SDL Consulting
Implementing a successful SDL program requires organizations to internalize security
and create a repeatable SDL process. Our software security experts will analyze your existing
SDL and identify key points within the
process to integrate new or refine existing security checkpoints. This
gives your development team a repeatable and effective process that
incorporates security into each phase of the security development
lifecycle.
Requirements Phase
Requirements Review
The Security Innovation Requirements Review scrutinizes each
requirement from a security perspective and highlights those that
would lead to exposures in the deployed product. Each requirement is
examined from an "abuse case" perspective (how could a hostile user
misuse this capability?), and the review defines the additional
capabilities the product needs to satisfy the requirement securely.
The result of the requirements review is a collection of recommendations
to secure the product and the features defined, delivered as a
written report and presented live to the requirements management team.
Design Phase
Design Review
The Security Innovation Design Review provides an analysis of the
application architecture and structure from a security standpoint and provides the necessary
feedback to architects so they can adjust the design as necessary for
maximum security and usability. The result of the design review is a
collection of recommendations to secure the product and features
defined.
Attack Surface Analysis (ASA) and Attack
Surface Reduction (ASR)
Attack Surface Analysis and Reduction revolve around enumerating your
product's "attack surface" and then shrinking what is exposed, so that
fewer defects are reachable by an attacker. An "attack surface" is
simply the aggregation of code, interfaces, services, and protocols
that are exposed to users, and therefore to attackers. Once the attack
surface has been determined, the goal is to reduce it to an acceptable
level.
Code whose attack surface cannot be reduced to an acceptable level
needs even more scrutiny to ensure it is of extremely high quality. The
advantage of this analysis is that it identifies the code that needs
more thorough inspection, instead of assuming all code needs the same
level of inspection. The results of our ASR service determine:
- whether a feature is truly important
- who needs to have access to what
- what privileges the code needs to accomplish its goal
In contrast, most applications that are not subjected to ASA/ASR
are released with extraneous features that may themselves contain
vulnerabilities. Further, when exploits are released for these
vulnerabilities, the damage is worse than it would have been after an
ASA/ASR, because the code grants access and privileges to a wider
population than necessary.
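The following is an added example, not Security Innovation's own method or tooling, of how the three ASR questions above can be applied to an inventory of entry points: drop features nobody needs, narrow who can reach the rest, run each with the privilege it actually needs, then rank what remains so the highest-residual-exposure code gets the deepest inspection. The exposure and privilege weights, the entry-point names and their attributes are all assumptions constructed for the illustration.

```python
from dataclasses import dataclass, replace
from typing import Optional

# Assumed scoring scheme for this illustration (not a published standard):
# how broad a population can reach an entry point, and how much the code
# behind it can do if it is subverted.
EXPOSURE_WEIGHT = {"anonymous": 4, "authenticated": 3, "admin": 2, "local": 1}
PRIVILEGE_WEIGHT = {"system": 3, "service": 2, "user": 1}


@dataclass(frozen=True)
class EntryPoint:
    """One exposed interface, service or protocol handler in the inventory."""
    name: str
    exposure: str         # population that can reach it today
    privilege: str        # privilege its code currently runs with
    required: bool        # is there a documented use case for the feature?
    needed_by: str        # narrowest population that actually needs access
    needs_privilege: str  # least privilege the code needs to do its job


def weight(ep: EntryPoint) -> int:
    """Contribution of one entry point to the total attack surface."""
    return EXPOSURE_WEIGHT[ep.exposure] * PRIVILEGE_WEIGHT[ep.privilege]


def reduce_entry_point(ep: EntryPoint) -> Optional[EntryPoint]:
    """Apply the three ASR questions to one entry point.

    Returns None when the feature has no documented use and should be
    removed outright; otherwise returns the entry point narrowed to the
    population that needs it and the privilege it needs."""
    if not ep.required:
        return None
    return replace(ep, exposure=ep.needed_by, privilege=ep.needs_privilege)


def analyze(inventory):
    """Score the surface before and after reduction and rank the residue so
    reviewers know which code needs the most thorough inspection."""
    before = sum(weight(ep) for ep in inventory)
    removed, kept = [], []
    for ep in inventory:
        reduced = reduce_entry_point(ep)
        if reduced is None:
            removed.append(ep.name)
        else:
            kept.append((ep.name, weight(ep), weight(reduced)))
    after = sum(new for _, _, new in kept)
    # Stable sort: highest residual weight first, ties keep inventory order.
    inspect_first = [name for name, _, new in sorted(kept, key=lambda k: -k[2])]
    return {"before": before, "after": after, "removed": removed,
            "changes": kept, "inspect_first": inspect_first}


# Constructed inventory for a hypothetical web application; the names and
# attributes are made up for this example.
SAMPLE_INVENTORY = [
    EntryPoint("login", "anonymous", "user", True, "anonymous", "user"),
    EntryPoint("password_reset", "anonymous", "service", True, "anonymous", "service"),
    EntryPoint("admin_console", "authenticated", "system", True, "admin", "service"),
    EntryPoint("file_upload", "anonymous", "service", True, "authenticated", "user"),
    EntryPoint("legacy_debug_rpc", "anonymous", "system", False, "local", "user"),
    EntryPoint("health_check", "local", "user", True, "local", "user"),
]

if __name__ == "__main__":
    result = analyze(SAMPLE_INVENTORY)
    print(f"attack surface: {result['before']} -> {result['after']}")
    print("remove:", ", ".join(result["removed"]))
    for name, old, new in result["changes"]:
        print(f"  {name:18s} {old:2d} -> {new:2d}")
    print("inspect first:", ", ".join(result["inspect_first"]))
```

On the constructed inventory the undocumented debug RPC is removed, the admin console and upload handler lose both reach and privilege, and the password-reset handler, which must stay anonymous and keep its service privilege, tops the inspection list: it is exactly the code the text says cannot be reduced and therefore needs the closest review.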
Implementation Phase
Code Review
A code review discovers implementation-level vulnerabilities
introduced during construction, and recommends remediation for those
coding errors. It provides an analysis of an existing codebase and
locates code constructs that lead to security vulnerabilities. Our
expert security team employs a combination of static analysis tools
and “eyes on” manual review to uncover the highest number of flaws
possible. Code reviews may be executed against applications written in C, C++,
C#, VB, VB.Net, and a myriad of web technologies
including Ruby, PHP, AJAX, and Perl.
The result of a code review is a detailed report outlining code
issues and suggested repairs for improved security. This allows the
development team to better understand the problem areas of their
code and prevent common logic errors and other mistakes in the
future.
Verification Phase
Test Plan Review
The Security Innovation Test Plan Review provides an analysis of the
tests and techniques used to qualify the security of an application
under development. The test plan is considered as a whole to determine
the overall security testing capability of an organization, and each test in the plan is reviewed for
its ability to uncover specific security vulnerabilities associated with
the application area under test. The result of the Test Plan Review is a
collection of identified missing tests or tests that are poorly
implemented, and recommendations for change.
Penetration Testing / Run-Time Verification
Penetration testing is aimed at finding and exploiting
vulnerabilities that can be used to gain unauthorized access to the
application, the data it processes or the underlying operating
system on which each is hosted. Leveraging security testing techniques derived from our
top-selling book How to
Break Software Security, our security engineers will employ
proprietary manual attacks and specialized tools to uncover
vulnerabilities in your software.
Run-time verification is needed because some vulnerabilities do not
manifest until the application is running in an operational
environment. Alongside the security testing, we review the threat
models against the test results and re-evaluate the attack surface.
Release Phase
Deployment Assessment
The Security Innovation Deployment Assessment provides an
analysis of the security vulnerabilities that result from the
configuration of the web application and its deployment technology.
Our security team evaluates the ASP.NET deployment environment
and isolates configuration issues that lead to exposures. The
result of the deployment assessment is a collection of
identified exposures and recommendations to secure the deployment.
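As an added illustration of the kind of configuration issue such an assessment isolates (this is example code, not Security Innovation's tooling), the script below checks a web.config for a handful of well-known ASP.NET settings that expose a deployment: debug compilation, detailed errors shown to remote clients, remote tracing, cookies without the HttpOnly and Secure flags, session IDs carried in the URL, request validation switched off and the framework version header. The two config files it reads are constructed for the example; the first carries the weak settings, the second is the corrected equivalent.

```python
import xml.etree.ElementTree as ET

# Constructed sample web.config files; neither is taken from a real deployment.
WEAK_WEB_CONFIG = """
<configuration>
  <system.web>
    <compilation debug="true" targetFramework="4.8" />
    <customErrors mode="Off" />
    <trace enabled="true" localOnly="false" />
    <httpCookies httpOnlyCookies="false" requireSSL="false" />
    <sessionState cookieless="true" />
    <pages validateRequest="false" />
  </system.web>
</configuration>
"""

HARDENED_WEB_CONFIG = """
<configuration>
  <system.web>
    <compilation debug="false" targetFramework="4.8" />
    <customErrors mode="RemoteOnly" defaultRedirect="~/Error" />
    <trace enabled="false" />
    <httpCookies httpOnlyCookies="true" requireSSL="true" />
    <sessionState cookieless="UseCookies" />
    <pages validateRequest="true" />
    <httpRuntime enableVersionHeader="false" />
  </system.web>
</configuration>
"""


def _find(node, *tags):
    """Walk child elements by exact tag name (tags like system.web contain a dot)."""
    for tag in tags:
        node = next((child for child in node if child.tag == tag), None)
        if node is None:
            return None
    return node


def _setting(root, element, attribute, default):
    """Read system.web/<element>/@<attribute>, falling back to the ASP.NET default."""
    el = _find(root, "system.web", element)
    value = el.get(attribute, default) if el is not None else default
    return value.lower()


def assess_web_config(xml_text):
    """Return a list of (setting, why it is an exposure) findings."""
    root = ET.fromstring(xml_text.strip())
    findings = []

    if _setting(root, "compilation", "debug", "false") == "true":
        findings.append(("compilation/@debug",
                         "debug compilation is not meant for production; error pages carry source line numbers"))
    if _setting(root, "customErrors", "mode", "remoteonly") == "off":
        findings.append(("customErrors/@mode",
                         "detailed ASP.NET error pages (stack traces, file paths) are returned to remote clients"))
    if (_setting(root, "trace", "enabled", "false") == "true"
            and _setting(root, "trace", "localOnly", "true") != "true"):
        findings.append(("trace/@enabled",
                         "trace output (request data, server variables) is readable by remote clients"))
    if _setting(root, "httpCookies", "httpOnlyCookies", "false") != "true":
        findings.append(("httpCookies/@httpOnlyCookies",
                         "cookies lack HttpOnly, so client-side script can read the session cookie"))
    if _setting(root, "httpCookies", "requireSSL", "false") != "true":
        findings.append(("httpCookies/@requireSSL",
                         "cookies lack the Secure flag and can be sent over plain HTTP"))
    if _setting(root, "sessionState", "cookieless", "usedeviceprofile") in (
            "true", "useuri", "autodetect", "usedeviceprofile"):
        findings.append(("sessionState/@cookieless",
                         "session ID may be carried in the URL, where logs and Referer headers leak it"))
    if _setting(root, "pages", "validateRequest", "true") != "true":
        findings.append(("pages/@validateRequest",
                         "request validation is off for every page; output encoding is the only XSS defence left"))
    if _setting(root, "httpRuntime", "enableVersionHeader", "true") != "false":
        findings.append(("httpRuntime/@enableVersionHeader",
                         "X-AspNet-Version header advertises the framework version to attackers"))
    return findings


if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_WEB_CONFIG), ("hardened", HARDENED_WEB_CONFIG)):
        print(f"{label}: {len(assess_web_config(cfg))} finding(s)")
        for setting, why in assess_web_config(cfg):
            print(f"  {setting}: {why}")
```

Absent attributes are evaluated at their ASP.NET defaults, which is why the weak sample is flagged for the version header it never mentions: a deployment assessment has to reason about what the platform does when the configuration is silent, not only about what the file says.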