Technology was once considered a necessary evil; it provided peripheral support for business operations. Today, however, technology is so tightly integrated into business operations that it is often difficult to say where IT stops and Line of Business begins. Indeed, one of our large financial services customers likes to say that they are "a software development company with a banking license."
With the realization that software can provide competitive advantage, companies are producing applications like never before. And while the business advantages are indisputable, this churning of code comes with enormous risk. The attack surface into your company grows larger with every new application, where the slightest programmatic flaw can hand the keys to your kingdom over to cybercriminals intent on stealing your critical data. Hence, the growing focus on Application Security.
It is not easy for an organization to protect critical data from external threats when applications are being developed internally, developed by third parties, bought "off-the-shelf", downloaded as open source, or run in the cloud. Application Security looks at every application, in every environment, to identify, fix and prevent vulnerabilities.
Getting Started with Application Security
WinMill Software works with companies of all sizes to assess their Application Security risk, and to implement controls to mitigate that risk. Our customers range from huge enterprises to small companies of fewer than 50 people. We understand that companies have different levels of maturity, and different requirements, when it comes to application development. And we are well aware that there is no one-size-fits-all solution for Application Security.
There are two questions that we are most often asked when it comes to Application Security:
1) Sounds good, but is it really necessary?
Some companies produce higher quality, more secure apps than others. But we've never seen an organization scan their applications for the first time and not be surprised by the number of vulnerabilities uncovered. And when it comes to protecting the data of your company, your clients and your employees, "we didn't know" will not stand up in court. In this day and age, Application Security is no longer the luxury of Fortune 500 companies with armies of developers. So in short, yes, it's really necessary.
2) Where should we start?
Implementing an effective Application Security program does not have to be overwhelming. We take a systematic, holistic approach that starts by simply defining your core objectives. We review the scope of your application inventory, evaluate your system architecture and existing processes, and identify potential constraints. We take into account your budget and your appetite for risk (or lack thereof). We then create a step-by-step roadmap that includes the implementation of tools and business processes that will put you on the path towards true Application Security.
DevOps (Development and Operations) is the confluence of programming, quality assurance and operations. Secure DevOps means the inclusion of integrated Application Security in the DevOps program, with the operative word being integrated.
Agile has become the de facto standard for application development, and its benefits are undisputed. However, with agile development comes a serious risk – the continuous delivery of new application releases means a constant exposure to potential security flaws introduced by new code. Most companies today address this risk in one of two ways: a) they implement rigid pre-production testing by a security team, which ends up slowing the release cycle so much that the benefits of agile development are effectively lost, or b) they don't address Application Security at all.
Secure DevOps is the answer. With Secure DevOps, you can integrate security scans throughout the SDLC. Your developers can run incremental code scans directly from their IDE. Full code scans can be run automatically as code is checked in. And dynamic website scans can be run automatically against both test and production sites. Now your developers are free to do exactly what you want them to do: introduce new applications, new features and new functionality as quickly as possible, without compromising on quality or security.
Application Security Health Check
Not sure how to get started with Application Security? Or maybe you've started, but you're not sure if you are on the right track. WinMill can help with an Application Security Health Check. We start with a questionnaire to determine your Risk Tolerance. Then we perform a one-time scan of your application portfolio, using one or more tools that are best suited to your SDLC (SAST, DAST, IAST). We evaluate the outcome, filter out false positives, and review the results with you. We provide guidance on how to interpret the results and how to remediate vulnerabilities. This service is particularly effective when you are planning to test the security of your applications for the first time, or want to establish a more comprehensive application security program.
Quick Start Implementation
WinMill supports a best-in-class suite of Application Security solutions. By partnering with the leading companies in this space, we provide the most competitive pricing available. Our security experts kick off a QuickStart by helping you to install, configure and begin using the product. We incorporate mentoring and customized training. The QuickStart ends with an assessment of your current state of application security, and a roadmap to get you to your desired future state. A QuickStart provides standards and benchmarks to help you self-assess your program as it progresses, providing metrics to score against and defining the goals that you hope to achieve.
Check our Partner Page for more information about the products that we support and recommend, and come back often as we are always adding new solutions to our repertoire!
Secure DevOps and SDLC Transformation
Maybe you have structured DevOps in place that needs integrated security, or maybe you don't have structured DevOps at all. Either way, WinMill can help. We analyze your existing SDLC processes through a security lens. We determine areas where new technologies may be warranted, new processes can be implemented, and above all, where automation and integration can make your operations more efficient – considering integrated security every step of the way. From here we create a roadmap for the transformation of your operations to a full-scale, Secure DevOps architecture. Our core objectives for your Secure DevOps include:
- Standardized configuration – across development, test and production to eliminate environmental discrepancies and smooth the process of migration and deployment.
- Standard tools and processes – so that developers can easily take over for one another, or work on multiple projects for multiple departments, all without missing a beat.
- Integrated and automated – configuration, environment, releases, security, quality assurance.
- Breaking down silos – integrating teams that do development, security, testing and deployment. No more throwing the code over the wall to the next group.
- Shifting left – getting security integrated into the early stages of development, dramatically reducing the cost of production error remediation.
- Speed to market – the end game for effective Secure DevOps is velocity; delivering high quality, highly secure code faster than ever before.
Ongoing Professional Support
How can you ensure that the standards and guidelines of your application security program will continue to be met and maintained? Enter WinMill Software's Remediation Coaching, Application Security Champion, and Scan-Assist services.
Remediation Coaching – How will I determine what is important, what is a false positive, what should be fixed, and what is mitigated through an acceptable control?
- WinMill security experts will review application scan reports and triage identified flaws. We help you to determine which issues may be mitigated through controls, and which issues should be remediated at the code or configuration level, taking into consideration your guidelines for risk tolerance.
- We identify remediation techniques and methods that your developers should consider for fixing identified issues, and we explain the output of the triage.
- We provide guidance to your application security team during the remediation process.
- We help to identify focus areas for ongoing developer training and hold best-practices workshops with development teams.
- We extend your team with an Application Security Champion with specialized application security and product knowledge.
- We monitor/drive scan progress, monitor support cases and escalations, and provide supplementary support beyond the support provided by manufacturers.
- We provide ongoing training and product demonstrations for your team members and stakeholders, best-practices workshops, regular status reports, and comprehensive progress summaries.
- We regularly review and revisit program goals with you and make recommendations for continuous improvement of your application security program.
- Creation of your application security program
- Solution selection process and evaluation
- On-boarding and implementation of new solutions
- Execution of scans
- Reporting and remediation activities