Software Assurance Business
The client asked for help determining the best method to assess web applications.
The client was a Cyber Security Service Provider that hosted many web servers on behalf of its customers.
The client wanted to ensure that all the web apps were secure before integrating them.
The client also worked with many different development teams that built web applications.
With no real mechanism for assessing web applications, this gap was huge.
Our recommendation was to design and integrate a holistic Software Assurance Business.
We designed and developed a Software Assurance (SwA) Business.
The new mission was to assess all web applications coming into the datacenter.
The industry definition of Software Assurance is the level of confidence that software functions as intended and is free of vulnerabilities, and that this is checked throughout the Software Development Life Cycle (SDLC).
At the time of design, there was no policy anywhere that mandated this capability.
The client relied on policies, guides, regulations, directives and other forms of documentation to determine how to run IT and Cybersecurity operations.
Because of this gap, the client had been missing software vulnerabilities in its web apps.
So by telling them they had to do this, we broke the mold and laid the road for proactive security.
The services involved the following:
- Assessing web apps in production;
- Assessing web apps in development and staging;
- Dynamic analysis of running applications;
- Static analysis of source code;
- Training for developers.
This spanned not only web applications but mobile applications as well.
Providing training was a big effort in delivering these cutting-edge services.
Not only did we have to educate and train developers, but also administrators, project managers, engineers, system owners, Information Assurance staff, and other leadership.
Thus we provided not only on-the-spot training but also developed a monthly battle rhythm. Group training in this environment was key.
As an added bonus, we implemented threat modeling too.
Threat modeling is a technique used to logically decompose a web application.
It maps the attack surface and identifies the impact and likelihood of each attack.
Threat modeling was reserved for huge apps with a large amount of functionality, on the scale of the Amazon web app.
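To make the threat modeling step concrete, here is an added example, not code from the case study or from the client's program, of the core of what a threat model produces: an attack-surface inventory, threats derived from it, and a likelihood × impact ranking. The endpoint inventory is constructed for a fictional app, and the derivation rules are illustrative heuristics (an unauthenticated sensitive function, untrusted parameters, an object identifier in the path) chosen for the example, not a standard; both scales run 1 to 5.

```python
# Added example (not the case study's own tooling): a minimal threat-model
# scorer. It takes a constructed inventory of a web app's HTTP endpoints,
# derives candidate threats from their properties using a few illustrative
# heuristics, scores likelihood and impact on a 1-5 scale, and ranks by
# risk = likelihood * impact so the riskiest surface gets reviewed first.
from dataclasses import dataclass
from typing import List, Tuple


@dataclass(frozen=True)
class Endpoint:
    """One entry point on the attack surface."""
    path: str
    method: str
    auth_required: bool
    handles_pii: bool = False
    admin_only: bool = False
    params: Tuple[str, ...] = ()  # user-controlled inputs


@dataclass(frozen=True)
class Threat:
    endpoint: str
    description: str
    likelihood: int  # 1 = rare .. 5 = almost certain
    impact: int      # 1 = negligible .. 5 = severe

    @property
    def risk(self) -> int:
        return self.likelihood * self.impact


def _clamp(score: int) -> int:
    """Keep a derived score inside the 1-5 scale."""
    return max(1, min(5, score))


def enumerate_threats(endpoints: List[Endpoint]) -> List[Threat]:
    """Derive threats from endpoint properties (illustrative heuristics)."""
    threats: List[Threat] = []
    for ep in endpoints:
        sensitive = ep.handles_pii or ep.admin_only
        # Heuristic 1: a sensitive function anyone can reach is worst case.
        if not ep.auth_required and sensitive:
            threats.append(Threat(ep.path,
                                  "Sensitive function reachable without authentication",
                                  likelihood=5, impact=5))
        # Heuristic 2: every user-controlled parameter is an input-handling
        # threat (injection, tampering); more likely when unauthenticated,
        # more damaging when PII or admin functionality sits behind it.
        if ep.params:
            likelihood = 4 if not ep.auth_required else 2
            impact = _clamp(2 + (2 if ep.handles_pii else 0)
                              + (1 if ep.admin_only else 0))
            threats.append(Threat(ep.path,
                                  f"Untrusted input via {', '.join(ep.params)}",
                                  likelihood, impact))
        # Heuristic 3: an authenticated PII endpoint keyed by a path
        # identifier needs per-record authorization (IDOR candidate).
        if ep.auth_required and ep.handles_pii and "{" in ep.path:
            threats.append(Threat(ep.path,
                                  "Object reference in path: check authorization per record (IDOR)",
                                  likelihood=3, impact=4))
    return threats


def rank_threats(endpoints: List[Endpoint]) -> List[Threat]:
    """Highest risk first; ties broken by endpoint then description."""
    return sorted(enumerate_threats(endpoints),
                  key=lambda t: (-t.risk, t.endpoint, t.description))


# Constructed inventory for a fictional app (not a real system).
SAMPLE_APP = [
    Endpoint("/health", "GET", auth_required=False),
    Endpoint("/login", "POST", auth_required=False,
             params=("username", "password")),
    Endpoint("/api/users/{id}", "GET", auth_required=True,
             handles_pii=True, params=("id",)),
    Endpoint("/admin/export", "POST", auth_required=False,
             handles_pii=True, admin_only=True, params=("format",)),
]

if __name__ == "__main__":
    for t in rank_threats(SAMPLE_APP):
        print(f"{t.risk:>2}  {t.endpoint:<18} {t.description}")
```

Running it lists the unauthenticated admin export at the top (risk 25) and produces nothing for the parameterless health check, which is the point of the exercise: the model tells the assessment team where dynamic and static analysis effort should go first.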
As you can imagine, marketing something no one had ever seen before was a challenge.
Thus, we leveraged both traditional and digital marketing techniques.
For traditional marketing we used flyers and posters with eye-catching graphics to grab attention and build awareness.
These were posted throughout the buildings and common areas.
For digital marketing we used email marketing, content marketing and social media marketing.
We also recorded walkthrough videos and case studies that people really resonated with.
In the end, it was a huge success. The client received a $3 million budget to sustain the business.