Product Updates Archives - Security Compass, The Security By Design Company (feed updated Wed, 10 Jul 2024 12:02:38 +0000)

Navigating AI Security: What’s New in SD Elements 2024.1
https://www.securitycompass.com/blog/navigating-ai-security-whats-new-in-sd-elements/
Wed, 08 May 2024 12:59:19 +0000

The post Navigating AI Security: What’s New in SD Elements 2024.1 appeared first on Security Compass.


With the 2024.1 release, Security Compass is pleased to announce the addition of new AI security content and training for SD Elements. This includes:

  • AWS Sagemaker Security Content
  • ENISA Standards/OWASP Top Ten for Machine Learning (ML) Security Content
  • Defending AI Just-In-Time Training modules

The SD Elements security content library also features:

  • NIST AI Risk Management Framework (RMF)
  • OWASP Top Ten for Large Language Models (LLMs)

A recent Security Compass survey found that 66% of businesses with over $5B in annual revenue have already integrated AI into their products and services or have made doing so a high priority. Our goal at Security Compass is to ensure that, if you build, manage, or deploy ML models, your organization has the requirements and training to build products and software that are secure by design.



AWS Sagemaker Security Content: “Build, train, and deploy your machine learning (ML) models faster”

AWS Sagemaker is one of the leading cloud-based services that help data scientists, machine learning engineers, and developers build, train, and deploy ML models at scale. SD Elements has added security requirements that address the risks of using AWS Sagemaker.

To access the security requirements for AWS Sagemaker, you must first complete the survey. You will find Sagemaker under Deployment → Cloud Computing → Cloud Providers → AWS Content (Non-Story driven) → Sagemaker.

If you are building a diagram, then you will have the ability to add the AWS Sagemaker component to your canvas.

SD Elements then generates the applicable security requirements, each with detailed guidance on how to address it.

ENISA and OWASP Top Ten for Machine Learning Security Content

In June 2023, the European Union Agency for Cybersecurity (ENISA) published a framework for securing AI. It is intended to help organizations that develop or use AI systems secure those systems and the operations and processes around them. The OWASP Top Ten for Machine Learning (ML) project gives an overview of the ten most significant security issues in machine learning systems, including data and model poisoning, model theft, and supply chain attacks.

To support the ENISA AI framework and the OWASP Top Ten for ML, SD Elements now offers a single consolidated list of threats, weaknesses, and countermeasures that covers both.

You will be able to access this content within the survey under Application General → Context and Characteristics → Build and deploy machine learning (ML) models. Once you complete the survey, SD Elements will generate the requisite security requirements.

SD Elements can also generate a project report: Reports → Project Reports → ENISA – Securing Machine Learning Algorithms. The report breaks down countermeasure completion status by section of ENISA’s Securing Machine Learning Algorithms and by phase of the software development lifecycle.

Defending AI

SD Elements now supports 17 micro-modules based on the OWASP Top Ten for LLMs. Topics covered in the modules include:

  • AI Cybersecurity Landscape
  • Protecting Data Models
  • Securing Model Interactions
  • Preventing AI Abuse
  • AI Governance

If you select “Uses Large Language Models (LLMs)” in the survey, your users will see the modules within the applicable countermeasures.

Within an applicable countermeasure, the module is reached by following the path Countermeasures → Training → Defending AI; clicking the link opens the module.

Ready to Take The Next Step?

To learn more about SD Elements AI security content and training, schedule a demo with one of our Account Executives.



Learn More

Security Compass enables you to deliver secure & compliant products and software by design.

By taking a proactive approach to threat modeling and secure development, SD Elements improves software security at scale, reduces operational costs, and helps organizations achieve compliance. Application Security Training from Security Compass takes developers from good to great with accredited role-based security eLearning.

Leading organizations across industries are using Security Compass’ developer-centric technologies and expertise to adopt a “security by design” approach and scale their AppSec efforts beyond what was possible with traditional “find and fix” methodologies.

New to SD Elements? Request a demo to explore how our solutions can transform your software security landscape.

SD Elements 2023.4 Release Update
https://www.securitycompass.com/blog/sd-elements-2023-4-release-update/
Mon, 08 Jan 2024 01:20:36 +0000


The latest 2023.4 release from Security Compass streamlines Security by Design, giving application security and software development teams a more straightforward and efficient approach. Key enhancements in SD Elements 2023.4 include:

  • Enhanced Trend Reporting
  • Integration with Checkmarx One SAST
  • The ability to use Custom Icons
  • Refreshed and Updated Security Content

Trend Reporting

SD Elements now includes Trend Reporting within its Advanced Reporting functionality. This new feature provides valuable insights into the evolving security posture of your organization, showcasing how SD Elements contributes to continuous security improvements over time.

The dashboard below shows, for an example bank, the number of compliant and non-compliant projects and how its GDPR compliance is trending over time.


Integration with Checkmarx One SAST

SD Elements now integrates with Checkmarx One SAST. This new integration allows you to import SAST scan results from Checkmarx One into SD Elements. The following guide will show you how to set up the integration and the results it will yield within SD Elements.


Custom Icons

SD Elements users with customizable-content permissions can choose an icon from the available list for a new custom component, or assign an alternate icon to any component they have already created. Custom icons bring the connected components of a secure-by-design diagram in line with your organization’s own visual language.

Below is a sample of the custom icons that will be available when you generate a threat model diagram.


CWE Top 25 2023 Compliance Report and Content

The Common Weakness Enumeration (CWE) program recently released its 2023 CWE™ Top 25 Most Dangerous Software Weaknesses list, which highlights the currently most common and impactful software weaknesses. With the 2023.4 release, SD Elements adds a compliance report for the CWE Top 25 2023 with mappings to the relevant countermeasures. The report is available under Project Reports → Compliance Reports.


Learn More

Security Compass enables you to deliver secure & compliant software by design.

By taking a proactive approach to threat modeling and secure development, SD Elements improves software security at scale, reduces operational costs, and helps organizations achieve compliance. Application Security Training from Security Compass takes developers from good to great with accredited role-based security eLearning.

Leading organizations across industries are using Security Compass’ developer-centric technologies and expertise to adopt a “security by design” approach and scale their AppSec efforts beyond what was possible with traditional “find and fix” methodologies.

For existing SD Elements customers, please contact your Customer Success Manager for further insights and support.

New to SD Elements? Request a demo to explore how our solutions can transform your software security landscape.

SD Elements 2023.3 Release Update
https://www.securitycompass.com/blog/sd-elements-2023-3-release-update/
Sat, 21 Oct 2023 02:05:43 +0000

Security Compass is making Security by Design easier than ever for software development teams with the 2023.3 release. New features now available in SD Elements 2023.3 include:

  • New AI governance, large language models (LLM), Consumer IoT, Rust, and ISO 27001:2022 security content
  • Scheduled user deactivation and reactivation
  • SD Elements library and content improvements
  • Enhanced Auditing

Developer-centric Security Content

Create an AI Governance framework based on NIST AI RMF

SD Elements has added security content to help your organization create an AI governance framework. This framework is based on the NIST AI Risk Management Framework, which provides guidance on how to govern, map, measure, and manage the usage of AI products.

The survey has a new section: “Artificial Intelligence/Machine Learning.”

When you select “AI governance tasks are in scope” and complete the survey, you will then be provided with weaknesses, countermeasures, and a report based on the NIST AI RMF.

Embed security for the OWASP Top 10 LLM Applications with ease

SD Elements now provides developer-centric recommendations for the OWASP Top 10 for Large Language Model Applications.

When you select “Uses Large Language Models (LLM)” and complete the survey, you will then be provided with weaknesses and countermeasures based on the OWASP Top 10 for Large Language Model Applications.

Prevent large-scale, prevalent attacks against your IoT devices

SD Elements is adding new countermeasures and a compliance report for ETSI EN 303 645, the globally recognized baseline security standard for consumer IoT devices, so your organization can show that it is aligned with it.

When selecting a Compliance Report, you now have the option to select EN 303 645, which will generate a list of potential countermeasures and their completion status.

Rust

SD Elements now supports security content for Rust.

ISO 27001:2013 → ISO 27001:2022

When selecting a Compliance Report, you now have the option to select ISO 27001:2022, which will generate a list of potential countermeasures and their completion status.

Automate the user lifecycle management process

SD Elements now supports scheduled automatic deactivation of user identities directly from the SD Elements user interface, as well as reactivation of deactivated identities that use SSO (SAML, LDAP). To automatically deactivate and reactivate user identities:

Set the deactivation parameter and the number of days after which the selected users’ or groups’ identities should be deactivated. Because you can target specific users and/or groups, the policy gives you granular control over the user lifecycle workflow.

Automatically reactivating users via SSO Login can now be completed in two clicks.
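The policy described above has three moving parts: an inactivity limit scoped to users or groups, a scheduled reactivation date, and reactivation on an SSO login. The following is an added example written for this page, not SD Elements code; the User model, the policy format (days keyed by group name or by `user:<name>`), the sample users and all function names are assumptions made for the illustration.

```python
"""Inactivity-based deactivation with scheduled and SSO-driven reactivation.

Added illustration of the lifecycle policy described above; not SD Elements
code. The User model, the policy format and the function names are assumptions.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, FrozenSet, List, Optional


@dataclass
class User:
    name: str
    groups: FrozenSet[str]
    last_activity: date                    # last login or administrative (re)activation
    sso: bool                              # identity comes from SAML/LDAP, not a local password
    active: bool = True
    reactivate_on: Optional[date] = None   # scheduled reactivation date, if any


# Days of inactivity allowed before deactivation, keyed by group name or by
# "user:<name>". A per-user entry overrides group entries; a user in several
# scoped groups gets the strictest (smallest) limit; users in no scoped group
# are left alone, so deactivation is always an explicit policy decision.
Policy = Dict[str, int]


def inactivity_limit(user: User, policy: Policy) -> Optional[int]:
    """Return the inactivity limit (days) for this user, or None if unscoped."""
    per_user = policy.get(f"user:{user.name}")
    if per_user is not None:
        return per_user
    limits = [policy[g] for g in user.groups if g in policy]
    return min(limits) if limits else None


def run_scheduled_deactivation(users: List[User], policy: Policy, today: date) -> List[str]:
    """Deactivate active users whose inactivity exceeds their limit; return their names."""
    deactivated = []
    for u in users:
        limit = inactivity_limit(u, policy)
        if not u.active or limit is None:
            continue
        if today - u.last_activity > timedelta(days=limit):
            u.active = False
            deactivated.append(u.name)
    return sorted(deactivated)


def run_scheduled_reactivation(users: List[User], today: date) -> List[str]:
    """Reactivate users whose scheduled reactivation date has arrived."""
    reactivated = []
    for u in users:
        if not u.active and u.reactivate_on is not None and today >= u.reactivate_on:
            u.active = True
            u.reactivate_on = None
            u.last_activity = today        # restart the inactivity clock
            reactivated.append(u.name)
    return sorted(reactivated)


def login(user: User, idp_asserted: bool, today: date) -> bool:
    """Handle a login attempt and return whether the user is active afterwards.

    A deactivated identity is reactivated only when it is an SSO identity the
    IdP still asserts; a deactivated local account stays locked until an
    administrator acts, so a deprovisioned account cannot revive itself.
    """
    if user.active:
        user.last_activity = today
        return True
    if user.sso and idp_asserted:
        user.active = True
        user.reactivate_on = None
        user.last_activity = today
        return True
    return False


def demo() -> Dict[str, object]:
    """Run the policy over constructed sample users and return what happened."""
    alice = User("alice", frozenset({"developers"}), date(2024, 1, 1), sso=True)
    bob = User("bob", frozenset({"developers", "admins"}), date(2024, 3, 1), sso=True)
    carol = User("carol", frozenset({"contractors"}), date(2024, 5, 1), sso=False)
    dave = User("dave", frozenset({"qa"}), date(2023, 1, 1), sso=True)
    users = [alice, bob, carol, dave]
    policy: Policy = {"developers": 90, "admins": 30, "user:carol": 30}
    today = date(2024, 6, 1)

    deactivated = run_scheduled_deactivation(users, policy, today)
    bob.reactivate_on = date(2024, 6, 15)          # an admin schedules bob's return
    early = run_scheduled_reactivation(users, date(2024, 6, 10))
    on_time = run_scheduled_reactivation(users, date(2024, 6, 15))
    return {
        "deactivated": deactivated,                      # ['alice', 'bob', 'carol']; dave is unscoped
        "early": early,                                  # []: date not reached
        "on_time": on_time,                              # ['bob']
        "alice_sso_login": login(alice, True, today),    # True: the IdP still asserts alice
        "carol_local_login": login(carol, True, today),  # False: local account needs an admin
    }


if __name__ == "__main__":
    print(demo())
```

Two design choices matter here. The strictest limit wins when a user sits in several scoped groups, so adding someone to a privileged group never loosens their lifecycle. And reactivation on login is gated on the IdP still asserting the identity, which is what makes SSO-driven reactivation safe: deprovisioning at the IdP remains authoritative.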

Migrate Activated and Deactivated Library Content

You can now export deactivated content, set content to deactivate or activate upon import, and delete custom content upon import within SD Elements.

Enhanced Auditing

All content updates are now made available in Global Activity Logs, Project Activity Logs, and Countermeasure Activity Logs.

Learn More

Security Compass, the Security by Design company, helps organizations that develop software save time and money and reduce cyber risk through education and an automated, developer-centric approach to software threat modeling, secure development, and compliance. This approach enables software developers and security teams to:

  • Understand best practices for embedding product security
  • Continuously model threats at scale
  • Proactively write code that significantly reduces risks and remediation costs
  • Demonstrate compliance with secure software development standards more easily
  • Accelerate software time to market

If you are a current SD Elements customer, please reach out to your Customer Success Manager to learn more.

If you are new to SD Elements, request a demo to learn more.

SD Elements 2023.2 Release Update
https://www.securitycompass.com/blog/sd-elements-2023-2-release-update/
Sat, 08 Jul 2023 02:07:58 +0000


Expanding Depth and Breadth of Security and Training Content and Integrations

To provide a good customer experience, all organizations must strive for a Security by Default end state: products that are secure to use out of the box. Releasing products with vulnerabilities puts customer data at risk, and a threat actor who obtains personally identifiable information can do lasting harm to customers. The burden of putting strong security measures in place (for example, strong passwords or multi-factor authentication) should not fall on your customers.

To achieve the Security by Default end state, organizations must adopt a Security by Design approach. Security by Design is the philosophy of ensuring that systems are built securely from the very beginning of the development process. Implementing it is not a one-size-fits-all exercise, however, as organizations, departments, and teams all have different needs. The right solution for adopting or optimizing your Security by Design approach must address your organization’s current needs, integrate with your existing tech stack, and reduce the number of security requirements your developers have to address by hand.

Security Compass, the Security by Design company, has developed two developer-centric solutions, SD Elements and Application Security Training (formerly eLearning), which allow organizations to embed product security early in the development process. Both enable organizations, departments, and teams to release secure code faster through training, automatic identification and prioritization of software threats, recommended countermeasures, and a reduced risk of insecure design.

With the release of SD Elements 2023.2, Security Compass is making Security by Design easier than ever for software development teams. New features now available in SD Elements 2023.2 include:

  • Improvements to the SD Elements survey
  • New and updated security content
  • Enhanced user lifecycle management experience
  • New and updated Just-In-Time-Training (JITT) modules and Application Security Training courses

Survey Enhancements

The survey is the foundation of an SD Elements threat model. Depending on the complexity of the system, completing it can require collaboration among multiple users across teams. Prior to the 2023.2 release, it was hard for users to see what had changed, and the stakeholder responsible for submitting the survey had no way to review those changes.

With the 2023.2 release, any changes made in the survey will now be highlighted. When the owner is ready to submit the survey, they will be directed to a confirmation page where they will have the opportunity to review all the changes. This update will reduce the time spent reviewing survey answers.

User Lifecycle Management Enhancements

It is the responsibility of the SD Elements administrator to oversee user lifecycle management. In previous releases, we addressed onboarding by adding the ability to import groups and roles from identity providers into SD Elements; however, that capability was available only through the API, not within the SD Elements user interface (UI). Reactivating suspended users was also a challenge: if an identity provider does not support scheduled reactivation, reactivation had to be done manually within SD Elements, which is labor-intensive.

With the 2023.2 release, SD Elements enhances onboarding and automates the reactivation of inactive users. The new onboarding experience builds on SD Elements’ existing Single Sign-On (SSO) authentication, extending the SAML configuration in the UI so that Identity Provider (IdP) groups can be mapped to SD Elements groups and IdP roles to SD Elements roles. With scheduled reactivation, administrators set a date on which a suspended user’s identity is activated; when that date arrives, the user is automatically granted access to SD Elements.

New Security Content

SD Elements 2023.2 now provides the following security content library updates:

  • ISO 21434 (Automotive Industry): New developer-centric recommendations and out of the box countermeasures for how to satisfy ISO 21434 requirements
  • OWASP IoT Top 10: New and updated developer-centric recommendations for how to address the most common security risks that can make IoT devices vulnerable
  • OWASP Privacy Top 10: New OWASP Privacy Top 10 report and developer-centric recommendations and countermeasures based on the OWASP Privacy Top 10 Project

Just-in-Time-Training (JITT) Updates

Just-in-Time Training micromodules have been updated in SD Elements 2023.2 for Defending Node.js and Defending Java. For a complete list of the 800+ JITT micromodules now available within SD Elements, please see Security Compass’ Training Curriculum. (If you are a current SD Elements customer but do not currently have a JITT subscription and would like to learn more, please contact Customer Success or Book a Demo.)

Application Security Training Courses

The following Security Compass Application Security Training courses are now available:

  • Defending Node.js
  • Defending Java

To learn more about these courses, as well as the more than 40 other Application Security Training courses covering application security, operational security, compliance, and general awareness, please visit the Application Security Training page.

Learn More

Security Compass, the Security by Design company, helps organizations that develop software save time and money and reduce cyber risk through education and an automated, developer-centric approach to software threat modeling, secure development, and compliance. This approach enables software developers and security teams to:

  • Understand best practices for embedding product security
  • Continuously model threats at scale
  • Proactively write code that significantly reduces risks and remediation costs
  • Demonstrate compliance with secure software development standards more easily
  • Accelerate software time to market

If you are a current SD Elements customer, please reach out to your Customer Success Manager to learn more.

If you are new to SD Elements, request a demo to learn more.

SD Elements 2023.1 Release Update
https://www.securitycompass.com/blog/sd-elements-2023-1-release-update/
Sat, 15 Apr 2023 05:05:08 +0000

Enhancing the Developer-centric Threat Modeling and Secure Development Experience

Product security is a value add. Embedding it throughout the software development lifecycle (SDLC) is frequently a top-down mandate, driven by the cost savings and competitive advantage that come from minimizing the number of vulnerabilities that reach customers.

Software threat modeling and secure development are ideal solutions to help organizations address product security early in the SDLC. However, utilizing manual approaches can take weeks to months to complete and can increase the chances of misidentifying possible vulnerabilities. This adds another friction point for developers being able to hit their release goals.

Security Compass has developed SD Elements, a developer-centric, automated approach to threat modeling and secure development. SD Elements lets developers release secure code faster by automatically identifying and prioritizing software threats, recommending countermeasures, and reducing the risk of insecure design; compared with traditional manual processes, the time saved can be measured in months. With the release of SD Elements 2023.1, Security Compass is making security by design easier than ever for software development and application security teams. New features now available in SD Elements 2023.1 include the ability to:

  • Import threat model diagrams from Microsoft Threat Modeling Tool and Diagrams.net (formerly Draw.io)
  • Customize built-in reusable components
  • Specify new granular permissions in advanced reporting
  • Provide deeper integrations with identity providers

New and updated developer-centric security content, just-in-time training modules, and eLearning courses also demonstrate Security Compass’ commitment to ensuring software developers have the training and knowledge required to effectively protect their organizations from emerging and existing application security threats and vulnerabilities in production.


These new capabilities in SD Elements help software development and application security teams:


  • Enhance collaboration between application security and software development teams
  • Improve developer productivity and deliver secure code faster
  • Ensure segregation of duties and stronger access controls on data accessibility
  • Reduce time and costs associated with demonstrating compliance with multiple security standards and regulations
  • Improve user onboarding and the user experience

Updated Threat Model Diagrams

Threat modeling is becoming more common as organizations recognize the risks of connecting their infrastructure and devices to the internet. Representing threat models as diagrams makes it easier to identify design flaws and potential vulnerabilities. However, diagrams contain highly sensitive detail about an organization’s infrastructure and applications, so they must be stored in a secure, centralized location.

SD Elements now supports importing Microsoft Threat Modeling Tool and Diagrams.net (formerly Draw.io) diagrams. With the new upload feature and the diagram formats it supports, SD Elements can now be the secure, centralized repository for diagrams, threats, weaknesses, and countermeasures. This release eliminates the need to store diagrams in multiple locations and allows organizations to migrate away from manual threat modeling processes to an automated, developer-centric solution.

Reusable Components Enhancements

Internal security policies, industry regulations, and privacy laws are all standards organizations must abide by. Their threat modeling solution should make this as easy as possible.


Organizations can create, customize, and reuse components to model their microservices architecture with SD Elements. However, they could not customize SD Elements built-in components prior to this release.


Organizations can now modify SD Elements built-in components to meet the specific needs of their development and application security teams. This enhancement to reusable components simplifies the work required for organizations to satisfy their internal security requirements, industry regulations, and privacy laws. It also reduces the need for security teams to create and model reusable components in SD Elements.

Advanced Reporting Enhancements

Prior to the SD Elements 2023.1 release, access to data in SD Elements could not be granted to users based on their role. Users either had access to all data or no data.


The new granular permissions let SD Elements administrators limit data access within advanced reporting, so that users have access only to the data their role requires. For end users this also simplifies report generation, since only the data relevant to their role is visible.

Updated Identity Provider Integration

In prior versions of SD Elements, there were limitations with onboarding and managing user identities between SD Elements and an organization’s identity providers (IdP). Support for user management at the group level was also not available. For example, for a newly provisioned user to receive the same level of permissions as their team, the SD Elements administrator would have to manually grant them the proper access levels. This created a sub-optimal experience for the new employee, the employee’s manager, the IdP administrator, and the SD Elements administrator.


With the SD Elements 2023.1 release, groups and roles can be imported from identity providers. The new functionality works with SD Elements’ existing Single Sign-On (SSO) authentication, extending the SAML configuration, via API, so that IdP groups can be mapped to SD Elements groups and IdP roles to SD Elements roles. This streamlines onboarding and user management and improves the user experience. To learn more about SD Elements’ 35+ integrations, covering application security software, DevOps tools, infrastructure, and issue trackers, visit the SD Elements Integrations page.
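The mapping this section and the 2023.2 notes describe is, at its core, attribute-driven and default-deny provisioning: only IdP groups an administrator has explicitly mapped grant anything. The following is an added example written for this page, not SD Elements code and not its SAML implementation; the sample assertion, the mapping table, the role ranking and the function names are assumptions.

```python
"""Map IdP groups carried in a SAML assertion to application groups and roles.

Added example for the group/role mapping described in the 2023.1 and 2023.2
notes; not SD Elements code. The sample assertion, the mapping table, the role
ranking and the function names are assumptions.
"""
import xml.etree.ElementTree as ET   # use defusedxml.ElementTree for untrusted input in production
from typing import Dict, Iterable, List, Tuple

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed assertion, not a real IdP response. A real assertion's signature,
# Issuer, Audience and validity window must be verified by the SAML library in
# front of this code before any attribute in it is trusted.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_c0ffee" Version="2.0" IssueInstant="2024-06-01T12:00:00Z">
  <saml:Issuer>https://idp.example.test</saml:Issuer>
  <saml:Subject><saml:NameID>alice@example.test</saml:NameID></saml:Subject>
  <saml:AttributeStatement>
    <saml:Attribute Name="groups">
      <saml:AttributeValue>appsec-engineers</saml:AttributeValue>
      <saml:AttributeValue>payments-developers</saml:AttributeValue>
      <saml:AttributeValue>all-staff</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""

# IdP group -> (application group, role). Assumed names. Unmapped IdP groups
# confer nothing, so a new IdP group grants no access until an admin maps it.
GROUP_MAP: Dict[str, Tuple[str, str]] = {
    "appsec-engineers": ("AppSec", "security_lead"),
    "payments-developers": ("Payments", "developer"),
    "sde-viewers": ("Platform", "viewer"),
    "sde-admins": ("Platform", "admin"),
}

# Precedence used when several IdP groups map to the same application group.
ROLE_RANK = {"viewer": 1, "developer": 2, "security_lead": 3, "admin": 4}


def extract_attributes(assertion_xml: str) -> Tuple[str, Dict[str, List[str]]]:
    """Return (subject NameID, {attribute name: values}) from an assertion."""
    root = ET.fromstring(assertion_xml)
    name_id = root.find("./saml:Subject/saml:NameID", SAML_NS)
    subject = (name_id.text or "").strip() if name_id is not None else ""
    if not subject:
        raise ValueError("assertion has no usable NameID")
    attrs: Dict[str, List[str]] = {}
    for attr in root.findall("./saml:AttributeStatement/saml:Attribute", SAML_NS):
        values = [v.text.strip() for v in attr.findall("saml:AttributeValue", SAML_NS)
                  if v.text and v.text.strip()]
        attrs.setdefault(attr.get("Name", ""), []).extend(values)
    return subject, attrs


def map_groups_to_roles(idp_groups: Iterable[str],
                        group_map: Dict[str, Tuple[str, str]] = GROUP_MAP) -> Dict[str, str]:
    """Return {application group: role}.

    For each application group keep the highest-ranked role the user was
    explicitly granted; unmapped IdP groups are ignored, and no mapped group at
    all yields an empty dict, i.e. no access rather than a default role.
    """
    memberships: Dict[str, str] = {}
    for g in idp_groups:
        if g not in group_map:
            continue
        app_group, role = group_map[g]
        if app_group not in memberships or ROLE_RANK[role] > ROLE_RANK[memberships[app_group]]:
            memberships[app_group] = role
    return memberships


def provision(assertion_xml: str, attribute_name: str = "groups") -> Tuple[str, Dict[str, str]]:
    """Derive the subject and its application memberships from an assertion."""
    subject, attrs = extract_attributes(assertion_xml)
    return subject, map_groups_to_roles(attrs.get(attribute_name, []))


if __name__ == "__main__":
    print(provision(SAMPLE_ASSERTION))
```

Running it against the sample yields alice in AppSec as security_lead and in Payments as developer; the unmapped all-staff value contributes nothing. The code deliberately does no signature or audience validation: that belongs in the SAML library that receives the response, and the mapping must only ever run on an assertion that has passed it.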

New Security Content

SD Elements 2023.1 now provides the following security content library updates:


  • Payment Card Industry Data Security Standard (PCI-DSS) v4.0: New developer-centric recommendations and out of the box countermeasures for how to satisfy PCI-DSS v4.0 requirements
  • Cybersecurity Maturity Model Certification (CMMC) 2.0: New compliance report with mapped tasks for developers to demonstrate compliance with CMMC 2.0 for Levels 1 and 2

Just-in-time-training (JITT) Updates

New just-in-time training micromodules have been added in SD Elements 2023.1 for Securing the Cloud. For a complete list of the 800+ JITT micromodules now available within SD Elements, please see Security Compass’ Training Curriculum. (If you are a current SD Elements customer but do not currently have a JITT subscription and would like to learn more, please contact Customer Success or Book a Demo.)

New eLearning Courses

The following Security Compass eLearning courses are now available:


  • Defending Go
  • Defending TypeScript
  • PCI-DSS v4.0
  • Secure Software Acceptance and Deployment

To learn more about these new courses, as well as the more than 40 other eLearning courses covering application security, operational security, and compliance fundamentals and best practices, visit the Application Security Training page.

Learn More

The new SD Elements 2023.1 release helps organizations that develop software save time and money and reduce cyber risk by taking an automated, developer-centric approach to software threat modeling, secure development, and compliance. This approach enables software developers and security teams to:

  • Continuously model threats at scale
  • Proactively write code that significantly reduces risks and remediation costs
  • Demonstrate compliance with secure software development standards more easily
  • Accelerate software time to market

If you are a current SD Elements customer, please reach out to your Customer Success Manager to learn more.


If you are new to SD Elements, request a demo to learn more.

SD Elements 2022.4 Release Update
https://www.securitycompass.com/blog/sd-elements-2022-4-release-update/
Tue, 10 Jan 2023 01:00:28 +0000

Simplify Threat Modeling with Enhancements to SD Elements Threat Modeling Diagrams, Reusable Components, and Advanced Reporting Capabilities

Software threat modeling is a foundational requirement for ensuring secure software development. However, many organizations today still struggle to effectively model software applications. Application security experts, who have traditionally led threat modeling exercises, are in short supply. Software developers are now being asked to add threat modeling to their skill set. However, most software developers are not threat modeling experts. Asking developers to take on an additional and vital task can impact hitting their release deadlines.

Identifying and mitigating software threats prior to release is required by the vast majority of organizations that develop software. According to a recent study, 2022 Developer Perspectives on Application Security, 76% of software developers report that their applications cannot be released until threats of specified authority are mitigated, and 65% report that addressing threats raised by the security team is required. To help developers succeed, a better, more developer-centric approach to threat modeling is needed.

In response to this need, Security Compass has developed SD Elements, a developer-centric software threat modeling tool, to help software teams take an automated approach to threat modeling at the very beginning of their development cycle — without requiring the expertise of a security expert. With the release of SD Elements 2022.4, we are making threat modeling easier than ever before for application security and development teams. New features now available in SD Elements 2022.4 include the ability to:

  • Generate accurate threat models and collaborate on their application’s design and data flow
  • Reuse existing components along with their identified threats and countermeasures across projects
  • Reduce the level of expertise needed to generate reports
  • Integrate with Snyk Open Source Software Composition Analysis (SCA)
  • Customize SD Elements security content

New and updated security content, just-in-time training modules, and eLearning courses demonstrate Security Compass’ commitment to ensuring software developers have the training and knowledge required to effectively protect their organizations from emerging and existing application security threats.

These new capabilities in SD Elements help software development and application security teams:

  • Improve collaboration between security, software development, hardware engineering, and DevOps teams
  • Improve developer productivity
  • Obtain visibility into the security and compliance state of software across an organization’s entire software portfolio
  • Reduce time and costs associated with demonstrating compliance with multiple security standards and regulations

Updated Threat Model Diagrams

Threat modeling is a foundational exercise in delivering secure software applications. But for threat modeling to be seen as a value-add activity by both application security and software development teams, generated threat model diagrams must accurately reflect the application architecture, including zones and nested zones, and must allow notes to be attached to the diagram. Application security and software development teams that work from these diagrams need that context to fully understand the system architecture, the threats, and the required countermeasures, and to collaborate effectively on securing the software.

Updates to threat model diagrams in the 2022.4 release (see also the 2023.3 release) include the ability to nest zones and add diagram notes. After generating a threat model, zones can be nested so that the diagram matches the organization's architecture, for example a service zone inside a network zone. Diagram notes let development and application security teams capture additional context about the application's design and data flows directly on the threat model diagram.
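As an added illustration (not SD Elements code; the zone, component and flow names are constructed for the example, and the `path()`, `boundaries_crossed` and `flows_to_review` helpers are assumptions of this example rather than anything in the product), the following Python sketch shows why nested zones matter in a threat model diagram: a data flow whose endpoints sit in different zones crosses one trust boundary for every zone it leaves or enters, and those crossings are where threats and countermeasures attach. Without nesting, a flow from a DMZ web tier to an internal database would look like it never leaves the corporate network.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Zone:
    """A trust zone on the diagram; `parent` is set for a nested zone."""
    name: str
    parent: Optional["Zone"] = None

    def path(self) -> list[str]:
        """Zone names from the outermost enclosing zone down to this one."""
        names, zone = [], self
        while zone is not None:
            names.append(zone.name)
            zone = zone.parent
        return names[::-1]


@dataclass(frozen=True)
class Component:
    name: str
    zone: Zone


@dataclass(frozen=True)
class DataFlow:
    source: Component
    dest: Component
    label: str


def boundaries_crossed(flow: DataFlow) -> tuple[list[str], list[str]]:
    """Return (zones exited, zones entered) for one flow.

    Exits are listed innermost first, entries outermost first, which is the
    order the data actually travels. Two components in the same zone (or in
    zones with an identical path) cross nothing.
    """
    src, dst = flow.source.zone.path(), flow.dest.zone.path()
    shared = 0
    while shared < min(len(src), len(dst)) and src[shared] == dst[shared]:
        shared += 1
    exited = src[shared:][::-1]   # leave the innermost zone first
    entered = dst[shared:]        # enter the outermost new zone first
    return exited, entered


def flows_to_review(flows: list[DataFlow]) -> dict[str, list[str]]:
    """Map each boundary-crossing flow label to the ordered boundaries it
    crosses; flows that never leave their zone are omitted."""
    review: dict[str, list[str]] = {}
    for flow in flows:
        exited, entered = boundaries_crossed(flow)
        if exited or entered:
            review[flow.label] = [f"exit:{z}" for z in exited] + [f"enter:{z}" for z in entered]
    return review


# Constructed sample architecture: a corporate network containing a DMZ and an
# internal segment, plus the public internet outside it.
internet = Zone("internet")
corp = Zone("corp-network")
dmz = Zone("dmz", parent=corp)
internal = Zone("internal", parent=corp)

browser = Component("browser", internet)
web = Component("web-app", dmz)
db = Component("orders-db", internal)
db_replica = Component("orders-db-replica", internal)

SAMPLE_FLOWS = [
    DataFlow(browser, web, "HTTPS request"),
    DataFlow(web, db, "SQL over TLS"),
    DataFlow(db, db_replica, "replication"),
]

if __name__ == "__main__":
    for label, crossings in flows_to_review(SAMPLE_FLOWS).items():
        print(f"{label}: {' -> '.join(crossings)}")
```

Each entry in the returned list is a boundary at which a reviewer would expect authentication, transport protection, or input validation on the receiving side; the replication flow produces no entry because both databases sit in the same nested zone.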

Reusable Components Enhancements

“When developers perform a threat model, they begin to recognize what can go wrong in a system. It also allows them to pinpoint design and implementation issues that require mitigation, whether it is early in or throughout the lifetime of the system.” (Threat Modeling Manifesto)

Over time, patterns will reoccur within systems and software, i.e. recurring threats, weaknesses, and their necessary countermeasures. Application security professionals and developers need to be able to reuse these patterns across projects to simplify threat modeling. In prior versions of SD Elements, the process of reusing security patterns found in existing components was manual. Components needed to be manually created in the component library and configured by selecting the appropriate countermeasures.

The latest update to SD Elements reusable components lets application security and development teams reuse existing components, along with their security patterns, identified threats, and countermeasures, across projects. This improves efficiency by building on patterns that have already been identified and addressed elsewhere, so teams can focus on only what remains to be done. When a component is created, it is added to the component library; once an SD Elements administrator activates it, the component, its identified threats, and its countermeasures become available to every project in the organization.


Advanced Reporting Enhancements

Prior to the 2022.4 release, SD Elements required a high level of SQL expertise to pull data and generate reports. The majority of stakeholders that work in SD Elements do not possess this skill, which created an over-reliance on SD Elements administrators to generate reports.

Updates to advanced reporting in SD Elements 2022.4 provide a more scalable and secure way to generate reports. New contextual reporting capabilities reduce the level of expertise needed to retrieve, combine, and visualize data and to build rich reports. A user simply chooses the type of context their task is based on, and the appropriate and relevant data points become available for selection.

New Snyk Open Source Integration

Open source code plays an integral role in reducing the time and cost of building applications; Gartner estimates that 90% of organizations rely on open source code in their applications today. Community maintenance does not make open source projects secure by default: Gartner also estimates that more than 70% of applications contain flaws stemming from the use of open source code. Given how widespread open source use is, software composition analysis (SCA) tools are vital to releasing secure applications.

To address the growing need for SCA tools, SD Elements now integrates with Snyk Open Source (SCA). Snyk Open Source helps minimize open source and other third-party software risks by simplifying security control validation for application security and software development teams. Organizations can now import Snyk Open Source scan results into SD Elements, which automatically maps the findings to the appropriate tasks and highlights open source weaknesses together with the countermeasures that need to be implemented. To learn more about the 35+ SD Elements integrations, covering application security tools, DevOps tools, infrastructure, and issue trackers, visit the SD Elements Integrations page.

New Custom Task Mapping

In prior versions of SD Elements, customers could not perform custom task mapping. Each SD Elements verification tool integration, SCA included, shipped with a default mapping file that connected an organization's scan findings to the appropriate countermeasures. Because customers could not customize that mapping inside SD Elements, they either had to maintain customized mappings by hand, which was time-consuming, or rely on the SD Elements integrations team.

With the new custom task mapping feature in SD Elements 2022.4, organizations can override the default task mappings and tailor SD Elements' security content to their needs. Application security and development teams can append their own security content and change attributes in the mapping file, such as the confidence level assigned to the match between a scan finding and an SD Elements countermeasure.
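To make the override behaviour concrete, here is an added Python example. It is not SD Elements code: the JSON layout of the mapping file, the `T…` and `C-…` task identifiers, the use of CWE identifiers as mapping keys, and the finding records are all assumptions constructed for this example, not the product's actual format. It shows a default mapping merged with a customer-supplied mapping that can add new entries, repoint a finding to a different countermeasure, or change the confidence attached to a match, and then routes scan findings to countermeasures while setting low-confidence matches aside for manual triage rather than silently passing or failing a task.

```python
import json
from collections import defaultdict

# Assumed default mapping: weakness identifier reported by the scanner ->
# the countermeasure task it verifies, and how confident the match is (0-100).
DEFAULT_MAPPING = {
    "CWE-79":   {"task": "T21-output-encoding", "confidence": 90},
    "CWE-89":   {"task": "T22-parameterized-queries", "confidence": 90},
    "CWE-1104": {"task": "T58-update-third-party-components", "confidence": 40},
}

# Constructed customer mapping file: raises confidence for CWE-1104 (the team
# trusts its SCA tool), repoints CWE-79 to an in-house template task, and
# appends an entry the default file does not have.
CUSTOM_MAPPING_JSON = """
{
  "CWE-1104": {"confidence": 85},
  "CWE-79":   {"task": "C-101-use-autoescaping-templates"},
  "CWE-1395": {"task": "T58-update-third-party-components", "confidence": 70}
}
"""


def merge_mappings(default: dict, custom_json: str) -> dict:
    """Overlay a custom mapping on the default one without mutating it.

    Entries merge per attribute, so a custom entry may change only the
    confidence or only the task; keys absent from the default are appended.
    Every resulting entry must still name a task and a confidence in 0..100.
    """
    merged = {key: dict(entry) for key, entry in default.items()}
    for key, overrides in json.loads(custom_json).items():
        merged[key] = {**merged.get(key, {}), **overrides}
    for key, entry in merged.items():
        if "task" not in entry or not 0 <= entry.get("confidence", -1) <= 100:
            raise ValueError(f"mapping for {key} needs a task and a confidence in 0..100")
    return merged


def route_findings(findings: list[dict], mapping: dict, min_confidence: int = 50) -> dict:
    """Group scan findings by the countermeasure they verify.

    Findings with no mapping, or whose mapping is below `min_confidence`,
    go to a triage list so a human decides which task they belong to.
    """
    by_task: dict[str, list[str]] = defaultdict(list)
    triage: list[str] = []
    for finding in findings:
        entry = mapping.get(finding["weakness"])
        if entry is None or entry["confidence"] < min_confidence:
            triage.append(finding["id"])
        else:
            by_task[entry["task"]].append(finding["id"])
    return {"by_task": dict(by_task), "triage": triage}


# Constructed scan findings in the shape this example expects (not a real
# scanner export).
SAMPLE_FINDINGS = [
    {"id": "F-1", "weakness": "CWE-79",   "severity": "high"},
    {"id": "F-2", "weakness": "CWE-1104", "severity": "medium"},
    {"id": "F-3", "weakness": "CWE-1395", "severity": "low"},
    {"id": "F-4", "weakness": "CWE-502",  "severity": "critical"},
]

if __name__ == "__main__":
    mapping = merge_mappings(DEFAULT_MAPPING, CUSTOM_MAPPING_JSON)
    print(json.dumps(route_findings(SAMPLE_FINDINGS, mapping), indent=2))
```

Run against the default mapping alone, the same findings leave three of four in triage; with the customer overlay applied, only the finding with no mapping at all remains for manual review. Validating the merged file before use matters because a typo in a hand-edited override (a missing task, a confidence of 850) would otherwise be discovered only when a countermeasure is wrongly marked verified.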

New Security Content

SD Elements 2022.4 now provides the following security content library updates:

  • Azure Kubernetes Services (AKS): New recommended security controls and guidelines help software developers and DevOps teams better secure AKS clusters
  • AWS Services: In addition to the existing coverage of AWS’ infrastructure provisioning services, the SD Elements Content Library now supports the following AWS Services: API Gateway, AWS Cognito, AWS Kinesis, Amazon Kinesis Data Firehose, and AWS Web Application Firewall (WAF)
  • Payment Card Industry Data Security Standard (PCI DSS): New content is now available for the latest version of PCI DSS, v4.0. This includes a compliance report that maps the “Requirements and Testing Procedures” specified in PCI DSS v4.0 to SD Elements tasks and activities. Organizations that process cardholder data can use this report to identify gaps and demonstrate compliance with the PCI DSS standard.
  • New security content is also available for the .NET 6 framework, TypeScript, and Android 12 and 13

Just-in-Time Training (JITT) Updates

New just-in-time training micromodules have been added in SD Elements 2022.4 for Ansible (IaC), along with key updates for .NET 6 and Secure Software Requirements. For a complete list of the 800+ JITT micromodules now available within SD Elements, see the Security Compass Training Curriculum. (If you are a current SD Elements customer without a JITT subscription and would like to learn more, please contact Customer Success or Book a Demo.)

New eLearning Courses

The following Security Compass eLearning courses are now available:

  • Ansible – Infrastructure as Code (IaC)
  • .NET 6
  • Secure Software Requirements

To learn more about these new courses, as well as the more than 40 other eLearning courses covering application security, operational security, and compliance fundamentals and best practices, visit the eLearning Solutions page.

Learn More

The new SD Elements 2022.4 release helps organizations who develop software save time and money and reduce cyber risks by taking an automated, developer-centric approach to software threat modeling, secure development, and compliance. This approach enables software developers and security teams to:

  • Continuously model threats at scale
  • Proactively write code that significantly reduces risks and remediation costs
  • Demonstrate compliance with secure software development standards more easily
  • Accelerate software time to market

If you are a current SD Elements customer, please reach out to your Customer Success Manager to learn more.

If you are new to SD Elements, request a demo to learn more.

The post SD Elements 2022.4 Release Update appeared first on Security Compass.

2022.3 SD Elements Release Update
https://www.securitycompass.com/blog/sd-elements-2022-3-release-update/ (Tue, 18 Oct 2022 10:13:39 +0000)
Identify and Mitigate Software Threats Faster with New SD Elements Threat Modeling and Advanced Reporting Capabilities

At Security Compass, we continue to enhance our SD Elements developer-centric threat modeling platform.

We designed SD Elements to use a developer-centric software threat modeling process so software teams can quickly take an automated approach to threat modeling right at the beginning of their development cycle — without requiring the expertise of a security expert. Organizations with dedicated application security teams also benefit from the SD Elements automated, developer-centric threat modeling approach, because it frees up application security experts from the more tedious and manual aspects of threat modeling. They can instead focus on more sophisticated attacks and threats, as well as focus on scaling software threat modeling, secure development, and compliance best practices across their organization’s entire software portfolio.

New features now available in SD Elements 2022.3 make it easier than ever before for software developers to see software (application) security threats, where they exist, and exactly where to implement countermeasures to mitigate the threats. New dashboards enable application security teams to identify the most prevalent threats and weaknesses across the organization’s software portfolio, as well as perform in-depth analyses of their software security and compliance posture both per-project as well as across their entire software (or application) portfolio. New and updated security content, just-in-time training modules, and eLearning courses demonstrate Security Compass’ commitment to ensuring software developers have the training and knowledge required to effectively protect their organizations from emerging, as well as existing, application security threats.

These new capabilities in SD Elements help software development and application security teams:

  • Improve collaboration between security, software development, hardware engineering, and DevOps teams
  • Improve developer productivity
  • Obtain visibility into the security and compliance state of software across an organization’s entire software portfolio
  • Reduce time and costs associated with demonstrating compliance with multiple security standards and regulations

Updated Threat Model Diagrams & Terminology

When a software (or application) threat is identified, just knowing what the threat is isn’t enough. Software development and application security teams need to know not just what the threat is, but where the threat is and the remediation priority, as well as where and how to implement required countermeasures. However, since most software developers are not experts in threat modeling and software security, identifying and prioritizing threats and knowing where they reside and how to implement appropriate countermeasures based on industry best practices can be challenging. Application security experts can help, but in most organizations, application security experts are spread thin, making it hard for software developers to know exactly what they need to do in order to properly remediate software threats as a part of their development workflow.

By surfacing threats directly in threat model diagrams, SD Elements now makes it easier than ever before for developers to understand where threats reside so they can better understand not only the threat itself, but also the countermeasures they need to implement to remediate the threat. Since SD Elements surfaces threats directly in threat model diagrams, application security and software development teams can now quickly see threats specific to the project and its components displayed in a side panel on the diagram canvas, as well as review the threats on a new Threats list page specific to the project. These new capabilities help software development and application security teams better understand not only where the threat exists, but also where the countermeasure should be applied.


In addition, the default language used for threat modeling in SD Elements 2022.3 has also been updated to align more closely with language used in the software security industry. For example, instead of “Problems” and “Tasks,” the default language in SD Elements is now “Threats,” “Weaknesses,” and “Countermeasures” (“Weaknesses” replaces “Problems,” and “Countermeasures” replaces “Tasks”).

Screenshot: “Problems” and “Tasks” terminology in SD Elements prior to 2022.3

Screenshot: “Threats,” “Weaknesses,” and “Countermeasures” terminology in SD Elements 2022.3

This change means SD Elements now uses language that is more relevant to both security and software development teams, and will make it easier for teams to collaborate, measure, and report on the success of their threat modeling programs.

Learn More:  Threat Modeling Video | Threat Modeling Datasheet

New Customizable Dashboards

Releasing vulnerable software can negatively impact brand reputation, customer trust, and an organization’s bottom line. Business leaders and the board understand the importance of managing application security risk. However, software development and application security leaders often struggle to articulate how their software threat modeling and secure development activities measurably reduce business risk.

Teams can spend hours trying to manually compile the threat, security, and compliance data from multiple sources. Aggregating data and massaging it into reports that show the maturity and effectiveness of an application’s security profile to business executives and the board can take hours or days more. And time spent manually compiling and generating reports means less time spent building new product capabilities, further hardening application security, and addressing technical debt.

SD Elements Advanced Reporting makes complex threat, countermeasure, security control, and compliance data accessible and easy to digest. The highly configurable Advanced Reports capabilities first released in SD Elements 2022.2, combined with the new customizable dashboards in SD Elements 2022.3, make it easier than ever for software development and application security teams to track the state of their software security program. Teams can create rich data visualizations and dashboards that identify the most prevalent threats and weaknesses across the organization's software portfolio, and they have the data, reporting, and analytics capabilities they need to perform in-depth analyses of their software security and compliance posture for individual projects as well as across their entire software (or application) portfolio.


Learn More:  Advanced Reporting Video | Advanced Reporting Datasheet

New Security Content

SD Elements 2022.3 also now provides the following security content library updates:

New Micro Focus Fortify On Demand Integration

Vulnerability scans are a critical part of ensuring software (or application) security and compliance requirements are met. All organizations who develop software must have clear visibility into any vulnerabilities and weaknesses in their code in order to manage risk effectively.

Many organizations use security testing tools to detect and report on weaknesses in code, and SD Elements already integrates with many static application security testing (SAST), dynamic application security testing (DAST), and software composition analysis (SCA) tools.

New in SD Elements 2022.3 is an integration with Micro Focus Fortify on Demand, a cloud-based security-as-a-service solution from Micro Focus that can quickly scan, assess, and report on the security of applications.

Mapping test results from Micro Focus Fortify on Demand back to required threat countermeasures and security controls in SD Elements to verify that security requirements have been met can be a manual, time-consuming process. And receiving results from testing tools late in the software development process can lead to unwelcome surprises and delayed release cycles.

However, the new SD Elements Micro Focus Fortify on Demand integration enables application security and software development teams who use both SD Elements and Micro Focus Fortify on Demand to automatically view application security assessment results from Fortify on Demand within SD Elements, as well as verify security requirements identified and tracked by SD Elements based on Fortify on Demand assessment results. Findings from Fortify on Demand assessments are automatically retrieved and mapped to security requirements within SD Elements.

Note: SD Elements already integrates with many other Micro Focus products, including Micro Focus Application Lifecycle Management (ALM), Micro Focus Fortify Software Security Center, Micro Focus Fortify WebInspect, and Micro Focus Fortify Static Code Analyzer.

Just-in-Time Training (JITT) Updates

New just-in-time training micromodules have been added in SD Elements 2022.3 for Terraform (IaC) and the PCI Software Security Framework (SSF). For a complete list of the 800+ JITT micromodules now available within SD Elements, see the Security Compass Training Curriculum. (If you do not currently have a JITT subscription and would like to learn more, please contact Customer Success.)

New eLearning Courses

The following Security Compass eLearning courses are also now available:

  • OWASP Top 10 (2021)
  • OAuth Security Fundamentals
  • Defending Terraform
  • PCI SSF Compliance

To learn more about these new courses, as well as the more than 40 other eLearning courses covering application security, operational security, and compliance fundamentals and best practices, visit www.securitycompass.com/training/.

Learn More

The new SD Elements 2022.3 release helps organizations who develop software save time and money and reduce cyber risks by taking an automated, developer-centric approach to software threat modeling, secure development, and compliance. This approach enables software developers and security teams to:

  • Continuously model threats at scale
  • Proactively write code that significantly reduces risks and remediation costs
  • Demonstrate compliance with secure software development standards more easily
  • Accelerate software time to market

If you are a current SD Elements customer, watch the SD Elements 2022.3 Release Overview video or reach out to your Customer Success Manager to learn more.

If you are new to SD Elements, request a demo to learn more.

The post 2022.3 SD Elements Release Update appeared first on Security Compass.

SD Elements 2022.2 Release Update
https://www.securitycompass.com/blog/sd-elements-2022-2-release-update/ (Fri, 24 Jun 2022 14:45:19 +0000)
Building secure software requires a holistic approach to security, which includes bringing “secure by design” principles to life. The industry recognizes the benefits of performing threat modeling throughout the software development lifecycle (SDLC). Amid rising concerns about cyberattacks, industry and government organizations have been promoting wider adoption and offering guidelines to establish and mature threat modeling programs.

At Security Compass, we are committed to helping our customers mitigate cyber security risks at scale by automating threat modeling. We are making continuous investments in our SD Elements platform to enable a developer-centric approach to threat modeling. Developer-centric threat modeling prioritizes the speed of software development without compromising the security and compliance required to release. It shifts security ownership from siloed security teams to a collaborative approach that is easier for development teams to understand and support. Developer-centric threat modeling makes it easier for key stakeholders, especially developers, to contribute to building secure and compliant software early and often.

To that end, we are excited to share what’s coming in the SD Elements 2022.2 release, which will become generally available (GA) on July 9th. (Current SD Elements customers can preview the release on their CD instance as of June 24th, two weeks before GA.)

This release executes the plan we shared with you in March 2022 to move to a quarterly release cadence so that you can benefit from more robust and predictable releases.

What’s New In the SD Elements 2022.2 Release?

Threat Model Diagrams

Threat model diagrams play an essential role in identifying, understanding, and communicating threats among development and security teams. A lack of consistency in diagramming can lead to ineffective communication and hamper collaboration between teams. In fact, in our 2021 report on the state of threat modeling, 43% of respondents cited a lack of consistency as a key challenge their companies face as they conduct threat modeling.

In SD Elements 2022.2, new automated threat model diagrams help drive standardization across teams and simplify the task of creating threat models, especially for users with limited security knowledge. SD Elements automatically places architectural components into a diagram based on selections made in the survey. The automation from survey to diagram ensures consistency in the graphical representation of components across projects and augments the survey by identifying and communicating threats effectively to stakeholders.

Threat model diagram in SD Elements

How It Works

Upon completion of the Survey, users have the option to generate a diagram for the project. The diagram feature complements the survey and helps users identify, understand, and communicate threats among software teams, security teams, and non-security stakeholders. SD Elements automatically places the architectural components previously selected in the survey on the diagram. Users can then improve the diagram by adding or editing components, labels, zones, and data flows between components. Users can also choose to generate a diagram for each project release.

Reusable Components

As organizations adopt microservices or multi-component software development approaches, securing independent, distributed, and modular services can challenge development, security, and operations teams. Identifying the properties of these services or components, understanding the flaws and threats, and managing the appropriate threat countermeasures can be daunting.

Reusable components in SD Elements allow users to model multi-component software applications effectively. The team that owns or is responsible for a service or component can now specify which controls it already addresses and which additional controls consumers must implement. A component can be an internal service that provides critical functionality such as authentication, authorization, or encryption; it can be a database, a piece of infrastructure, or a third-party library; or it can be a non-technical component relating to policies and regulations.

By using reusable components, development teams can take advantage of controls that are already implemented in the components and focus their attention on implementing relevant tasks for the part of the software they are developing. This feature helps increase productivity as teams can build, segregate, and reuse trusted components to build complex multi-component software products. It also helps improve overall software security and facilitates faster product releases.

How It Works

A new object called components is now included in the SD Elements Library. Customers can leverage pre-built reusable components and create, edit, and delete custom components.

Once a component is activated in the library, it can be added to projects. Selecting a component's mapped answer in the survey adds the component to the project without any further action from the user. When a component is added to a project, tasks that appear in the component's Mark as Complete list and are relevant to the project are automatically set to Complete. Tasks in the component's Mark as Incomplete list are added to the project task list if they are not already present; if a task already exists, its status is set to Incomplete. This automation saves the project team from repeatedly validating the completion of these redundant tasks.
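The status update rule described above, written out as an added Python example. This is an illustration of the rule as the text states it, not SD Elements code; the task identifiers, the `Component` and `Project` shapes, the lookup from survey answer to component, and the treatment of a task that appears in both of a component's lists are assumptions of this example.

```python
from dataclasses import dataclass, field

COMPLETE, INCOMPLETE = "Complete", "Incomplete"


@dataclass
class Component:
    name: str
    active: bool                  # only library-activated components can be added
    mark_complete: set[str]       # tasks the component already satisfies
    mark_incomplete: set[str]     # tasks the consuming project must still do
    survey_answer: str            # survey answer that maps to this component


@dataclass
class Project:
    name: str
    tasks: dict[str, str]         # task id -> status; only tasks relevant to the project
    components: list[str] = field(default_factory=list)


def apply_component(project: Project, component: Component) -> dict[str, str]:
    """Add a component to a project and return the task statuses that changed.

    Mark-as-Complete tasks become Complete only if the project already has
    them (the component never adds tasks the project did not need).
    Mark-as-Incomplete tasks are added as Incomplete, or reset to Incomplete
    if already present. Assumption: a task listed in both lists is treated as
    Incomplete, since the component explicitly leaves work for the consumer.
    """
    if not component.active:
        raise ValueError(f"component {component.name!r} is not activated in the library")
    changes: dict[str, str] = {}
    for task in sorted(component.mark_complete - component.mark_incomplete):
        if task in project.tasks and project.tasks[task] != COMPLETE:
            project.tasks[task] = COMPLETE
            changes[task] = COMPLETE
    for task in sorted(component.mark_incomplete):
        if project.tasks.get(task) != INCOMPLETE:
            project.tasks[task] = INCOMPLETE
            changes[task] = INCOMPLETE
    project.components.append(component.name)
    return changes


def answer_survey(project: Project, answer: str, library: list[Component]) -> dict[str, str]:
    """Selecting a mapped survey answer adds every active component mapped to it;
    inactive components are ignored rather than raising."""
    changes: dict[str, str] = {}
    for component in library:
        if component.survey_answer == answer and component.active:
            changes.update(apply_component(project, component))
    return changes


# Constructed library and project; task ids are placeholders.
LIBRARY = [
    Component("central-auth-service", True,
              mark_complete={"T1-password-hashing", "T2-mfa"},
              mark_incomplete={"T5-session-timeout"},
              survey_answer="uses-central-auth"),
    Component("legacy-sso", False, {"T1-password-hashing"}, set(), "uses-central-auth"),
]


def new_project() -> Project:
    return Project("orders-api", {
        "T1-password-hashing": INCOMPLETE,   # satisfied by the component
        "T3-input-validation": INCOMPLETE,   # untouched: not in either list
        "T5-session-timeout": COMPLETE,      # reset: the component makes it the consumer's job
    })


if __name__ == "__main__":
    project = new_project()
    print(answer_survey(project, "uses-central-auth", LIBRARY))
    print(project.tasks, project.components)
```

Note that `T2-mfa` is in the component's Mark as Complete list but never enters the project, because the project did not have that task to begin with; the component only clears work the project already owed.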

Screenshot: custom component setup

Screenshot: custom component placement in the survey

Advanced Reports

Gaining buy-in from internal stakeholders is difficult without supporting data that demonstrates current and potential software security and compliance issues in your portfolio and the progress of your security program.

SD Elements’ new advanced reporting capabilities gives users the power to answer the “data need of the hour” by quickly creating custom reports or by starting with pre-built report templates. Need to know the most prevalent threats and weaknesses across your portfolio? Or the status of compliance with a particular risk policy across projects? You can now find the answers faster than ever before. Our new reporting capabilities empower users to dive into the real-time status of software security and compliance across your portfolio and share data analyses in visual and easy-to-interpret format across different functions or departments. Sample reports are also available to allow teams to quickly export and integrate SD Elements data into external reporting systems.

Pre-built report templates

Custom report with data visualization

How It Works

In advanced reports, users select dimensions, or attributes, from objects such as applications, problems, tasks, and components; examples are application name, application risk compliance status, and task status. Users then select the measures, quantitative metrics such as task count and project compliance count, by which the dimensions are tallied or summarized. Dimensions can be filtered to narrow the results, which can be visualized as a table, a single number, a pie chart, or a bar chart.

Other New Product Content

Updates to the Content Library in SD Elements 2022.2 include:

  • Support for infrastructure as code (IaC) security: IaC automates the provisioning, configuration, and management of infrastructure through formatted, machine-readable files or templates. SD Elements now equips developers and DevOps teams with the knowledge to securely use Terraform tools to automate the provisioning, configuring, and management of infrastructure when they need it. These security recommendations are offered in the form of tasks and just-in-time training (JITT) modules.
  • NIST Secure Software Development Framework (SSDF) support: The President's Executive Order (EO) 14028, “Improving the Nation's Cybersecurity,” issued on May 12, 2021, charges multiple agencies, including NIST, with enhancing cybersecurity through a variety of initiatives related to the security and integrity of the software supply chain. In response, NIST revised the SSDF so that software producers, such as commercial-off-the-shelf (COTS) product vendors, government-off-the-shelf (GOTS) software developers, contractors, and other custom software developers, can follow its recommended practices and outcomes to meet the objectives of EO 14028. SD Elements helps you incorporate SSDF guidelines (NIST SP 800-218) into your software development lifecycle to enhance the security and integrity of the software supply chain, and it provides evidence of completion for the controls recommended in NIST SP 800-218.
  • The California Privacy Rights Act of 2020 (CPRA): The California Privacy Rights Act (CPRA) applies to businesses that:
    • Have annual revenue of 25 million dollars or higher, or
    • Process the personal information of 100K or more California residents/devices, or
    • Derive 50% of their revenue from Californians’ personal information.

CPRA takes effect on January 1, 2023, and amends and extends the California Consumer Privacy Act (CCPA). The new content in SD Elements provides guidelines for compliance with CPRA in the form of additional requirements based on the California Civil Code for consumer privacy. A new compliance report that maps privacy tasks to the California Civil Code (CPRA and CCPA) is also available in 2022.2. Developers and privacy officers at any company meeting the above thresholds will benefit from the new content in SD Elements.

  • Privacy content and privacy score improvements: We clarified the role of the different personas (for example, controllers, processors) and the required evidence of completion for the different tasks for all privacy content in the SD Elements content library. We also revised and reviewed the task score of the relevant privacy tasks based on a Security Compass-defined framework.

Integration with Black Duck® Software Composition Analysis

Forrester reports that 75% of all code bases consist of open source code. Millions of open source projects are available online in code repositories, and modern development pipelines are built on top of them, which can introduce a myriad of security issues.

To this end, we have expanded our integration ecosystem by adding an integration with the Black Duck® software composition analysis (SCA) tool from Synopsys. Through this automated integration, SD Elements simplifies the validation of security control implementation for security and software development teams, helping minimize risks associated with open source and other third-party software.

How It Works

This new integration allows SD Elements users to connect to their Black Duck instance and request a scan from within SD Elements, manually or on a schedule. A scan request from an SD Elements project triggers an API call to Black Duck that retrieves the latest scan results pertinent to the project. The results are then automatically synced and mapped to the project tasks that SD Elements generated for open source and third-party libraries. At any time, SD Elements users can review the total number of vulnerabilities found across all components and break them down by severity. To see the details of a vulnerability, the results link back to the corresponding entry in Black Duck.

Screenshot: results of the Black Duck integration in SD Elements

New Just-in-Time Training

Just-in-time training micromodules in SD Elements 2022.2 let users receive bite-sized, highly relevant security training without disrupting their workflow. These micromodules are mapped to the built-in SD Elements tasks and can be delivered directly within the issues sent to issue trackers.

In the SD Elements 2022.2 release, 114 new just-in-time training micromodules have been added to SD Elements, covering topics such as OWASP Top 10 2021, Defending Angular, OAuth, and OpSec Fundamentals. As a result, SD Elements has over 600 micromodules that cover a wide variety of secure coding, secure design, cloud, and compliance topics.

Learn More

To learn more about the newest capabilities of SD Elements, register for our webinar on Tuesday, June 28th, at 1pm EDT. See a demo of these new features and ask the product experts all of your questions. Reserve your spot today!

The post SD Elements 2022.2 Release Update appeared first on Security Compass.
