Technology was once considered a necessary evil; it provided peripheral support for business operations. Today, however, technology is so tightly integrated into business operations that it is often difficult to say where IT stops and Line of Business begins. Indeed, one of our large financial services customers likes to say that they are "a software development company with a banking license."
With the realization that software can provide competitive advantage, companies are producing applications like never before. And while the business advantages are indisputable, this churning of code comes with enormous risk. The attack surface into your company grows larger with every new application, where the slightest programmatic flaw can hand the keys to your kingdom over to cybercriminals intent on stealing your critical data. Hence, the growing focus on Application Security.
It is not easy for an organization to protect critical data from external threats when applications are being developed internally, developed by third parties, bought "off-the-shelf", downloaded as open source, or run in the cloud. Application Security looks at every application, in every environment, to identify, fix and prevent vulnerabilities.
Getting Started with Application Security
WinMill Software works with companies of all sizes to assess their Application Security risk, and to implement controls to mitigate that risk. Our customers range from huge enterprises to small companies of less than 50 people. We understand that companies have different levels of maturity, and different requirements, when it comes to application development. And we are well aware that there is no one-size-fits-all solution for Application Security.
There are two questions that we are most often asked when it comes to Application Security:
1) Sounds good, but is it really necessary?
Some companies produce higher quality, more highly secure apps than others. But we've never seen an organization scan their applications for the first time and not be surprised by the number of vulnerabilities uncovered. And when it comes to protecting the data of your company, your clients and your employees, "we didn't know" will not stand up in court. In this day and age, Application Security is no longer the luxury of Fortune 500 companies with armies of developers. So in short, yes, it's really necessary.
2) Where should we start?
Implementing an effective Application Security program does not have to be overwhelming. We take a systematic, holistic approach that starts by simply defining your core objectives. We review the scope of your application inventory, evaluate your system architecture and existing processes, and identify potential constraints. We take into account your budget and your appetite for risk (or lack thereof). We then create a step-by-step roadmap that includes the implementation of tools and business processes that will put you on the path towards true Application Security.
DevOps (Development Operations) is the confluence of programming, quality assurance and operations. Secure DevOps means the inclusion of integrated Application Security in the DevOps program, with the operative word being integrated.
Agile has become the de facto standard for application development, and its benefits are undisputed. However, with agile development comes a serious risk – the continuous delivery of new application releases means a constant exposure to potential security flaws introduced by new code. Most companies today address this risk in one of two ways: a) they implement rigid pre-production testing by a security team, which ends up slowing the release cycle so much that the benefits of agile development are effectively lost, or b) they don't address Application Security at all.
Secure DevOps is the answer. With Secure DevOps, you can integrate security scans throughout the SDLC. Your developers can run incremental code scans directly through their IDE. Full code scans can be automatically run as code is checked in. And dynamic website scans can be automatically run against both test and production sites. Now your developers are free to do exactly what you want them to do: introduce new applications, new features and new functionality as quickly as possible, without compromising on quality or security.
Application Security Health Check
We perform a one-time scan on one or more of your applications, using one or more tools that are best suited to your SDLC (SAST, DAST, IAST). We evaluate the outcome, parse out false positives, and review the results with you. We provide guidance as to how to interpret the results and how to remediate vulnerabilities. This service is particularly effective when you are testing an application for the first time, or if you want to do a trial run of one or more security scanning products.
Quick Start Implementation
WinMill supports a best-in-class suite of Application Security solutions. By partnering with the leading companies in this space, we provide the most competitive pricing available. Our security experts will then help you to install, configure and use the products, instantly creating an Application Security platform that will help keep your apps, networks and data safe. We provide mentoring and high-level training as part of the Quick Start. Check our Partner Page for more information about the products that we support and recommend, and come back often as we are always adding new solutions to our repertoire!
When you are ready to move beyond the out-of-the-box functionality of your scanning tools, WinMill is ready to assist. We help clients create security rules and metrics; we help to understand and triage scan results and to prioritize vulnerabilities; we help you to integrate your scanning tools into your existing development and deployment architecture. We host developer workshops and conduct targeted mentoring and deep-dive training.
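The two ideas above, scans that run automatically as code is checked in and scan results that are triaged rather than dumped on developers wholesale, meet in a build gate. The following is an added illustration, not WinMill's code or any vendor's product: a small Python gate that reads a SARIF 2.1.0 report (the interchange format most static analysers can emit), honours the tool's own suppressions and a reviewer-maintained baseline of accepted findings, and fails the check-in only when a new finding at or above a chosen severity appears. The report, the rule names, the file paths and the baseline entry are all constructed for the example, and the function names are assumptions of this snippet.

```python
"""Constructed example of a check-in security gate over a SAST report.

Consumes a SARIF 2.1.0 document, applies a triage baseline of accepted
findings, and decides whether the commit may proceed. Hypothetical
helper written for this page; not any vendor's tooling.
"""
import json

# SARIF result levels ordered by severity; "none" carries no severity.
LEVEL_RANK = {"none": 0, "note": 1, "warning": 2, "error": 3}

# Constructed SARIF report standing in for a scanner's output on check-in.
SAMPLE_SARIF = json.dumps({
    "version": "2.1.0",
    "runs": [{
        "tool": {"driver": {"name": "example-sast"}},
        "results": [
            {"ruleId": "sql-injection", "level": "error",
             "message": {"text": "Query built by string concatenation"},
             "locations": [{"physicalLocation": {
                 "artifactLocation": {"uri": "src/orders.py"},
                 "region": {"startLine": 42}}}]},
            {"ruleId": "hardcoded-secret", "level": "warning",
             "message": {"text": "Credential literal in source"},
             "locations": [{"physicalLocation": {
                 "artifactLocation": {"uri": "src/settings.py"},
                 "region": {"startLine": 7}}}]},
            {"ruleId": "weak-hash", "level": "warning",
             "message": {"text": "MD5 used for integrity check"},
             "suppressions": [{"kind": "inSource", "status": "accepted"}],
             "locations": [{"physicalLocation": {
                 "artifactLocation": {"uri": "src/legacy/checksum.py"},
                 "region": {"startLine": 3}}}]},
            {"ruleId": "debug-flag", "level": "note",
             "message": {"text": "DEBUG enabled in test config"},
             "locations": [{"physicalLocation": {
                 "artifactLocation": {"uri": "tests/conftest.py"},
                 "region": {"startLine": 1}}}]},
        ],
    }],
})

# Triage baseline: finding keys a reviewer has already accepted as false
# positives or as accepted risk. Constructed for the example.
BASELINE = {"hardcoded-secret|src/settings.py|7"}


def finding_key(result):
    """Stable identity for a finding: rule, file and start line."""
    loc = (result.get("locations") or [{}])[0].get("physicalLocation", {})
    uri = loc.get("artifactLocation", {}).get("uri", "<unknown>")
    line = loc.get("region", {}).get("startLine", 0)
    return f"{result.get('ruleId', '<no-rule>')}|{uri}|{line}"


def is_suppressed(result):
    """Honour in-tool suppressions unless a reviewer marked them rejected.

    Per SARIF, a suppression with no status is in effect, so treat a
    missing status the same as "accepted".
    """
    return any(s.get("status", "accepted") == "accepted"
               for s in result.get("suppressions", []))


def evaluate(sarif_text, baseline, fail_on="warning"):
    """Sort every result into blocking, suppressed or below threshold."""
    threshold = LEVEL_RANK[fail_on]
    report = {"blocking": [], "suppressed": [], "below_threshold": []}
    for run in json.loads(sarif_text).get("runs", []):
        for result in run.get("results", []):
            key = finding_key(result)
            # SARIF defaults a missing level to "warning".
            rank = LEVEL_RANK.get(result.get("level", "warning"), 2)
            if key in baseline or is_suppressed(result):
                report["suppressed"].append(key)
            elif rank < threshold:
                report["below_threshold"].append(key)
            else:
                report["blocking"].append(key)
    return report


def gate_passes(sarif_text, baseline, fail_on="warning"):
    """True when the check-in adds no untriaged finding at or above fail_on."""
    return not evaluate(sarif_text, baseline, fail_on)["blocking"]


if __name__ == "__main__":
    outcome = evaluate(SAMPLE_SARIF, BASELINE)
    for bucket, keys in outcome.items():
        print(f"{bucket}: {keys}")
    # Non-zero exit is what a CI step keys on to stop the merge.
    raise SystemExit(0 if gate_passes(SAMPLE_SARIF, BASELINE) else 1)
```

Run against the constructed report, the gate blocks on the one new error-level finding, suppresses the baselined secret and the in-source suppression, and leaves the test-only note visible but non-blocking. The baseline is the piece that keeps the gate from becoming the rigid pre-production bottleneck described earlier: accepted false positives are recorded once, in version control alongside the code, instead of being re-argued on every build.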
Maybe you have structured DevOps in place that needs integrated security, or maybe you don't have structured DevOps at all. Either way, WinMill can help. We analyze your existing SDLC processes and determine areas where new technologies may be warranted, new processes can be implemented, and above all, where automation and integration can make your operations more efficient. From here we create a roadmap for the transformation of your operations to full-scale Secure DevOps. Our core objectives for your Secure DevOps include:
Using the roadmap, we work with you to build out your Secure DevOps architecture. We automate the build and release process for developers, enabling continuous delivery of new functions and applications. We enable standardized configuration management and help to eliminate ad hoc and manual processes. Woven into the fabric of these processes are integrated tools for version control, application builds, deployment, static code scans, dynamic application scans, bug-tracking, vulnerability management, and governance. The end result is a Secure DevOps program that is faster, safer, more reliable and more predictable than anything you could have imagined.