Identify and Mitigate Software Threats Faster with New SD Elements Threat Modeling and Advanced Reporting Capabilities
At Security Compass, we continue to enhance our SD Elements developer-centric threat modeling platform.
We designed SD Elements to use a developer-centric software threat modeling process so software teams can quickly take an automated approach to threat modeling right at the beginning of their development cycle — without requiring the expertise of a security expert. Organizations with dedicated application security teams also benefit from the SD Elements automated, developer-centric threat modeling approach, because it frees up application security experts from the more tedious and manual aspects of threat modeling. They can instead focus on more sophisticated attacks and threats, as well as focus on scaling software threat modeling, secure development, and compliance best practices across their organization’s entire software portfolio.
New features now available in SD Elements 2022.3 make it easier than ever before for software developers to see software (application) security threats, where they exist, and exactly where to implement countermeasures to mitigate the threats. New dashboards enable application security teams to identify the most prevalent threats and weaknesses across the organization’s software portfolio, as well as perform in-depth analyses of their software security and compliance posture both per-project as well as across their entire software (or application) portfolio. New and updated security content, just-in-time training modules, and eLearning courses demonstrate Security Compass’ commitment to ensuring software developers have the training and knowledge required to effectively protect their organizations from emerging, as well as existing, application security threats.
These new capabilities in SD Elements help software development and application security teams:
- Improve collaboration between security, software development, hardware engineering, and DevOps teams
- Improve developer productivity
- Obtain visibility into the security and compliance state of software across an organization’s entire software portfolio
- Reduce time and costs associated with demonstrating compliance with multiple security standards and regulations
Updated Threat Model Diagrams & Terminology
When a software (or application) threat is identified, just knowing what the threat is isn’t enough. Software development and application security teams need to know not just what the threat is, but where the threat is and the remediation priority, as well as where and how to implement required countermeasures. However, since most software developers are not experts in threat modeling and software security, identifying and prioritizing threats and knowing where they reside and how to implement appropriate countermeasures based on industry best practices can be challenging. Application security experts can help, but in most organizations, application security experts are spread thin, making it hard for software developers to know exactly what they need to do in order to properly remediate software threats as a part of their development workflow.
By surfacing threats directly in threat model diagrams, SD Elements now makes it easier than ever before for developers to understand where threats reside so they can better understand not only the threat itself, but also the countermeasures they need to implement to remediate the threat. Since SD Elements surfaces threats directly in threat model diagrams, application security and software development teams can now quickly see threats specific to the project and its components displayed in a side panel on the diagram canvas, as well as review the threats on a new Threats list page specific to the project. These new capabilities help software development and application security teams better understand not only where the threat exists, but also where the countermeasure should be applied.
In addition, the default language used for threat modeling in SD Elements 2022.3 has also been updated to align more closely with language used in the software security industry. For example, instead of “Problems” and “Tasks,” the default language in SD Elements is now “Threats,” “Weaknesses,” and “Countermeasures” (“Weaknesses” replaces “Problems,” and “Countermeasures” replaces “Tasks”).
“Problems” and “Tasks” terminology in SD Elements prior to SD Elements 2022.3
New “Threats,” “Weaknesses,” and “Countermeasures” terminology in SD Elements 2022.3
This change means SD Elements now uses language that is more relevant to both security and software development teams, and will make it easier for teams to collaborate, measure, and report on the success of their threat modeling programs.
New Customizable Dashboards
Releasing vulnerable software can negatively impact brand reputation, customer trust, and an organization’s bottom line. Business leaders and the board understand the importance of managing application security risk. However, software development and application security leaders often struggle to articulate how their software threat modeling and secure development activities measurably reduce business risk.
Teams can spend hours trying to manually compile the threat, security, and compliance data from multiple sources. Aggregating data and massaging it into reports that show the maturity and effectiveness of an application’s security profile to business executives and the board can take hours or days more. And time spent manually compiling and generating reports means less time spent building new product capabilities, further hardening application security, and addressing technical debt.
