Design & Implementation of a
Software Assurance Program
Application Assessments Performed Annually
Army Medal Awarded
Annual Sustainment Costs
Average Unique Vulnerabilities Identified Monthly
Total Time in Months to Design & Implement
The client requested help with figuring out the best method possible to assess web applications. As a Cybersecurity Service Provider, the client hosted many web servers with various web applications on behalf of his customer’s footprint. The client also worked with many various development teams (internal and external) which built web applications. With no real mechanism for assess web applications this gap was huge. Recommendation was to design and integrate a holistic Software Assurance Program.
Context / Action
We Designed and Implemented a Software Assurance (SwA) Program (People, Processes and Technologies) to assess all of their web applications. Software Assurance provides the level of confidence that software functions as intended and is free of vulnerabilities, either intentionally or unintentionally designed or inserted as part of the software, throughout the Software Development Life Cycle (SDLC).
At the time of design, there was no policy in place which mandated the customer to perform this capability. Customers in their domain, leverage policies, guides, regulations, directives and other forms of documentation, from higher leadership, to determine how to run IT & Cybersecurity operations. Because of this flaw, the customer used traditional methods of assessing web servers which completely missed the application and only assessed the web servers and databases.
Thus, we leveraged the National Defense Authorization Act (NDAA) to push the design and implementation of this new cutting-edge software assurance program. Software Assurance Tactics, Techniques and Procedures (TTPs) was designed to not only assess web applications in production and staging environments but also assess the back-end source code and most importantly provide developers with on the spot training to educate them on secure development. This not only spanned the assessment of web applications but also mobile as well.
Training was a big effort for delivering these cutting-edge services. Not only did we have to educate and train developers but also administrators, project managers, engineers, system owners, Information Assurance, and other leadership. Therefore, we provided not only, on the spot training, but also developed a monthly battle rhythm which would reach out to anyone within the Cyber domain and bring them to one place where we discussed and taught Software Assurance best practices to anyone who would come. This forum was a huge success which received many accolades.
Lastly, as a added bonus, we implemented Threat Modeling. Threat modeling is a technique used to map the theoretical attack surface for an application and analyze the impact, likelihood, and prevalence of security flaws. Using the output of a Threat Model, developers and security testers gain a greater understanding of how an attacker may attempt to circumvent their security controls and therefore are able to code defensively to address and reduce the risk of the threat. From details about threats and likely attacks against each project, the organization as a whole operates more effectively through better decisions about prioritization of initiatives for security.