SI Secure


Secure Design Solutions

Security Innovation offers multiple offerings at the design phase, including:

  • Attack Surface Analysis
  • Attack Surface Reduction
  • Design Review
  • Threat Modeling
  • TeamMentor Guidance System
  • Training - Architecting Secure Solutions

Attack Surface Analysis (ASA) and Attack Surface Reduction (ASR)
Attack Surface Analysis and Attack Surface Reduction involve breaking down your code into “attack surfaces” and then reducing the exposed attack surface, which lowers the chances of an attacker exploiting a defect in the exposed code. An “attack surface” is simply the aggregation of code, interfaces, services, and protocols that are exposed to users. Once the attack surface has been determined, the goal is to reduce it to an acceptable level.

Code whose attack surface cannot be reduced to an acceptable level will need even more scrutiny to ensure extremely high quality. The advantage of this analysis is that it identifies the code that needs more thorough inspection instead of assuming all code needs the same level of inspection. The results of our ASR service will determine:

  • the set of critical features
  • who needs to have access to what
  • what privileges the code needs to accomplish its goal

Applications that are not subjected to ASA/ASR are released with extraneous features that may contain vulnerabilities. When exploits are released for these vulnerabilities, the damage may be worse than it would be after an ASA/ASR, because the code grants access and privileges to a wider population than necessary.
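The following is an added illustration, not Security Innovation's tooling or methodology, of what the two ASR steps described above look like when carried out over a feature inventory. It assumes an invented manifest schema (entry point, interface, protocol, whether it is reachable unauthenticated, the privilege the handling code is granted, the privilege it actually needs, and whether the feature is critical) and invented scoring weights; the sample application inventory is constructed for the example.

```python
"""Toy attack-surface inventory and reduction (added example; schema and weights are assumptions).

Step 1 of ASR drops extraneous (non-critical) features entirely.
Step 2 re-grants each remaining entry point only the privilege its code needs.
Whatever remains exposed and still scores high is the code that needs deeper review.
"""
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class EntryPoint:
    name: str
    interface: str         # e.g. "http", "rpc", "file" (assumed vocabulary)
    protocol: str
    unauthenticated: bool  # reachable without logging in
    granted: str           # privilege the handling code currently runs with
    required: str          # privilege the code actually needs for its job
    critical: bool         # is the feature essential to the product?


# Assumed weights: higher privilege and anonymous reachability widen exposure.
PRIV_WEIGHT = {"user": 1, "service": 2, "admin": 4}


def exposure_score(ep: EntryPoint) -> int:
    """Exposure of one entry point: privilege weight, doubled if unauthenticated."""
    score = PRIV_WEIGHT[ep.granted]
    return score * 2 if ep.unauthenticated else score


def total_exposure(manifest) -> int:
    """Aggregate exposure of everything reachable by users."""
    return sum(exposure_score(ep) for ep in manifest)


def reduce_surface(manifest):
    """ASR step 1: remove non-critical features so their code is no longer exposed."""
    return [ep for ep in manifest if ep.critical]


def apply_least_privilege(manifest):
    """ASR step 2: grant each remaining entry point only the privilege it requires."""
    return [replace(ep, granted=ep.required) for ep in manifest]


def overprivileged(manifest):
    """Entry points whose code holds more privilege than it needs."""
    return [ep.name for ep in manifest
            if PRIV_WEIGHT[ep.granted] > PRIV_WEIGHT[ep.required]]


def needs_deep_review(manifest, threshold: int = 4):
    """Residual surface that cannot be reduced further and so needs extra scrutiny."""
    return [ep.name for ep in manifest if exposure_score(ep) >= threshold]


def run_asr(manifest) -> dict:
    """Run both reduction steps and summarise before/after exposure."""
    residual = apply_least_privilege(reduce_surface(manifest))
    kept = {ep.name for ep in residual}
    return {
        "before": total_exposure(manifest),
        "after": total_exposure(residual),
        "removed": [ep.name for ep in manifest if ep.name not in kept],
        "review": needs_deep_review(residual),
    }


# Constructed sample inventory for a fictional web application.
MANIFEST = [
    EntryPoint("login", "http", "HTTPS", True, "service", "service", True),
    EntryPoint("password_reset", "http", "HTTPS", True, "admin", "service", True),
    EntryPoint("debug_console", "http", "HTTP", True, "admin", "admin", False),
    EntryPoint("report_export", "http", "HTTPS", False, "user", "user", True),
    EntryPoint("legacy_soap_api", "rpc", "SOAP", False, "service", "service", False),
    EntryPoint("log_upload", "file", "SMB", False, "service", "user", True),
]

if __name__ == "__main__":
    print("over-privileged:", overprivileged(MANIFEST))
    print(run_asr(MANIFEST))
```

Running the script on the constructed manifest shows the exposure total falling from 25 to 10: the debug console and the legacy SOAP API are dropped as extraneous features, password reset and log upload are brought down to the privilege they need, and the two remaining unauthenticated entry points (login and password reset) are the ones left for thorough inspection.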

Design Review
The purpose of a design review is to discover and recommend remediation for design-level vulnerabilities. One of the benefits of a design review is that it identifies potential problems in the as-designed or as-implemented system architecture. The Security Innovation Design Review provides an analysis of the application architecture and structure from a security standpoint, and provides the necessary feedback for the architects to adjust the design as necessary for maximum security and usability.

The result of the design review is a collection of recommendations to secure the product and features defined, delivered as a report and presented to the architecture team. The Design Review also helps guide test planning activities, as it helps the development team identify weak or vulnerable areas in the application architecture.

Threat Modeling
Of all the activities performed throughout the SDL, threat modeling may have the single greatest impact. Performed early in the lifecycle, it will identify security flaws before code is ever committed, thus reaping cost savings through early detection.

Threat modeling examines your application and/or its environment from a high-level perspective and identifies the most critical risks in to-be-developed software. This enables development, IT and management teams to make more informed security decisions throughout the development lifecycle. Threat modeling will establish security dependencies and interdependencies that help you determine how to combine your defenses to achieve a more cost-effective strategy and eliminate ineffective mitigation techniques.

Security Innovation has the security and secure development expertise to produce highly accurate and effective threat models regardless of your environment. Once the threat model is complete, it can be used to review the design or code, to test the application for the presence of threats and vulnerabilities, and to ensure the application is constructed in such a way as to protect against the array of most likely and most damaging threats.

TeamMentor - Secure Coding Guidance System
TeamMentor™ is a sophisticated application security guidance system that delivers the collected experience of Security Innovation engineering to development teams of all sizes. In a wiki-like format, it provides on-demand, task-based collections of secure design and development knowledge, guidance and libraries to specific practitioners at the appropriate lifecycle phase, helping the entire team build more secure applications.

Training

Architecting Secure Solutions
This course discusses the four basic tenets of software security: Integrity, Availability, Privacy and Confidentiality. It highlights the need for them in the development process and sets the stage for specific techniques and technologies that enable secure software development.