Creating and implementing a secure application development process can be challenging. There are so many project-specific vulnerabilities and requirements that it is hard to cover everything at the outset. Many organizations try to identify security defects early with code scanning (Static Analysis Security Testing, or SAST). Their goal is to catch and fix security errors before releasing their software. However, one of the challenges organizations experience is managing the results delivered by SAST and DAST tools. The often unreliable results produced by code scanners can limit organizations’ ability to scale their programs to a large number of applications.
The Problem with Scanners
A major financial institution experienced this problem first-hand while onboarding applications into their SAST program. They found themselves struggling to manage a large number of scanner results. The scanners often missed critical issues and produced false alarms. In addition, the limited availability of people with the necessary skills made it difficult to keep up with the workload. A single employee could only onboard 111 applications into the program per year, which meant that scaling the program would tie up valuable resources. In general, it was difficult for them to streamline their application security process and integrate it with an agile development workflow.
Scaling Threat Modeling Activities is Hard
When this major financial institution began creating a threat modeling program, they wanted the activity to scale to a large number of applications, without all the overhead and unanticipated work that they experienced with their SAST program.
To onboard applications faster, the organization adopted and implemented SD Elements. This platform enabled automated threat modeling and built security requirements into their application security program. A single employee was able to onboard 240 applications in 4 months (while only spending half of their time on it). The initial run was so successful that they eventually onboarded 1500 high-risk applications and made it part of their standard development process. SD Elements scaled over 12x faster than their static analysis program.
About Security Compass
Security Compass, a leading provider of cybersecurity solutions, enables organizations to shift left and build secure applications by design, integrated directly with existing DevSecOps tools and workflows. Its flagship product, SD Elements, allows organizations to balance the need to accelerate software time-to-market while managing risk by automating significant portions of proactive manual processes for security and compliance. SD Elements is the world’s first Balanced Development Automation platform. Security Compass is the trusted solution provider to leading financial and technology organizations, the U.S. Department of Defense, government agencies, and renowned global brands across multiple industries. The company is headquartered in Toronto, with offices in the U.S. and India. For more information, please visit https://www.securitycompass.com/