Security Compass, Author at Security Compass
https://www.securitycompass.com/author/flemingc/
The Security By Design Company (feed last updated Wed, 10 Jul 2024 11:12:33 +0000)

Navigating AI Security: What’s New in SD Elements 2024.1
https://www.securitycompass.com/blog/navigating-ai-security-whats-new-in-sd-elements/
Wed, 08 May 2024 12:59:19 +0000


With the 2024.1 release, Security Compass is pleased to announce the addition of new AI security content and training for SD Elements. This includes:

  • AWS Sagemaker Security Content
  • ENISA Standards/OWASP Top Ten for Machine Learning (ML) Security Content
  • Defending AI Just-In-Time Training modules

SD Elements security content library also features:

  • NIST AI Risk Management Framework (RMF)
  • OWASP Top Ten for Large Language Models (LLMs)

A recent Security Compass survey found that 66% of businesses with over $5B in annual revenue have already integrated AI into their products and services or have set doing so as a high priority. Whether you build, manage, or deploy ML models, our goal at Security Compass is to ensure that your organization has the requirements and training to build products and software that are secure by design.


AWS Sagemaker Security Content: “Build, train, and deploy your machine learning ML models faster”

AWS Sagemaker is one of the top cloud-based services that helps data scientists, machine learning engineers, and developers build, train, and deploy ML models at scale. SD Elements has added security requirements that address the risks of using AWS Sagemaker.

To access the security requirements for AWS Sagemaker, you must first complete the survey. You will find Sagemaker under Deployment → Cloud Computing → Cloud Providers → AWS Content (Non-Story driven) → Sagemaker.

If you are building a diagram, then you will have the ability to add the AWS Sagemaker component to your canvas.

SD Elements will then generate the necessary requirements that need to be addressed with detailed guidance.

ENISA and OWASP Top Ten for Machine Learning Security Content

In June 2023, the European Union Agency for Cybersecurity (ENISA) published a framework for securing AI. The goal of the framework is to give organizations that develop or use AI systems the standards they need to secure their AI systems, operations, and processes. The OWASP Top Ten for Machine Learning (ML) Project aims to deliver an overview of the top 10 security issues in machine learning systems, including data and model poisoning, model theft, and supply chain attacks.

To support the ENISA AI framework and the OWASP Top Ten for ML, SD Elements now offers a consolidated list of threats, weaknesses and countermeasures that combines and covers the ENISA framework and OWASP Top 10 ML project.

You will be able to access this content within the survey under Application General → Context and Characteristics → Build and deploy machine learning (ML) models. Once you complete the survey, SD Elements will generate the requisite security requirements.

SD Elements will also generate a project report by following the path: Reports → Project Reports → ENISA – Securing Machine Learning Algorithms. The report will break down countermeasure completion status based on ENISA – Securing Machine Learning Algorithms section & phase within the software development lifecycle.

Defending AI

SD Elements now supports 17 micro-modules based on the OWASP Top Ten for LLMs. Topics covered in the modules include:

  • AI Cybersecurity Landscape
  • Protecting Data Models
  • Securing Model Interactions
  • Preventing AI Abuse
  • AI Governance

If you select “Uses Large Language Models (LLMs)” in the survey, your users will see the modules within the applicable countermeasures.

The module, if applicable, will be available within the countermeasure by following the path Countermeasures → Training → Defending AI. The module will then appear once you click on the link.

Ready to Take The Next Step?

To learn more about SD Elements AI security content and training, schedule a demo with one of our Account Executives.


Learn More

Security Compass enables you to deliver secure & compliant products and software by design.

By taking a proactive approach to threat modeling and secure development, SD Elements improves software security at scale, reduces operational costs, and helps organizations achieve compliance. Application Security Training from Security Compass takes developers from good to great with accredited role-based security eLearning.

Leading organizations across industries are using Security Compass’ developer-centric technologies and expertise to adopt a “security by design” approach and scale their AppSec efforts beyond what was possible with traditional “find and fix” methodologies.

New to SD Elements? Request a demo to explore how our solutions can transform your software security landscape.

The post Navigating AI Security: What’s New in SD Elements 2024.1 appeared first on Security Compass.

Unlocking the ROI of Security by Design in Application Development
https://www.securitycompass.com/blog/roi-security-by-design-in-application-development/
Wed, 27 Mar 2024 16:37:16 +0000

In an era where digital threats evolve unprecedentedly, the traditional reactive stance on cybersecurity no longer suffices. Forward-thinking organizations are now embracing a proactive approach to security: integrating it by design from the onset of application development.

This strategic shift, known as “Security by Design,” not only fortifies applications against potential threats but also delivers significant returns on investment (ROI) by reducing the cost and impact of security vulnerabilities.

The Imperative of Early Security Integration

The concept of “shifting left”—integrating security measures early in the software development lifecycle—has become a cornerstone of robust application security strategies.

This approach challenges the conventional methodology of treating security as a final step or a quality to be tested for after development. By embedding security principles from the very beginning, organizations can anticipate and mitigate risks before they manifest as costly vulnerabilities.

The Cultural Shift Towards Security by Design

Adopting Security by Design necessitates a profound cultural shift within organizations, going well beyond technical adjustments. It requires the commitment and understanding of every stakeholder, from executives to developers.

The journey begins with education, ensuring that all parties comprehend the value and mechanics of proactive security measures. Following this, the organization must embed these principles into its processes, empowering development teams to incorporate security considerations inherently and autonomously.

Demonstrating ROI Through Security by Design

Quantifying the ROI of Security by Design is pivotal in securing executive buy-in and sustaining the initiative. This can be achieved by analyzing the cost savings from averting potential vulnerabilities, the reduction in risk exposure, and the overall enhancement of product quality.

For instance, the integration of security measures from the design phase can significantly reduce the number of high-risk vulnerabilities, translating into direct savings on remediation costs and minimizing the ‘window of risk’ during which applications are vulnerable to attack.

Overcoming Common Challenges

Implementing Security by Design is not without its challenges. Organizations often encounter obstacles such as resistance to change, misconceptions about the feasibility of early security integration, and difficulties in measuring short-term successes.

To overcome these, it’s crucial to address the common “anti-patterns” that can derail security initiatives, such as siloed efforts, lack of proactive metrics, and the failure to recognize security as a shared responsibility.

The Path Forward: A Framework for Success

A structured framework can guide organizations in effectively adopting Security by Design. This includes:

  • Baseline Education: Building a foundational understanding of security principles across the organization.
  • Embedding Expertise: Integrating security experts and champions within development teams to facilitate knowledge sharing and guidance.
  • Empowering Teams: Providing the tools and autonomy necessary for development teams to implement security by design principles effectively.

The Bottom Line: Security as an Investment, Not a Cost

Security by Design is more than a cybersecurity strategy; it’s a business imperative that enhances operational efficiency, reduces risk, and ultimately contributes to the bottom line.

By embedding security into the DNA of application development processes, organizations can not only protect themselves against the ever-evolving landscape of cyber threats but also unlock significant economic value.

Ready to Shift Left with Security by Design?

At Security Compass, we empower organizations to integrate proactive security measures seamlessly into their development processes. Our comprehensive solutions and expert guidance can help your team navigate the cultural and technical shifts necessary to embrace Security by Design.

Don’t wait for vulnerabilities to dictate your security strategy. Contact us today to learn how you can proactively secure your applications and unlock the full ROI of your security investments.

The post Unlocking the ROI of Security by Design in Application Development appeared first on Security Compass.

Overcome the Top 4 Application Security Challenges in 2024
https://www.securitycompass.com/blog/top-application-security-challenges/
Mon, 18 Mar 2024 01:50:50 +0000

In an ever-evolving digital landscape, securing applications against threats and vulnerabilities has never been more critical. In this comprehensive guide, Rohit Sethi, CEO of Security Compass, sheds light on the multifaceted challenges and solutions in application security, offering a roadmap for developers and organizations aiming to fortify their defenses.

The Awareness Challenge: Bridging the Knowledge Gap

One of the most significant hurdles in application security is the knowledge gap among software developers. Traditionally, security has not been a focal point in the curriculum for coding, leaving developers unprepared to tackle security challenges head-on. “Software developers don’t necessarily learn about security when they learn to code,” Rohit points out, highlighting a fundamental flaw in the development ecosystem.

The rapid pace at which new vulnerabilities emerge compounds this issue, making it increasingly difficult for developers, whose primary focus is functionality, to stay abreast of the latest security practices. This gap in knowledge and awareness is the bedrock of the challenge, underscoring the need for a paradigm shift towards integrating security principles right from the onset of the development process.


Empowering Development Teams: The Role of Embedded Security Expertise

To bridge this gap, Rohit advocates embedding security expertise directly within development teams. This approach ensures that security considerations are not an afterthought but an integral part of the development lifecycle. He introduces the concept of utilizing platforms like SD Elements, which provide comprehensive insights into known software weaknesses and preventative controls, seamlessly integrating into development processes and tools like JIRA.

Such platforms enable development teams to focus on delivering business value through feature development while ensuring security measures are implemented effectively. This facilitates a more secure development process and enables organizations to demonstrate compliance and maintain an audit trail of implemented security controls.

The Evolving Landscape: Security Requirements and Liability

Highlighting a real-world incident, Sethi discusses the Capital One breach, emphasizing the longstanding nature of vulnerabilities like SSRF (Server Side Request Forgery) and the lack of proactive measures to address such vulnerabilities. Looking forward, he points to regulatory changes, such as the EU Cyber Resilience Act, which mandates the integration of security throughout the development process and proposes liability for software vulnerabilities.

This evolving regulatory landscape necessitates a proactive approach to security, where developers must integrate the correct security requirements upfront and provide audit evidence of their implementation. Failing to do so increases the risk of breaches and exposes organizations to significant liability.

New Technologies, New Challenges: The Case of Generative AI

As new technologies like large language models and generative AI become more integrated into software products, new security challenges arise. Rohit highlights specific risks, such as prompt injection, associated with these technologies. He underscores the importance of implementing prescriptive security controls to mitigate such risks and demonstrate due diligence in the face of potential breaches.

The insights shared by Rohit Sethi underscore the multifaceted challenges of application security and the critical need for a paradigm shift towards integrated, proactive security practices. As technologies evolve and regulatory landscapes change, developers and organizations must prioritize security to safeguard against vulnerabilities and fulfill their responsibilities to users and stakeholders.

Ready to Elevate Your Application Security?

In today’s digital world, where security threats evolve as rapidly as technology, staying ahead requires more than just awareness—it demands action. Security Compass offers cutting-edge solutions designed to embed security expertise within your development teams, ensuring your applications are not just functional but fortified against the myriad threats they face.

Whether you’re looking to integrate security into your development lifecycle, comply with emerging regulations, or simply want to understand how to navigate the complexities of application security, we’re here to help. SD Elements provides a comprehensive framework for identifying and addressing software vulnerabilities, streamlining your path to secure software development.

Don’t let security be an afterthought. Contact us today to learn how Security Compass can empower your development teams to build not just innovative but secure applications that stand the test of today’s digital challenges.

Let’s work together to build a more secure future.

The post Overcome the Top 4 Application Security Challenges in 2024 appeared first on Security Compass.

SD Elements 2023.4 Release Update
https://www.securitycompass.com/blog/sd-elements-2023-4-release-update/
Mon, 08 Jan 2024 01:20:36 +0000


The latest 2023.4 release from Security Compass streamlines the process of Security by Design, offering application security and software development teams a more straightforward and efficient approach. Key enhancements in SD Elements 2023.4 include:

  • Enhanced Trend Reporting
  • Integration with Checkmarx One SAST
  • The ability to use Custom Icons
  • Refreshed and Updated Security Content

Trend Reporting

SD Elements now includes Trend Reporting within its Advanced Reporting functionality. This new feature provides valuable insights into the evolving security posture of your organization, showcasing how SD Elements contributes to continuous security improvements over time.

In the dashboard below, you can see the number of compliant and non-compliant projects this bank has and how it is trending towards GDPR compliance over time.


Integration with Checkmarx One SAST

SD Elements now integrates with Checkmarx One SAST. This new integration allows you to import SAST scan results from Checkmarx One into SD Elements. The following guide will show you how to set up the integration and the results it will yield within SD Elements.


Custom Icons

SD Elements users with customizable content permissions can select icons from a list of available icons for custom components, or choose alternate icons for components they have already created. Custom icons bring secure-by-design connected components in line with the visual language specific to your organization.

Below is a sample of the custom icons that will be available when you generate a threat model diagram.


CWE Top 25 2023 Compliance Report and Content

The Common Weakness Enumeration (CWE) program recently released its Top 25 Most Dangerous Software Weaknesses list (CWE™ Top 25) [1]. This list highlights the currently most common and impactful software weaknesses. With the 2023.4 release, SD Elements has added a compliance report for CWE Top 25 2023 with relevant mappings to the countermeasures. The CWE Top 25 2023 report is now available under Project Reports → Compliance Reports.

[1] CWE Top 25 Most Dangerous Software Weaknesses


Learn More

Security Compass enables you to deliver secure & compliant software by design.

By taking a proactive approach to threat modeling and secure development, SD Elements improves software security at scale, reduces operational costs, and helps organizations achieve compliance. Application Security Training from Security Compass takes developers from good to great with accredited role-based security eLearning.

Leading organizations across industries are using Security Compass’ developer-centric technologies and expertise to adopt a “security by design” approach and scale their AppSec efforts beyond what was possible with traditional “find and fix” methodologies.

For existing SD Elements customers, please contact your Customer Success Manager for further insights and support.

New to SD Elements? Request a demo to explore how our solutions can transform your software security landscape.

The post SD Elements 2023.4 Release Update appeared first on Security Compass.

SD Elements 2023.3 Release Update
https://www.securitycompass.com/blog/sd-elements-2023-3-release-update/
Sat, 21 Oct 2023 02:05:43 +0000

Security Compass is making Security by Design easier than ever for software development teams with the 2023.3 release. New features now available in SD Elements 2023.3 include:

  • New AI governance, large language models (LLM), Consumer IoT, Rust, and ISO 27001:2022 security content
  • Scheduled user deactivation and reactivation
  • SD Elements library and content improvements
  • Enhanced Auditing

Developer-centric Security Content

Create an AI Governance framework based on NIST AI RMF

SD Elements has added security content to help your organization create an AI governance framework. This framework is based on the NIST AI Risk Management Framework, which provides guidance on how to govern, map, measure, and manage the usage of AI products.

The survey has a new section: “Artificial Intelligence/Machine Learning.”

When you select “AI governance tasks are in scope” and complete the survey, you will then be provided with weaknesses, countermeasures, and a report based on the NIST AI RMF.

Embed security for the OWASP Top 10 LLM Applications with ease

SD Elements now supports developer-centric recommendations for the OWASP Top Ten for Large Language Model Applications.

When you select “Uses Large Language Models (LLM)” and complete the survey, you will then be provided with weaknesses and countermeasures based on the OWASP Top 10 for Large Language Model Applications.

Prevent large-scale, prevalent attacks against your IoT devices

SD Elements will be adding new countermeasures and a report for IoT: ETSI EN 303 645 to ensure your organization is aligned with this globally recognized standard for manufacturing consumer IoT devices.

When selecting a Compliance Report, you now have the option to select EN 303 645, which will generate a list of potential countermeasures and their completion status.

Rust

SD Elements now supports security content for Rust.

ISO 27001: 2013 → ISO 27001: 2022

When selecting a Compliance Report, you now have the option to select ISO 27001:2022, which will generate a list of potential countermeasures and their completion status.

Automate the user lifecycle management process

SD Elements now supports the scheduled auto-deactivation of user identities directly from the SD Elements user interface as well as reactivation of deactivated user identities that are using SSO (SAML, LDAP). To automatically deactivate and reactivate user identities:

Set the parameter and the number of days after which the identities of specific users or groups should be deactivated. Being able to select specific users and/or groups gives you more granular control over your user lifecycle management workflow.

Automatically reactivating users via SSO Login can now be completed in two clicks.

Migrate Activated and Deactivated Library Content

You can now export deactivated content, set content to deactivate or activate upon import, and delete custom content upon import within SD Elements.

Enhanced Auditing

All content updates are now made available in Global Activity Logs, Project Activity Logs, and Countermeasure Activity Logs.

Learn More

Security Compass, the Security by Design company, helps organizations that develop software save time and money and reduce cyber risks through education and by taking an automated, developer-centric approach to software threat modeling, secure development, and compliance. This approach enables software developers and security teams to:

  • Understand best practices for embedding product security
  • Continuously model threats at scale
  • Proactively write code that significantly reduces risks and remediation costs
  • Demonstrate compliance with secure software development standards more easily
  • Accelerate software time to market

If you are a current SD Elements customer, please reach out to your Customer Success Manager to learn more.

If you are new to SD Elements, request a demo to learn more.

The post SD Elements 2023.3 Release Update appeared first on Security Compass.

The Ultimate Guide to Building an Application Security Training Culture & Program
https://www.securitycompass.com/blog/the-ultimate-guide-to-building-an-application-security-training-culture-program/
Tue, 15 Aug 2023 14:40:04 +0000

In today’s digital world, security is a top priority for organizations of all sizes. With the strategic importance of digital assets, plus the increasing number of cyber-attacks and data breaches, businesses of all sizes need to ensure that their applications are secure.

Delivering on this business priority begins with rolling out an Application Security training program within your organization.

What is an Application Security Training Program

An AppSec training program is essential to a successful application security program and process. As the threat landscape continues to evolve, organizations must prioritize security at every level of the development process to stay ahead of the curve. Empowering dev teams is an effective and cost-efficient building block in building out a successful application security program.

An application security training program should:

  • Establish a knowledge baseline for staff at various experience levels.
  • Include comprehensive training that teaches software development teams about code vulnerabilities and compliance.
  • Be relevant to the technology stacks that your organization uses.
  • Cover, at minimum, security concepts such as secure coding practices, threat modeling, regulatory compliance, and security testing.
  • Ideally, deliver courseware in a format that is engaging and easily consumed by the audience, to make the most of their valuable time.

7 Benefits of Application Security Training

Here are some benefits of implementing an AppSec training program to the success of your organization’s overall AppSec program and process:

1. Reduced Risk of Data Breaches

Data breaches can cause irreparable damage to an organization’s reputation, financial stability, and customer trust. An application security training program can help reduce the risk of data breaches by teaching developers how to prevent, identify and fix vulnerabilities in their code before going to production. By creating a culture of security awareness and best practices, your organization can minimize the likelihood of a successful attack.

2. Improved Code Quality

An application security training program can also lead to improved code quality. When developers understand how to write secure code, they can create applications less prone to security vulnerabilities. This can result in fewer bugs, increased reliability, and faster development cycles, given more proactive processes and less rework time.

3. Compliance with Industry Standards

Many industries have regulatory requirements for security and data protection. Implementing an application security training program can help your organization comply with these standards. By training your developers in secure coding practices, and keeping attestations of which languages and frameworks they have been trained in, you can demonstrate your commitment to security and avoid costly fines and legal issues.

4. Cost Savings

Investments in an application security training program can lead to cost savings in the long run through improved productivity. By identifying and fixing security vulnerabilities early in the development process, you can avoid costly rework and remediation efforts down the line. This can result in faster time to market, increased efficiency, and, ultimately, a higher return on investment.

5. Increased Customer Trust

Customers today are more security-conscious than ever before. By implementing an application security training program, you can show your customers that you take their security seriously. This can help build trust and confidence in your organization and increase customer loyalty when customers can expect products that are secure by default.

As the threat landscape evolves, organizations must prioritize security at every level of the development cycle to stay ahead of the curve.

6. Competitive Advantage

Whether you are competing for customers or for top staff, security training benefits your organization in both areas. Retaining customers and retaining quality employees both benefit from your organization’s ability to support your staff’s professional development in this underserved area. Plus, it directly correlates with the timely delivery of secure, high-quality products.

7. Staff Enablement (Product Security & Role Security Awareness)

The roles that develop and deliver products and manage third-party vendor components, such as engineering, security, architecture, and threat modeling, along with their supporting functions, are on the front lines of delivering secure and low-risk products to your customers. Since post-secondary institutions are behind the curve in delivering graduates with the AppSec skill set that industry needs, many organizations must establish baseline role-specific and domain-specific knowledge for their critical-path staff.

How To Roll Out an AppSec Training Program

Creating and rolling out an impactful, well-received, and successful organization-wide skills training program can be daunting. However, with the right planning, strategy, and execution, it can be a rewarding experience for both the organization and its employees.

9 Steps to Safeguard Your Training Initiative’s Success

Here are some best practices to consider when creating and rolling out an organization-wide security skills training program:

Step 1. Identify Learning Objectives

The first step in creating an organization-wide security training program is identifying the learning objectives. What are the skills or knowledge areas that the organization wants its employees to learn or improve? Identifying specific learning objectives that align with the organization’s goals and objectives is essential.

Step 2. Define the Target Audience

Once the learning objectives have been identified, the next step is to define the target audience. Who are the employees that will benefit from the training program? It is essential to consider the roles and responsibilities of the employees, as well as their skill levels, to ensure that the training program meets their needs.

Step 3. Choose a Training Methodology that can Scale

Choosing the right training methodology and training vendor is crucial for the overall program’s success. Organizations need a combination of content and delivery methodology that scales across the organization, is well-received by the audience, and provides measurable impact. It is essential to choose a method that is engaging, interactive, and effective.

Step 4. Develop Engaging Content

Developing engaging content is essential to the success of the training program. The content should be relevant, up-to-date, and easy to understand. It should also be interactive and include practical examples that employees can relate to their day-to-day work.

Step 5. Reinforcement and Ongoing Support

Providing ongoing support is crucial to maturing your training program. Give employees access to resources, a breadth of content for continuing education, job aids, and reference materials that they can use to reinforce their learning. Industry-standard certification paths, Security Champions programs, manager- or security-champion-led remediation, and coaching and feedback will also help employees apply their newly acquired skills. Training isn’t a one-time event. Reinforcement is needed, and just-in-time, just-enough training coaches developers directly, applies security concepts to real-world applications, and measures progress while they are on the job. Consider how your secure development tools help employees identify requirements and security issues, and whether they provide referenceable examples for remediating those issues with countermeasures.

Step 6. Top-Down Mandates and Measurement of the Program’s Effectiveness

Measuring the program’s effectiveness is crucial to ensure that it meets the organization’s goals and objectives. Executive sponsorship and top-down mandates drive security culture change. It is essential to track employees’ progress and assess their learning outcomes; this helps the organization identify gaps and make the necessary adjustments to the program. Rewards, exclusive memberships, and competitions around training goals are a long-term, sustainable way to leverage natural competitiveness and add a gamified “fun” aspect to your program.

Step 7. Communicate the Benefits & Success

Communicating the benefits of the training program to employees is crucial to its success. Employees need to understand why the program is important and how it will benefit them in their current role and in their career development. It is also important to communicate the program’s impact on the organization and its strategic goals. Leaderboards and organizational dashboards are an effective way to communicate progress continuously, add competitive motivation, establish cultural norms, and create executive urgency.

Step 8. Third-Party Affirmation

Most teams have the best intentions, but they also have a competing to-do list, so additional motivation helps. One such motivator is to use your training program to support an employee’s desire to obtain industry-recognized third-party certifications such as those from ISC2. Look for courseware that ISC2 has approved for annual CPE credits and that prepares your staff to sit an ISC2 certification exam. This maximizes employee time, adds a résumé-worthy accomplishment, creates the foundation for a Security Champions program, and stimulates team competitiveness to achieve the corporate gold security standard along with its accolades.

Step 9. Establish a Time Efficient Annual Knowledge Assessment Baseline that is Tied to Employees’ Objectives and Key Results

Staff often ask, “Why do I need to take this course again when I took it last year?” Since developer time is a valuable commodity, that is a fair question.

The answer is that you may not need to invest an hour retaking the course, but you do need to demonstrate that you meet a knowledge baseline. Whether the driver is annual contractual or regulatory compliance or maintaining a risk-reducing security culture, a reportable self-service assessment demonstrates, up to the Executive Board level, that staff are maintaining their security knowledge baseline.

Security Compass’ Application Security Training courses are designed with this flexibility in mind. Individual courses can benefit various knowledge and experience levels within an organization.

Many organizations have established annual guidelines for Security Awareness training for all employees in order to reduce exposure to risks.

Be it Security Awareness, AppSec Fundamentals, OWASP Top 10, etc., Security Compass’ Application Security Training courses are designed to be flexible and efficient for knowledge self-assessment. As part of an annual Security Training Program requirement, they allow staff to jump straight to the final 10-minute exam to prove what they know and satisfy annual Human Resources requirements. With real-time feedback, a user who fails the exam can focus on reviewing just the topics they are weak on, then retake the exam.

Consider the benefits of importing this type of LMS reporting into your HR system and/or org performance dashboards to drive the company culture aspect.

That is a win-win scenario for both the organization and staff.

Conclusion

Creating and rolling out an organization-wide AppSec training program can be challenging, but it is essential for the organization’s and its employees’ success. By following these best practices, organizations can develop a training program that is impactful, well-received, and successful in achieving its goals and objectives.

Security Compass is here to assist you from start to finish. We work with customers from start-ups to multinationals in all phases of their program maturity.

From security awareness training for team members, to full-fledged role-based learning paths, to support for senior developers in Security Champions programs via an ISC2-recognized certification path (and bragging rights), AppSec training is a sound foundation for, and a great starting point to, rolling out an AppSec program.

The post The Ultimate Guide to Building an Application Security Training Culture & Program appeared first on Security Compass.

SD Elements 2023.2 Release Update
https://www.securitycompass.com/blog/sd-elements-2023-2-release-update/
Sat, 08 Jul 2023 02:07:58 +0000

The post SD Elements 2023.2 Release Update appeared first on Security Compass.

Expanding Depth and Breadth of Security and Training Content and Integrations

To provide a good customer experience, all organizations must strive for a Security by Default end state: products that are secure to use out of the box. Releasing products with vulnerabilities puts customer data at risk, and a threat actor with access to personally identifiable information can do irreparable harm to customers. The burden of putting strong security measures in place (for example, strong passwords or multi-factor authentication) should not fall upon your customers.

To achieve the Security by Default end state, organizations must adopt a Security by Design approach. Security by Design is the philosophy of ensuring that systems are built securely from the very beginning of the development process. However, implementing Security by Design is not a one-size fits all solution, as organizations, departments, and teams all have different needs. The right solution to adopt or optimize your Security by Design approach must address your organization’s current needs, integrate with your existing tech stack, and reduce the number of security requirements your developers have to address.

Security Compass, the Security by Design company, has developed two developer-centric solutions, SD Elements and Application Security Training (formerly eLearning), which allow organizations to embed product security early in the development process. Both solutions enable organizations, departments, and teams to release secure code faster through training, automatically identifying and prioritizing software threats, recommending countermeasures, and reducing the risk of insecure design.

With the release of SD Elements 2023.2, Security Compass is making Security by Design easier than ever for software development teams. New features now available in SD Elements 2023.2 include:

  • Improvements to the SD Elements survey
  • New and updated security content
  • Enhanced user lifecycle management experience
  • New and updated Just-In-Time-Training (JITT) modules and Application Security Training courses

Survey Enhancements

The SD Elements survey is the most essential aspect of a threat model. To create a complete threat model, the survey can require collaboration amongst multiple users across teams, depending on the complexity of the system. Prior to the 2023.2 release, it was challenging for users to identify what changes had been made. For the stakeholder who is responsible for submitting the survey, there was no ability to review the changes.

With the 2023.2 release, any changes made in the survey will now be highlighted. When the owner is ready to submit the survey, they will be directed to a confirmation page where they will have the opportunity to review all the changes. This update will reduce the time spent reviewing survey answers.

User Lifecycle Management Enhancements

It is the responsibility of the SD Elements administrator to oversee the user lifecycle management experience. In previous releases, we addressed onboarding by adding the ability ​​to import groups and roles from identity providers into SD Elements. However, this feature only worked via API and not directly within the SD Elements user interface (UI). Reactivating suspended users was also a challenge prior to this release. If an identity provider does not allow for scheduled reactivation, then this must happen manually within SD Elements, which is a labor-intensive process.

With the SD Elements 2023.2 release, SD Elements enhances the onboarding experience and automates the reactivation of inactive users. The new onboarding experience builds on SD Elements’ existing Single Sign-On (SSO) authentication, extending the SAML configuration in the UI with the ability to map Identity Provider (IdP) groups to SD Elements groups and IdP roles to SD Elements roles. With scheduled reactivation, SD Elements administrators can set a date on which a suspended user’s identity is reactivated; once the date arrives, the user is automatically granted access to SD Elements.

New Security Content

SD Elements 2023.2 now provides the following security content library updates:

  • ISO 21434 (Automotive Industry): New developer-centric recommendations and out of the box countermeasures for how to satisfy ISO 21434 requirements
  • OWASP IoT Top 10: New and updated developer-centric recommendations for how to address the most common security risks that can make IoT devices vulnerable
  • OWASP Privacy Top 10: New ​​OWASP Privacy Top 10 report and developer-centric recommendations and countermeasures based on the OWASP Privacy Top 10 Project

Just-in-Time-Training (JITT) Updates

Just-in-Time Training micromodules have been updated in SD Elements 2023.2 for Defending Node.js and Defending Java. For a complete list of the 800+ JITT micromodules now available within SD Elements, please see Security Compass’ Training Curriculum. (If you are a current SD Elements customer but do not currently have a JITT subscription and would like to learn more, please contact Customer Success or Book a Demo.)

Application Security Training Courses

The following Security Compass Application Security Training courses are now available:

  • Defending Node.js
  • Defending Java

To learn more about these courses, as well as the more than 40 other Application Security Training courses covering application security, operational security, compliance, and general awareness, please visit the Application Security Training page.

Learn More

Security Compass, the Security by Design company, helps organizations who develop software save time and money and reduce cyber risks through education and by taking an automated, developer-centric approach to software threat modeling, secure development, and compliance. This approach enables software developers and security teams to:

  • Understand best practices for embedding product security
  • Continuously model threats at scale
  • Proactively write code that significantly reduces risks and remediation costs
  • Demonstrate compliance with secure software development standards more easily
  • Accelerate software time to market

If you are a current SD Elements customer, please reach out to your Customer Success Manager to learn more.

If you are new to SD Elements, request a demo to learn more.

The 2023 Equilibrium Conference by Security Compass
https://www.securitycompass.com/blog/2023-equilibrium-conference-by-security-compass/
Thu, 04 May 2023 13:24:47 +0000

The post The 2023 Equilibrium Conference by Security Compass appeared first on Security Compass.

Security Compass’ annual Equilibrium Conference is scheduled this year to take place on May 31, 2023, from 11 AM to 3 PM EDT. The virtual event’s theme is “Build a strong security foundation through ‘security by design’ to ensure the production of software we can trust today and tomorrow.”

The conference aims to educate and empower the audience on security by design, and to help them embed it: integrating key security capabilities into the Secure Product Lifecycle, from design to maintenance.

Equilibrium 2023 will bring together DevSecOps leaders and practitioners from various industries to share their experiences and discuss the latest advancements in secure development. The event is perfect for developers, DevOps and DevSecOps professionals, and product security experts who are serious about creating secure software.

At the conference, attendees can expect to learn from the most innovative minds in the industry, with sessions covering cutting-edge topics like security by design, cyber liability implications on software development, the coming impact of artificial intelligence on software security, and the emerging field of product security.

Security by Design

One of the main focuses of the conference is security by design. Attendees will hear how their organization can gain a significant competitive advantage by taking a proactive approach to security and privacy by design. This includes integrating security considerations into every phase of the software development lifecycle, from requirements gathering to design, development, testing, and deployment.

Cyber Liability

Another topic that will be discussed is cyber liability. With the increasing number of cyber-attacks and data breaches, organizations are now starting to add product security-specific clauses to contracts. Attendees will explore cyber liability and its legal and financial consequences for businesses.

Artificial Intelligence (AI)

Artificial Intelligence (AI) is another area that will be covered at the conference. AI has the potential to enhance software security, but it also comes with its risks. Attendees will delve into the role of AI in secure development, assess its potential benefits and associated risks, and discuss strategies to mitigate those risks.

Application Security Training

Application security training is a critical component of secure software development. Attendees will discover how they can empower software developers to build and release secure software without impacting delivery speed. This includes exploring training best practices that can help developers build secure code from the outset.

Product Security

Product security is a field that is rapidly evolving. Leading experts will share best practices based on important lessons learned from their own experiences on the product security front lines.

The Rise of the CPSO

Attendees will also learn how and why the roles of the CISO and CPSO are changing due to rapid changes in the cyber threat and liability landscape.

Equilibrium 2023 Conference will be a virtual event, allowing attendees to participate from anywhere in the world. The conference will feature live sessions, interactive workshops, and networking opportunities. Attendees will have the opportunity to connect with other professionals in the industry and learn from the experts.

This conference is an excellent opportunity for professionals in the software development industry to learn about the latest advancements in secure development. Attendees will have the chance to learn from the most innovative minds in the industry and shape the future of software security. Whether you are a developer, DevOps or DevSecOps professional, or product security expert, this conference is not to be missed.

Register today and be a part of the future of secure software development.

Register Now

SD Elements 2023.1 Release Update
https://www.securitycompass.com/blog/sd-elements-2023-1-release-update/
Sat, 15 Apr 2023 05:05:08 +0000

The post SD Elements 2023.1 Release Update appeared first on Security Compass.

Enhancing the Developer-centric Threat Modeling and Secure Development Experience

Product security is a value add. Embedding product security throughout the software development lifecycle (SDLC) is frequently a top-down mandate within many organizations. The key drivers are cost savings and competitive advantage, since it minimizes the number of vulnerabilities once a product is in the hands of customers.

Software threat modeling and secure development are ideal solutions to help organizations address product security early in the SDLC. However, manual approaches can take weeks to months to complete and increase the chances of misidentifying possible vulnerabilities. This adds another friction point for developers trying to hit their release goals.

Security Compass has developed SD Elements, a developer-centric, automated approach to threat modeling and secure development. SD Elements allows developers to release secure code faster by automatically identifying and prioritizing software threats, recommending countermeasures, and reducing the risk of insecure design. The time savings can be months when comparing SD Elements to traditional (manual) processes. With the release of SD Elements 2023.1, Security Compass is making security by design easier than ever before for software development and application security teams. New features now available in SD Elements 2023.1 include the ability to:

  • Import threat model diagrams from Microsoft Threat Modeling Tool and Diagrams.net (formerly Draw.io)
  • Customize built-in reusable components
  • Specify new granular permissions in advanced reporting
  • Provide deeper integrations with identity providers

New and updated developer-centric security content, just-in-time training modules, and eLearning courses also demonstrate Security Compass’ commitment to ensuring software developers have the training and knowledge required to protect their organizations from emerging and existing application security threats and vulnerabilities in production.

These new capabilities in SD Elements help software development and application security teams:

  • Enhance collaboration between application security and software development teams
  • Improve developer productivity and deliver secure code faster
  • Ensure segregation of duties and stronger access controls on data accessibility
  • Reduce time and costs associated with demonstrating compliance with multiple security standards and regulations
  • Improve user onboarding and the user experience

Updated Threat Model Diagrams

Threat modeling is becoming more common as organizations recognize the risks of connecting their infrastructure and devices to the internet. Visually representing threat models through diagrams makes it easier for organizations to identify design flaws and potential vulnerabilities. However, diagrams contain highly sensitive data about an organization’s infrastructure and applications, so they must be stored in a secure, centralized location.

SD Elements now supports importing Microsoft Threat Modeling Tool and Diagrams.net (formerly Draw.io) diagrams. With the new upload feature and the diagram formats it supports, SD Elements can now be the secure, centralized repository for diagrams, threats, weaknesses, and countermeasures. This release eliminates the need to store diagrams in multiple locations and allows organizations to migrate away from manual threat modeling processes to an automated, developer-centric solution.

Reusable Components Enhancements

Internal security policies, industry regulations, and privacy laws are all standards organizations must abide by. Their threat modeling solution should make this as easy as possible.

Organizations can create, customize, and reuse components to model their microservices architecture with SD Elements. However, prior to this release they could not customize SD Elements’ built-in components.

Organizations can now modify SD Elements’ built-in components to meet the specific needs of their development and application security teams. This enhancement to reusable components simplifies the work required for organizations to satisfy their internal security requirements, industry regulations, and privacy laws. It also reduces the need for security teams to create and model reusable components in SD Elements from scratch.

Advanced Reporting Enhancements

Prior to the SD Elements 2023.1 release, access to data in SD Elements could not be granted to users based on their role. Users either had access to all data or no data.

The new granular permissions in SD Elements enable limiting data access within advanced reporting. SD Elements administrators can now ensure users have access to only the data needed for their role. For end users, the enhancement makes it easier to generate reports, as they only see and access the data their role needs.

 

Updated Identity Provider Integration

In prior versions of SD Elements, there were limitations with onboarding and managing user identities between SD Elements and an organization’s identity provider (IdP), and user management at the group level was not supported. For example, for a newly provisioned user to receive the same permissions as their team, the SD Elements administrator had to grant the proper access levels manually. This created a sub-optimal experience for the new employee, the employee’s manager, the IdP administrator, and the SD Elements administrator.

With the SD Elements 2023.1 release, importing groups and roles from identity providers is now supported. The new functionality works with SD Elements’ existing Single Sign-On (SSO) authentication, extending the SAML configuration, via API, with the ability to map IdP groups to SD Elements groups and IdP roles to SD Elements roles. This enhancement streamlines the SD Elements onboarding process, user management, and the user experience. To learn more about SD Elements’ 35+ integrations, covering application security software, DevOps tools, infrastructure, and issue trackers, visit the SD Elements Integrations page.

 

New Security Content

SD Elements 2023.1 now provides the following security content library updates:

 

  • Payment Card Industry Data Security Standard (PCI-DSS) v4.0: New developer-centric recommendations and out of the box countermeasures for how to satisfy PCI-DSS v4.0 requirements
  • Cybersecurity Maturity Model Certification (CMMC) 2.0: New compliance report with mapped tasks for developers to demonstrate compliance with CMMC 2.0 for Levels 1 and 2

Just-in-time-training (JITT) Updates

New just-in-time training micromodules have been added in SD Elements 2023.1 for Securing the Cloud. For a complete list of the 800+ JITT micromodules now available within SD Elements, please see Security Compass’ Training Curriculum. (If you are a current SD Elements customer, but do not currently have a JITT subscription and would like to learn more, please contact Customer Success or Book a Demo.)

 

New eLearning Courses

The following Security Compass eLearning courses are now available:

  • Defending Go
  • Defending TypeScript
  • PCI-DSS v4.0
  • Secure Software Acceptance and Deployment

To learn more about these new courses, as well as the more than 40 other eLearning courses covering application security, operational security, and compliance fundamentals and best practices, visit the Application Security Training page.

 

Learn More

The new SD Elements 2023.1 release helps organizations who develop software save time and money and reduce cyber risks by taking an automated, developer-centric approach to software threat modeling, secure development, and compliance. This approach enables software developers and security teams to:

 

  • Continuously model threats at scale
  • Proactively write code that significantly reduces risks and remediation costs
  • Demonstrate compliance with secure software development standards more easily
  • Accelerate software time to market

If you are a current SD Elements customer, please reach out to your Customer Success Manager to learn more.

If you are new to SD Elements, request a demo to learn more.

Understanding and Applying the Software Threat Modeling Maturity Model
https://www.securitycompass.com/blog/understanding-and-applying-the-software-threat-modeling-maturity-model/
Fri, 17 Mar 2023 02:42:29 +0000

The post Understanding and Applying the Software Threat Modeling Maturity Model appeared first on Security Compass.

Most organizations use security testing before releasing software to identify weaknesses that an attacker could exploit. While static analysis, dynamic analysis, software composition analysis, and penetration testing can find many common vulnerabilities, testing late in the development process can cause release delays.

A better approach, of course, would be to take steps to prevent design and coding errors from entering the code base to begin with. That’s where threat modeling comes in. Software threat modeling is an exercise that examines an application’s architecture and technical stack. It identifies potential weaknesses an attacker could exploit, then prescribes threat countermeasures and security controls software developers, security, and operations teams can implement. In short, threat modeling anticipates threats prior to starting development. This allows organizations to prevent vulnerabilities from entering the application and build secure software more rapidly.

Why Doesn’t Everyone Use Threat Models?

Traditional threat modeling is a manual exercise requiring leadership from senior security and software architecture professionals. Threat modeling teams can spend weeks mapping an application’s data flow, creating “trust boundary” diagrams, and identifying mitigations for implementation by development teams. We have written at length about some of the challenges with manual threat modeling. Briefly, these include:

  • Scalability: Allocating senior personnel for days or weeks to threat model every project is not practical in most organizations.
  • Shelf life: As teams add new features, microservices, and interfaces to an application, the threats it faces change. In a DevSecOps environment with frequent changes and rapid releases, spending several days to update a threat model is impractical.
  • Consistency: Manual threat models are subject to the judgments, preferences, and expertise of the people building the models.
  • Completeness and auditability: Tracking hundreds or thousands of threats and countermeasures in a spreadsheet or shared document is cumbersome and prone to mistakes.

Nonetheless, threat modeling is beneficial to organizations of all sizes. Like any initiative, adopting a threat modeling program is a journey.

Understanding Capability Maturity Models

A capability maturity model provides a blueprint for assessing and advancing an organization’s practices. Here at Security Compass, when we talk to organizations who want to improve their secure software development process, we tell them one of the best places to start is a quick, informal assessment of their current software threat modeling maturity. We also typically encourage them to base their model on the Capability Maturity Model (CMM) developed by Watts Humphrey and others at the Carnegie Mellon University Software Engineering Institute, originally for the Department of Defense, as a means to characterize the capabilities of software development organizations.

Software Threat Modeling Maturity Model

A Capability Maturity Model recognizes that processes evolve over time, and that as organizations gain experience and knowledge, they can improve their processes to become more efficient, effective, and predictable. The maturity model can be applied to any type of organizational process, including software development, project management, quality assurance, or customer support.

By focusing on process maturity, organizations can identify areas for improvement, develop best practices, and achieve greater consistency and efficiency in their operations. Like the Capability Maturity Model, the Software Threat Modeling Maturity Model (STMMM) we use with many organizations consists of five discrete levels.

Level 1 – Initial

Level 1 maturity is typified by unpredictability and poor controls. Activities are ad hoc and reactive, and results are unpredictable. This does not mean that efforts will fail, as extraordinary individual effort can still produce success. However, because processes are poorly defined and documented, that success is unlikely to be repeatable.

Level 1 maturity for threat modeling is characterized by one or two individuals defining data flow diagrams (DFD), entry points, and likely attack patterns. Threat countermeasures are ad hoc and inconsistent. Engineering must interpret high level descriptions (e.g., “apply least privilege principles”) and translate those into controls for implementation and testing. Reporting is through shared documents or spreadsheets.

Requirements to advance to Level 2

In Level 1, teams have not sufficiently defined and documented processes to enable them to be replicated. Advancing to Level 2 requires additional discipline to define policies and processes to achieve consistency between projects.

Level 2 – Repeatable

At Level 2, teams have defined and documented processes that allow for repeatable results. This does not guarantee that teams will rigorously follow the processes each time, however. For threat modeling, teams operating at Level 2 have documented policies for identifying which applications require threat models. Teams lack the resources to focus on more than one or two high-priority applications.

Level 2 threat modeling is manual and diagrammatic. Documentation remains document- and spreadsheet-based, so diligence is required to ensure repeatability. Teams may begin to document specific threats and countermeasures associated with common frameworks or deployment environments. This allows better consistency between threat models and uniform application of approved controls.

Requirements to advance to Level 3

Level 2 organizations lack information, documentation, and consistency. Teams need to capture and analyze data to identify blockers and missed opportunities. For example, if security testing repeatedly identifies SQL injection vulnerabilities, threat modelers should respond by examining injection threats, and the countermeasures that address them (parameterized queries, backed by input validation), more closely, so that the control is prescribed up front rather than discovered in testing. Training on secure coding can also benefit the team.
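As an added illustration (example code written for this edit, not from the original post and not SD Elements’ own content), here is what that feedback loop looks like once the finding reaches a developer: the function security testing flagged, the countermeasure the threat model now prescribes, and a regression check the team can keep so the same vulnerability class does not come back. The table, rows, and function names are hypothetical, and SQLite is used so the block runs offline.

```python
"""
Added example: turning a repeated SQL injection finding into a concrete
threat-model countermeasure ("use parameterized queries for all database
access") plus a regression check. All names and data are constructed for
illustration; they are not from the original post or from SD Elements.
"""
import sqlite3


def make_db() -> sqlite3.Connection:
    """Build an in-memory database with constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, role TEXT)"
    )
    conn.executemany(
        "INSERT INTO users (username, role) VALUES (?, ?)",
        [("alice", "admin"), ("bob", "developer"), ("carol", "auditor")],
    )
    conn.commit()
    return conn


def find_user_vulnerable(conn: sqlite3.Connection, username: str) -> list:
    """The finding: the username is concatenated into the SQL text, so an
    attacker-controlled value changes the query itself (CWE-89)."""
    query = "SELECT username, role FROM users WHERE username = '" + username + "'"
    return conn.execute(query).fetchall()


def find_user_parameterized(conn: sqlite3.Connection, username: str) -> list:
    """The countermeasure: the SQL text is fixed and the value travels as a
    bound parameter, so it is compared as data and never parsed as SQL."""
    return conn.execute(
        "SELECT username, role FROM users WHERE username = ?", (username,)
    ).fetchall()


# A classic tautology payload: closes the string literal and appends a
# condition that is always true. The query's own closing quote completes
# the payload's last literal, so the injected SQL is syntactically valid.
INJECTION_PAYLOAD = "x' OR '1'='1"


def countermeasure_holds(conn: sqlite3.Connection) -> bool:
    """Regression check to keep in the test suite once the countermeasure
    task is marked complete: the payload must match no rows."""
    return find_user_parameterized(conn, INJECTION_PAYLOAD) == []


if __name__ == "__main__":
    db = make_db()
    # The vulnerable lookup returns every row; the parameterized one returns none.
    print("vulnerable:    ", find_user_vulnerable(db, INJECTION_PAYLOAD))
    print("parameterized: ", find_user_parameterized(db, INJECTION_PAYLOAD))
    print("countermeasure holds:", countermeasure_holds(db))
```

The point for a maturing threat modeling practice is the last function: once the countermeasure is recorded as an explicit task, a check like this makes it measurable, which is what separates a Level 3 “defined” control from an ad hoc fix.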

Level 3 – Defined

At Level 3, threat modeling becomes proactive. Teams have standardized and documented threat modeling activities integrated into organizational processes. Documenting uniform threats and countermeasures based on the technology stack reduces the organization’s reliance on scarce senior security and engineering personnel and allows multiple teams to produce consistent threat models and countermeasures. In turn, this allows threat modeling of a higher percent of the organization’s application inventory.

Teams having “defined” threat modeling practices incorporate regulatory requirements in addition to general secure coding standards. This is where automation can accelerate advancing to Level 3. Developer-centric threat modeling solutions like SD Elements provide teams with comprehensive interpretations of standards like NIST 800-53, CCPA, PCI-DSS, CSA Cloud Control Matrix, and others. Automation also allows teams to adopt standardized countermeasures or adjust them to meet internal requirements. Each countermeasure is defined as an actionable task and delivered through existing tools (e.g., Jira) for implementation by development, security, or operations.

Requirements to advance to Level 4

Threat modeling teams need to leverage additional data analysis to advance to Level 4 maturity. This includes identifying choke points in the system and analyzing residual findings from security testing to guide process change. Tailored training for developers on individual issues can help refine countermeasures.

Level 4 – Managed

Level 4 threat modeling maturity is characterized by processes that are measured and controlled. Teams have customized their threat models to each technical stack and deployment environment, and threat countermeasures are consistent across teams. Proactive security controls with approved standards result in fewer vulnerability findings during security testing. Continuous developer education delivered to desktops instills a security culture.

In a managed environment, automation enables teams to achieve consistency and scale threat modeling across all team members, minimizing variability and the requirement for senior personnel. By leveraging a centralized platform like SD Elements, teams can measure process metrics across a range of personnel and application architectures with near-real-time visibility into the security profile of each application.

Requirements to advance to Level 5

Level 5 maturity requires a regimented review of data to identify efficiencies. This includes continuous monitoring of the threat space and regulatory environment to maintain awareness of new threats, standards, and countermeasures. It is also advisable to monitor performance between personnel conducting threat models to ensure consistency and identify areas for improvement. The addition of developer-centric eLearning is helpful to close knowledge gaps and create the foundation for a security culture.

Level 5 – Optimizing

Teams that perform at Level 5 maturity focus on incremental improvement through test, analyze, adjust cycles. Processes are constantly improved through monitoring feedback and introducing innovative methods and functionality. In an automated platform, this may include new survey questions to reduce threat modeling time, more frequent updates to the threat model as software requirements change, or testing the effectiveness of new countermeasures. Security and engineering scrutinize vulnerabilities to determine if the root cause was a missing item from the threat model, a poorly designed countermeasure, or an ineffective test plan.
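The two feedback loops described above (feeding security-testing findings back into the threat model at Level 2 to 3, and the Level 5 root-cause review of each vulnerability) can be made mechanical once threats, countermeasure tasks and verification tests are tracked as data. The script below is an added illustration, not SD Elements code or any project's records: the threat model, task states, test results and findings are constructed sample data, and the "countermeasure_not_implemented" category is an assumption added beyond the three root causes the text names, to separate a control that was never built from one that was built badly.

```python
"""Root-cause triage of security-testing findings against a threat model.

Constructed example: the threat model, task states, test results and
findings below are made-up sample data, not SD Elements data or any
real project's records.
"""
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class Threat:
    """One threat-model entry: the weakness it covers and its countermeasure."""
    threat_id: str
    cwe: str                        # weakness class the threat describes
    countermeasure_id: str          # tracker task that implements the control
    test_id: Optional[str] = None   # verification test for the countermeasure


@dataclass
class Finding:
    """One result from security testing (constructed sample)."""
    finding_id: str
    cwe: str
    component: str


# Constructed threat model for a hypothetical web service.
THREAT_MODEL: List[Threat] = [
    Threat("T-01", "CWE-89", "CM-01", "TST-01"),   # SQL injection -> parameterised queries
    Threat("T-02", "CWE-79", "CM-02", None),       # XSS -> output encoding, no test written
    Threat("T-03", "CWE-287", "CM-03", "TST-03"),  # broken auth -> session checks
]

# Constructed countermeasure task status, as it might be exported from a tracker.
TASK_DONE: Dict[str, bool] = {"CM-01": True, "CM-02": True, "CM-03": False}

# Constructed verification results: True means the test passed.
TEST_RESULTS: Dict[str, bool] = {"TST-01": True, "TST-03": True}

# Constructed findings from one security-testing round.
FINDINGS: List[Finding] = [
    Finding("F-1", "CWE-89", "orders-api"),
    Finding("F-2", "CWE-89", "search-api"),
    Finding("F-3", "CWE-79", "web-ui"),
    Finding("F-4", "CWE-287", "admin-api"),
    Finding("F-5", "CWE-352", "web-ui"),   # CSRF: no threat covers it in the model
]


def classify(finding: Finding,
             model: List[Threat] = THREAT_MODEL,
             done: Dict[str, bool] = TASK_DONE,
             results: Dict[str, bool] = TEST_RESULTS) -> str:
    """Assign one root-cause category to a finding.

    The first three categories are the ones the maturity model names; the
    fourth ("countermeasure_not_implemented") is an assumption added here.
    """
    threat = next((t for t in model if t.cwe == finding.cwe), None)
    if threat is None:
        return "missing_threat"                   # threat model never considered this weakness
    if not done.get(threat.countermeasure_id, False):
        return "countermeasure_not_implemented"   # control designed but task still open
    if threat.test_id is None or threat.test_id not in results:
        return "ineffective_test_plan"            # control built but never verified
    if results[threat.test_id]:
        return "poorly_designed_countermeasure"   # verified as built, yet still exploitable
    return "ineffective_test_plan"                # test failed and did not gate the release


def triage(findings: List[Finding]) -> Dict[str, int]:
    """Count findings per root-cause category (the Level 5 review)."""
    return dict(Counter(classify(f) for f in findings))


def recurring_weaknesses(findings: List[Finding], threshold: int = 2) -> List[str]:
    """CWEs seen at least `threshold` times: candidates for closer threat-model review."""
    counts = Counter(f.cwe for f in findings)
    return sorted(cwe for cwe, n in counts.items() if n >= threshold)


if __name__ == "__main__":
    for f in FINDINGS:
        print(f.finding_id, f.cwe, f.component, "->", classify(f))
    print("root causes:", triage(FINDINGS))
    print("recurring weaknesses to revisit:", recurring_weaknesses(FINDINGS))
```

Run on the constructed data, the two SQL injection findings land on a countermeasure that was built and verified, which points at the control's design rather than at the testers; the CSRF finding is a gap in the model itself. The recurring-weakness list is the signal the Level 2 to 3 passage describes: repeated SQL injection findings mean the input validation threats deserve a closer look.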

SD Elements provides quarterly updates from Security Compass’ security professionals on the threat environment and regulatory requirements. Advanced Reporting makes complex threat, countermeasure, security control, and compliance data accessible and easy to digest. Teams can create rich data visualizations and dashboards that identify the most prevalent threats and weaknesses across the organization’s software portfolio. Teams also have the data, reporting, and analytics capabilities they need to perform in-depth analyses of their software security and compliance posture for individual software projects, as well as across their entire software (or application) portfolio.

Closing

Building a mature threat modeling capability is a process. By focusing initially on key projects, teams can build internal support and capture data on threat mitigation and cost savings. Automation is a key requirement, as manual processes are inconsistent, unauditable, and simply do not scale.

SD Elements helps organizations accelerate their threat modeling initiatives and simplifies maturing programs. It provides an expansive content library of threats, countermeasures, and security and compliance best practices designed specifically to address the needs of developers. This expertise, provided by expert researchers on the SD Elements content team with decades of experience, is coupled with embedded, highly interactive, just-in-time training modules to enable software developers to quickly understand and comply with changing software security standards and threat landscapes.

The post Understanding and Applying the Software Threat Modeling Maturity Model appeared first on Security Compass.