SD Elements Advanced Reporting makes complex threat, countermeasure, security control, and compliance data accessible and easy to digest. The highly configurable Advanced Reports capabilities (first released in SD Elements 2022.2), combined with the new customizable dashboards available in SD Elements 2022.3, make it easier than ever before for software development and application security teams to track the state of their software security program. Teams can create rich data visualizations and dashboards that identify the most prevalent threats and weaknesses across the organization’s software portfolio. Teams also have the data, reporting, and analytics capabilities they need to perform in-depth analyses of their software security and compliance posture for individual software projects, as well as across their entire software (or application) portfolio.
New Security Content
SD Elements 2022.3 also now provides the following security content library updates:
- Infrastructure as Code (IaC): SD Elements continues to enhance its support for infrastructure as code (IaC) by now providing recommended security controls (countermeasures) and guidelines (how-tos or additional requirements for tasks) for software developers working on DevSecOps teams using Ansible.
- Automotive security: For companies that develop software for the automotive industry and are concerned with cyber risks and threats associated with connected vehicles, new automotive supply chain (UNECE WP.29 / R155) security content is now available.
- U.S. federal government: For organizations that develop software for the U.S. federal government, SD Elements now provides new content for the Control Correlation Identifier (CCI) framework. For organizations that must meet U.S. federal government security requirements in accordance with Executive Order 14028, “Improving the Nation’s Cybersecurity,” SD Elements now provides new content for Security Measures for EO-Critical Software Use and new content for Guidelines on Minimum Standards for Developer Verification of Software (NISTIR 8397), which maps the threat modeling standard recommended by NIST to verification tasks in SD Elements. Vendors who supply software to the U.S. federal government can use this report to show they are performing threat modeling according to the NIST guidelines.
New Micro Focus Fortify On Demand Integration
Vulnerability scans are a critical part of ensuring software (or application) security and compliance requirements are met. All organizations that develop software must have clear visibility into any vulnerabilities and weaknesses in their code in order to manage risk effectively.
Many organizations use security testing tools to detect and report on weaknesses in code, and SD Elements already integrates with many static application security testing (SAST), dynamic application security testing (DAST), and software composition analysis (SCA) tools.
New in SD Elements 2022.3 is an integration with Micro Focus Fortify on Demand, a cloud-based security-as-a-service solution from Micro Focus that can quickly scan, assess, and report on the security of applications.
Mapping test results from Micro Focus Fortify on Demand back to required threat countermeasures and security controls in SD Elements to verify that security requirements have been met can be a manual, time-consuming process. And receiving results from testing tools late in the software development process can lead to unwelcome surprises and delayed release cycles.
However, the new SD Elements Micro Focus Fortify on Demand integration enables application security and software development teams who use both SD Elements and Micro Focus Fortify on Demand to automatically view application security assessment results from Fortify on Demand within SD Elements, as well as verify security requirements identified and tracked by SD Elements based on Fortify on Demand assessment results. Findings from Fortify on Demand assessments are automatically retrieved and mapped to security requirements within SD Elements.
Note: SD Elements already integrates with many other Micro Focus products, including Micro Focus Application Lifecycle Management (ALM), Micro Focus Fortify Software Security Center, Micro Focus Fortify WebInspect, and Micro Focus Fortify Static Code Analyzer.
Just-in-Time Training (JITT) Updates
New just-in-time training micromodules have been added in SD Elements 2022.3 for Terraform (IaC) and the PCI Software Security Framework (SSF). For a complete list of the 800+ JITT micromodules now available within SD Elements, please see Security Compass Training Curriculum. (If you do not currently have a JITT subscription and would like to learn more, please contact Customer Success.)
New eLearning Courses
The following Security Compass eLearning courses are also now available:
- OWASP Top 10 (2021)
- OAuth Security Fundamentals
- Defending Terraform
- PCI SSF Compliance
To learn more about these new courses, as well as the more than 40 other eLearning courses covering application security, operational security, and compliance fundamentals and best practices, visit www.securitycompass.com/training/.
The new SD Elements 2022.3 release helps organizations that develop software save time and money and reduce cyber risks by taking an automated, developer-centric approach to software threat modeling, secure development, and compliance. This approach enables software developers and security teams to:
- Continuously model threats at scale
- Proactively write code that significantly reduces risks and remediation costs
- Demonstrate compliance with secure software development standards more easily
- Accelerate software time to market
If you are a current SD Elements customer, watch the SD Elements 2022.3 Release Overview video or reach out to your Customer Success Manager to learn more.
If you are new to SD Elements, request a demo to learn more.