Building secure software necessitates a holistic approach to security, which includes bringing “secure by design” principles to life. The industry recognizes the benefits of performing threat modeling throughout the software development lifecycle (SDLC). Amid rising concerns about cyberattacks, industry and government organizations have been promoting more widespread adoption and offering guidelines to establish and mature threat modeling programs.
At Security Compass, we are committed to helping our customers mitigate cyber security risks at scale by automating threat modeling. We are making continuous investments in our SD Elements platform to enable a developer-centric approach to threat modeling. Developer-centric threat modeling prioritizes the speed of software development without compromising the security and compliance required to release. It shifts security ownership from siloed security teams to a collaborative approach that is easier for development teams to understand and support. Developer-centric threat modeling makes it easier for key stakeholders, especially developers, to contribute to building secure and compliant software early and often.
To that end, we are excited to share what’s coming in the SD Elements 2022.2 release, which will become generally available (GA) on July 9th. (Current SD Elements customers can preview the release on their CD instance as of June 24th, two weeks before GA.)
This release executes the plan we shared with you in March 2022 to move to a quarterly release cadence so that you can benefit from more robust and predictable releases.
What’s New In the SD Elements 2022.2 Release?
Threat Model Diagrams
Threat model diagrams play an essential role in identifying, understanding, and communicating threats among development and security teams. A lack of consistency in diagramming can lead to ineffective communication and hamper collaboration between teams. In fact, in our 2021 report on the state of threat modeling, 43% of respondents cited a lack of consistency as a key challenge their companies face as they conduct threat modeling.
In SD Elements 2022.2, new automated threat model diagrams help drive standardization across teams and simplify the task of creating threat models, especially for users with limited security knowledge. SD Elements automatically places architectural components into a diagram based on selections made in the survey. The automation from survey to diagram ensures consistency in the graphical representation of components across projects and augments the survey by identifying and communicating threats effectively to stakeholders.
Threat model diagram in SD Elements
How It Works
Upon completion of the Survey, users have the option to generate a diagram for the project. The diagram feature complements the survey and helps users identify, understand, and communicate threats among software teams, security teams, and non-security stakeholders. SD Elements automatically places the architectural components previously selected in the survey on the diagram. Users can then improve the diagram by adding or editing components, labels, zones, and data flows between components. Users can also choose to generate a diagram for each project release.
As organizations adopt microservices or multi-component software development approaches, securing independent, distributed, and modular services can challenge development, security, and operations teams. Identifying the properties of these services or components, understanding the flaws and threats, and managing the appropriate threat countermeasures can be daunting.
Reusable components in SD Elements allow users to model multi-component software applications effectively. The team that owns or is responsible for a service or component can now specify the controls that are already addressed and any additional controls that still need to be implemented. A component can be an internal service that provides critical functionality such as authentication, authorization, or encryption, or it can be a database, an infrastructure element, or a third-party library. A component can also be non-technical, relating to policies and regulations.
By using reusable components, development teams can take advantage of controls that are already implemented in the components and focus their attention on implementing relevant tasks for the part of the software they are developing. This feature helps increase productivity as teams can build, segregate, and reuse trusted components to build complex multi-component software products. It also helps improve overall software security and facilitates faster product releases.
How It Works
A new object called components is now included in the SD Elements Library. Customers can leverage pre-built reusable components and create, edit, and delete custom components.
Once a component is activated in the library, the component can be added to projects. Selecting a component’s mapped answer in the survey adds the component to the project without requiring any additional action from the users. When a component is added to a project, overlapping tasks that are in the component’s Mark as Complete list and tasks that are relevant in the project will be automatically updated to the Complete status. Tasks in the Mark as incomplete list will be added if they are not already in the project task list. If the task exists, the status gets updated to Incomplete. This automation saves the team working on the project from repeatedly validating the completion of these redundant tasks.
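The reconciliation rule described above (Mark as Complete entries only affect tasks already relevant to the project; Mark as Incomplete entries are added when missing and set to Incomplete either way) is easy to get subtly wrong, so here it is as an added, self-contained Python example. This is illustrative code written for this page, not SD Elements' own implementation or API; the `Component`, `Status` and `apply_component` names, the constructed task ids, and the choice that a task listed in both sets ends up Incomplete are all assumptions.

```python
from dataclasses import dataclass
from enum import Enum


class Status(Enum):
    COMPLETE = "Complete"
    INCOMPLETE = "Incomplete"


@dataclass(frozen=True)
class Component:
    """A reusable component: the tasks it already covers and the tasks it
    forces the consuming project to address. Hypothetical shape, not the
    SD Elements data model."""
    name: str
    mark_complete: frozenset
    mark_incomplete: frozenset


def apply_component(project_tasks, component):
    """Reconcile a project's task list with a component.

    project_tasks maps task id -> Status for the tasks relevant to the project.
    Rules, as described in the release notes:
      * tasks in the component's Mark as Complete list that are also relevant
        to the project are set to Complete (unrelated tasks are never added);
      * tasks in the Mark as Incomplete list are added if absent, and set to
        Incomplete either way.
    Assumption: a task listed in both sets ends up Incomplete, because the
    Incomplete pass runs last (the page does not define this case).
    Returns the updated task map and a log of every change, so the status
    flips can be audited rather than silently trusted.
    """
    updated = dict(project_tasks)  # never mutate the caller's map
    log = []

    # Pass 1: Mark as Complete, restricted to tasks already in the project.
    for task in sorted(component.mark_complete & set(updated)):
        if updated[task] is not Status.COMPLETE:
            log.append((task, updated[task].value, Status.COMPLETE.value))
            updated[task] = Status.COMPLETE

    # Pass 2: Mark as Incomplete, adding missing tasks and downgrading existing ones.
    for task in sorted(component.mark_incomplete):
        before = updated.get(task)
        if before is not Status.INCOMPLETE:
            log.append((task, before.value if before else None, Status.INCOMPLETE.value))
            updated[task] = Status.INCOMPLETE

    return updated, log


# Constructed sample data (task ids invented for this example, not from the page).
AUTH_SERVICE = Component(
    name="internal-auth-service",
    mark_complete=frozenset({"T1-password-storage", "T9-not-in-project"}),
    mark_incomplete=frozenset({"T3-token-rotation", "T5-session-timeout"}),
)

PROJECT_TASKS = {
    "T1-password-storage": Status.INCOMPLETE,
    "T2-input-validation": Status.INCOMPLETE,
    "T5-session-timeout": Status.COMPLETE,
}


def demo():
    """Apply the sample component to the sample project."""
    return apply_component(PROJECT_TASKS, AUTH_SERVICE)


if __name__ == "__main__":
    tasks, changes = demo()
    for task, status in sorted(tasks.items()):
        print(f"{task}: {status.value}")
    for task, before, after in changes:
        print(f"changed {task}: {before} -> {after}")
```

Running it shows the two points worth checking in any such automation: T9, which the component covers but the project never needed, is not pulled into the project, and T5, which the project had already marked Complete, is pushed back to Incomplete because the component demands it, with that downgrade recorded in the change log.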
Custom Component setup
Custom Component placement in the survey
Gaining buy-in from internal stakeholders is difficult without supporting data that demonstrates current and potential software security and compliance issues in your portfolio and the progress of your security program.
SD Elements’ new advanced reporting capabilities give users the power to answer the “data need of the hour” by quickly creating custom reports or by starting with pre-built report templates. Need to know the most prevalent threats and weaknesses across your portfolio? Or the status of compliance with a particular risk policy across projects? You can now find the answers faster than ever before. Our new reporting capabilities let users dive into the real-time status of software security and compliance across the portfolio and share data analyses in a visual, easy-to-interpret format across different functions or departments. Sample reports are also available so that teams can quickly export and integrate SD Elements data into external reporting systems.
Pre-built report templates
Custom report with data visualization
How It Works
In advanced reports, users can select dimensions or attributes from various objects such as applications, problems, tasks, and components. Examples of attributes users can analyze are application name, application risk compliance status, and task status. Users can then select the measures, or quantitative metrics, such as task count and project compliance count, by which the dimensions will be tallied or summarized. Dimensions can be filtered to narrow down the results, which can be visualized as a table, a single number, a pie chart, or a bar chart.
Other New Product Content
Updates to the Content Library in SD Elements 2022.2 include:
- Support for infrastructure as code (IaC) security: IaC automates the provisioning, configuration, and management of infrastructure through formatted, machine-readable files or templates. SD Elements now equips developers and DevOps teams with the knowledge to securely use Terraform tools to automate the provisioning, configuring, and management of infrastructure when they need it. These security recommendations are offered in the form of tasks and just-in-time training (JITT) modules.
- NIST Secure Software Development Framework (SSDF) support: The President’s Executive Order (EO) 14028, “Improving the Nation’s Cybersecurity,” issued on May 12, 2021, charges multiple agencies, including NIST, with enhancing cybersecurity through a variety of initiatives related to the security and integrity of the software supply chain. In response, NIST has revised the SSDF to enable software producers, such as commercial-off-the-shelf (COTS) product vendors, government-off-the-shelf (GOTS) software developers, contractors, and other custom software developers, to follow the recommended actions or outcomes in secure software development practices to meet the objectives of EO 14028. SD Elements helps you incorporate SSDF guidelines (NIST SP 800-218) into your software development lifecycle to enhance the security and integrity of the software supply chain. Our platform also provides evidence of completion of the recommended controls in NIST SP 800-218.
- The California Privacy Rights Act of 2020 (CPRA): The California Privacy Rights Act (CPRA) applies to businesses that:
  - Have annual revenue of 25 million dollars or higher, or
  - Process the personal information of 100K or more California residents/devices, or
  - Derive 50% of their revenue from Californians’ personal information.
  CPRA will take effect on January 1, 2023. CPRA amends and enhances the California Consumer Privacy Act (CCPA). The new content in SD Elements provides guidelines for compliance with CPRA in the form of additional requirements based on the California Civil Code for consumer privacy. A new compliance report that maps privacy tasks to the California Civil Code (CPRA and CCPA) is also now available in 2022.2. Developers and privacy officers of any company with the above characteristics will benefit from the new content in SD Elements.
- Privacy content and privacy score improvements: We clarified the role of the different personas (for example, controllers, processors) and the required evidence of completion for the different tasks for all privacy content in the SD Elements content library. We also revised and reviewed the task score of the relevant privacy tasks based on a Security Compass-defined framework.
Integration with Black Duck® Software Composition Analysis
Forrester reports that 75% of all code bases consist of open-source code. Millions of open source projects are available online in code repositories and are stacked on top of one another to build modern development pipelines, which can create a myriad of security issues.
To this end, we’ve expanded our integration ecosystem by adding an integration with the Black Duck® software composition analysis (SCA) tool from Synopsys. Through this automated integration, SD Elements simplifies the validation of security control implementation for security and software development teams, helping to minimize the risks associated with open source and other third-party software.
How It Works
This new integration connects SD Elements to a customer’s Black Duck instance so that users can request a scan from within SD Elements, either manually or on a schedule. A scan request from a project in SD Elements triggers an API call to Black Duck to retrieve the latest scan results pertinent to the project. Scan results are then automatically synced and mapped to the project tasks generated by SD Elements that relate to open-source and third-party libraries. At any time, SD Elements users can review the total number of vulnerabilities found across all components and break them down by severity. For the details of each vulnerability found, the results include a link that takes users to the corresponding results within Black Duck.
Results of Black Duck integration in SD Elements
New Just-in-Time Training
Just-in-time training micromodules in SD Elements 2022.2 allow users to receive bite-sized chunks of highly relevant security training without disrupting their workflow. These micromodules have been mapped to the built-in SDE tasks and can be delivered directly within issues sent to issue trackers.
In the SD Elements 2022.2 release, 114 new just-in-time training micromodules have been added to SD Elements, covering topics such as OWASP Top 10 2021, Defending Angular, OAuth, and OpSec Fundamentals. As a result, SD Elements has over 600 micromodules that cover a wide variety of secure coding, secure design, cloud, and compliance topics.
To learn more about the newest capabilities of SD Elements, register for our webinar on Tuesday, June 28th, at 1pm EDT. See a demo of these new features and ask the product experts all of your questions. Reserve your spot today!