opportunity for organizations to address cybersecurity in scalable ways. Let's learn where security is headed in 2021.
To stay secure while embracing the cloud, your organization will need a security program that takes into account the differences between cloud and traditional security.
2020 upended security strategies and IT roadmaps. Our team identified five cybersecurity trends that will influence security and business priorities moving ahead.
CMMC is a means of unifying cybersecurity standards for the U.S. Department of Defense. Learn how you can achieve compliance with this new standard.
Learn how penetration testing can help healthcare providers resist attacks from Ryuk Ransomware, keep patient records secure, and provide uninterrupted care.
Attackers are following the trajectory of software development and have their eyes on APIs. Regularly testing the security of your APIs reduces your risk.
Security testing has increased considerably over the past decade. But are vulnerability scanners enough to ensure software security?
Ask these five questions to find a penetration testing provider that both satisfies your technical needs and works in harmony with your business.