Full Circle Security (FCS) is the perfect service to leverage for a holistic product security program. Abricto Security partners and integrates with your product development team to walk through each step of the secure software development life-cycle, embedding security along the way. Your development team will have full access to our in-house expert advice at all times to discuss security controls and implementation options.
Enterprise development teams find this service especially useful as a comprehensive approach to product security to identify and remediate most security issues before penetration testing is ever conducted. Early vulnerability identification and remediation saves time, cost and effort by an order of magnitude when compared to last-minute vulnerability remediation.
Stage 0: Security Assurance Maturity Assessment
Our team interviews key stakeholders to understand and report the organization’s current alignment with security best practices in its development life-cycle. The output of this exercise is a report that we use as a guide during the Full Circle Security engagement to identify security weak spots that can be bolstered.
Stage 1: Security Training
Abricto Security’s consultants deliver developer-focused, language-specific training to highlight secure-coding blunders and how to prevent them. Our team analyzes vulnerability patterns identified in previous releases of the product to refine our curriculum, driving measurable software assurance metrics.
Stage 2: Requirements
Our product security experts meet with product owners and lead developers to understand:
- Privacy requirements
- Tagging requirements
- Third-party component tracking requirements
- Corporate and third-party contractual audit requirements
- Role-based access control requirements
- Identity management requirements
We use this information to compile a custom set of “evil-user stories” that developers build against, proactively baking product security in.
Stage 3: Planning and Design
Once we understand the product design and requirements, we collaborate with the organization’s DevOps teams to compose a comprehensive threat diagram – a visual representation of the product architecture and its attack surfaces. The output of this effort is not just a visual diagram, but a report detailing each component of the product and its associated vulnerabilities.
Stage 4: Development
During the development phase of the SDLC, software engineers demand agility. Our team validates that such agility is supported by the CI/CD pipeline. Traditional SAST scanning is clunky, cumbersome, and doesn’t support true pipeline automation. Abricto Security works with your development team to generate a custom rule-set for integrating automated Semgrep scans into your CI/CD pipeline. DAST scanning should run out-of-band to avoid bottlenecking code contributions. We validate that DAST scanning solutions properly identify vulnerabilities and that authentication, spidering, and fuzzing work as intended.
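As an added illustration of the kind of custom rule such a pipeline carries (an example written for this page, not Abricto Security's own rule-set), the Semgrep rule below flags subprocess calls that run a non-literal command string through the shell, a common language-specific blunder in Python code bases. The Python target and the file path are assumptions.

```yaml
# .semgrep/command-injection.yml (hypothetical path; added example, not an Abricto rule)
# Assumes the product is written in Python.
rules:
  - id: python-subprocess-shell-true-nonliteral
    languages: [python]
    severity: ERROR
    message: >-
      subprocess call runs a non-literal command string with shell=True.
      Pass an argument list with shell=False, or strictly validate the input.
    metadata:
      cwe: "CWE-78: Improper Neutralization of Special Elements used in an OS Command"
      category: security
    patterns:
      # Flag any subprocess.<function>(..., shell=True, ...) call ...
      - pattern: subprocess.$FUNC(..., shell=True, ...)
      # ... unless the command is a plain string literal, which cannot carry user input.
      - pattern-not: subprocess.$FUNC("...", ...)
# Matches:        subprocess.run("tar xf " + user_path, shell=True)
# Does not match: subprocess.run("uptime", shell=True)
# Does not match: subprocess.run(["tar", "xf", user_path])
```

In the pipeline step, `semgrep --config .semgrep/ --error` exits non-zero on any finding, so a matching commit fails the build instead of reaching review.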
Stage 5: Testing and Verification
This is where our team validates the effectiveness of all prior Full Circle Security phases. Our security consultants conduct in-depth penetration tests, emphasizing testing for business-logic, authentication, and authorization vulnerabilities that automated scans struggle to identify. The findings generated during penetration testing are fed back into the next iteration of Full Circle Security where we customize our training curriculum to address systemic coding or engineering vulnerabilities.
Stage 6: Deployment
The product is built and now it’s time to ship. Abricto Security validates that the deployment mirrors the intended design established in the “Planning and Design” phase of the SSDLC. Our team conducts network vulnerability scans of the product’s infrastructure to ensure no default or easy-to-guess credentials are used, least privilege is followed, and patching is in place.
Areas of Focus
- Secure development guidelines and principles.
- Risk assessments driven by design elements and data flow diagrams.
- Auditable compliance enabled through secure design patterns.
- Security Assurance Maturity Assessment Report
- Product-Specific Evil-User Stories Collection
- Threat Model Diagram and Component-Specific Attack Surface Report
- Verification and Validation of DAST Effectiveness
- Semgrep Rule-Set for Automated SAST CI/CD Pipeline Integration
- Application Vulnerability Assessment and Penetration Test Report
- Network Vulnerability Assessment and Penetration Test Report