Enhancing the Developer-centric Threat Modeling and Secure Development Experience
Product security is a value add. Embedding product security throughout the software development lifecycle (SDLC) is frequently a top-down mandate within many organizations. The key drivers are cost savings and competitive advantage, since it minimizes the number of vulnerabilities that reach customers once a product ships.
Software threat modeling and secure development are ideal ways for organizations to address product security early in the SDLC. However, manual approaches can take weeks to months to complete and increase the chances of misidentifying possible vulnerabilities. This adds another friction point for developers trying to hit their release goals.
Security Compass has developed SD Elements, a developer-centric, automated approach to threat modeling and secure development. SD Elements allows developers to release secure code faster by automatically identifying and prioritizing software threats, recommending countermeasures, and reducing the risk of insecure design. The time savings can be months when comparing SD Elements to traditional (manual) processes. With the release of SD Elements 2023.1, Security Compass is making security by design easier than ever before for software development and application security teams. New features now available in SD Elements 2023.1 include the ability to:
- Import threat model diagrams from Microsoft Threat Modeling Tool and Diagrams.net (formerly Draw.io)
- Customize built-in reusable components
- Specify new granular permissions in advanced reporting
- Provide deeper integrations with identity providers
New and updated developer-centric security content, just-in-time training modules, and eLearning courses also demonstrate Security Compass’ commitment to ensuring software developers have the training and knowledge required to effectively protect their organizations from emerging and existing application security threats and vulnerabilities in production.
These new capabilities in SD Elements help software development and application security teams:
- Enhance collaboration between application security and software development teams
- Improve developer productivity and deliver secure code faster
- Ensure segregation of duties and stronger access controls on data accessibility
- Reduce time and costs associated with demonstrating compliance with multiple security standards and regulations
- Improve user onboarding and the user experience
Updated Threat Model Diagrams
Threat modeling is becoming more common as organizations recognize the risks of connecting their infrastructure and devices to the internet. Visually representing threat models through diagrams makes it easier for organizations to identify design flaws and potential vulnerabilities. However, diagrams contain highly sensitive data about an organization’s infrastructure and applications, so they must be stored in a secure, centralized location.
SD Elements now supports importing Microsoft Threat Modeling Tool and Diagrams.net (formerly Draw.io) diagrams. With the new upload feature and the diagram formats it supports, SD Elements can now be the secure, centralized repository for diagrams, threats, weaknesses, and countermeasures. This release eliminates the need to store diagrams in multiple locations and allows organizations to migrate away from manual threat modeling processes to an automated, developer-centric solution.
Reusable Components Enhancements
Internal security policies, industry regulations, and privacy laws are all standards organizations must abide by. Their threat modeling solution should make this as easy as possible.
Organizations can create, customize, and reuse components to model their microservices architecture with SD Elements. However, prior to this release they could not customize SD Elements’ built-in components.
Organizations can now modify SD Elements built-in components to meet the specific needs of their development and application security teams. This enhancement to reusable components simplifies the work required for organizations to satisfy their internal security requirements, industry regulations, and privacy laws. It also reduces the need for security teams to create and model reusable components in SD Elements.
Advanced Reporting Enhancements
Prior to the SD Elements 2023.1 release, access to data in SD Elements could not be granted to users based on their role. Users either had access to all data or no data.
The new granular permissions in SD Elements enable limiting data access levels within advanced reporting. SD Elements administrators can now ensure users have access to only the data needed for their role. For end users, the enhancement makes it easier to generate reports, as they can only see and access the data needed for their role.
Updated Identity Provider Integration
In prior versions of SD Elements, there were limitations with onboarding and managing user identities between SD Elements and an organization’s identity providers (IdPs). Support for user management at the group level was also not available. For example, for a newly provisioned user to receive the same level of permissions as their team, the SD Elements administrator had to manually grant them the proper access levels. This created a sub-optimal experience for the new employee, the employee’s manager, the IdP administrator, and the SD Elements administrator.
With the SD Elements 2023.1 release, importing groups and roles from identity providers is now supported. The new functionality works with SD Elements’ current Single Sign-On (SSO) authentication, extending SD Elements SAML configurations, via API, with the ability to map IdP groups to SD Elements groups and IdP roles to SD Elements roles. This enhancement streamlines and improves the SD Elements onboarding process, user management, and the user experience. To learn more about SD Elements’ 35+ integrations, covering application security software, DevOps tools, infrastructure, and issue trackers, visit the SD Elements Integrations page.
New Security Content
SD Elements 2023.1 now provides the following security content library updates:
- Payment Card Industry Data Security Standard (PCI-DSS) v4.0: New developer-centric recommendations and out-of-the-box countermeasures for how to satisfy PCI-DSS v4.0 requirements
- Cybersecurity Maturity Model Certification (CMMC) 2.0: New compliance report with mapped tasks for developers to demonstrate compliance with CMMC 2.0 for Levels 1 and 2
Just-in-Time Training (JITT) Updates
New just-in-time training micromodules have been added in SD Elements 2023.1 for Securing the Cloud. For a complete list of the 800+ JITT micromodules now available within SD Elements, please see Security Compass’ Training Curriculum. (If you are a current SD Elements customer, but do not currently have a JITT subscription and would like to learn more, please contact Customer Success or Book a Demo.)
New eLearning Courses
The following Security Compass eLearning courses are now available:
- Defending Go
- Defending Typescript
- PCI-DSS v4.0
- Secure Software Acceptance and Deployment
To learn more about these new courses, as well as the 40+ other eLearning courses covering application security, operational security, and compliance fundamentals and best practices, visit the Application Security Training page.
The new SD Elements 2023.1 release helps organizations that develop software save time and money and reduce cyber risk by taking an automated, developer-centric approach to software threat modeling, secure development, and compliance. This approach enables software developers and security teams to:
- Continuously model threats at scale
- Proactively write code that significantly reduces risks and remediation costs
- Demonstrate compliance with secure software development standards more easily
- Accelerate software time to market
If you are a current SD Elements customer, please reach out to your Customer Success Manager to learn more.
If you are new to SD Elements, request a demo to learn more.