What We Can Do For You:

I need help with planning a new or expanded Application/Product Security program.

I need additional resources or activities for my existing Application/Product Security program.

I need to arrange specialist training related to adopting sustainable threat modelling practices, using the OWASP ASVS to build secure software, or getting higher value from an AppSec scanning programme.

Security Roadmapping

We offer our Security Roadmapping service as a way to help you understand where you’re going, how long it will take, how much fuel (budget) you can expect to use, and what risks you will face along the way.

Focusing on high-level business context and constraints, the Security Roadmap takes a value-driven approach to optimize investment in security efforts. It details which security activities should be prioritized in your organization, and why.

These will enable you to reduce overall risk with cost-efficient tasks aligned with overall business priorities and based on your teams’ deep understanding of their product environment and architecture.

The purpose of the Roadmap is to plan work more efficiently, ensure security investment is aligned with what your company actually needs (instead of generic “Best Practices”), and provide a set of long-term security targets.

Software Security Consulting

Perhaps you are not yet ready for a full-fledged security program, for any of a number of valid reasons. Or maybe your security program is already mature, but you still need advice on a specific issue from an expert in security architecture.

For smaller projects, we can provide Standalone Consulting as needed. This would include meetings, staff interviews, and group discussions on-site as needed, as well as any additional information gathering, in-depth research, and hands-on proof of concepts we may need.

Threat Modeling Workshop

Threat modeling, a structured methodology for security-based analysis of a complex system, can help you identify and prioritize potential threats and attack vectors, and understand the appropriate mitigations.

A good threat model is essential for a robust, secure design and architecture, and can support mitigation of all relevant threats. This can also build customer confidence.

Our primary objective is to help you get to your end goal as quickly and effectively as possible. Your architects and development teams should be responsible for the security of their products, and consider this aspect as a normal part of building the features. As an outcome of this workshop, they will have the skillset, knowledge, and experience to be able to build basic threat models themselves, and recognize when they need to consult with experts for more advanced analysis.

Software Security Requirements with the ASVS

Security incidents due to software bugs are featuring more prominently in mainstream news with each passing year. However, if you are in a software engineering, architecture, or product management role, this may be a specialist area where you have less familiarity.

This training course is designed to provide you with a deep dive into how to design secure software, including the mindset and approach for balancing the needs of security with practicality.

You will go beyond the standard OWASP Top 10 to discuss a wider range of issues, using the comprehensive OWASP Application Security Verification Standard (ASVS) as a baseline to understand the requirements for secure software over a variety of key areas.

For each area, there will be an in-depth table-top exercise where you take turns in using what you have learnt to either secure a sample application architecture or attempt to attack it in a red team vs blue team style.

You will also learn how the ASVS can be customized to best suit your use case, and you will see not only the theoretical solutions but also the practical options that are common in the industry for providing software security mechanisms.

Building a High-Value AppSec Scanning Programme

You bought the application security tools, you have the findings, but now what? Many organisations find themselves drowning in “possible vulnerabilities”, struggling to streamline their processes and not sure how to measure their progress.

If you are involved in using SAST, DAST or SCA tools in your organisation, these may be familiar feelings to you. In this course you will learn how to address these problems and more (in a vendor-neutral way), with topics including:

  • What to expect from these tools
  • Customising and optimising these tools effectively
  • Building tool processes which fit your business
  • Automating workflows using CI/CD without slowing the pipeline down
  • Showing the value and improvements you are making
  • Faster and easier triage through smart filtering
  • How to focus on fixing what matters and cut down noise
  • Techniques for various alternative forms of remediation
  • Building similar processes for penetration testing activities
  • Comparison of the different tool types covered

To bring the course to life and let you apply what you learn, you will work in teams on table-top exercises where you design processes to cover specific scenarios, explain and justify your decisions to simulated stakeholders and practice prioritising your remediation efforts.

For these exercises, you will work based on specially designed process templates (which we will provide) which you can use afterwards to apply these improvements within your own organisation.

Be ready to work in a group, take part in discussions and present your findings and leave the course with clear strategies and ideas on how to get less stress and more value from these tools.