The BSIMM shows you what you’re doing. MAP helps you set objectives, outlines a strategy to get from where you are today to the objectives, and clarifies the resources you’ll need. We’ll work closely with your key stakeholders to understand your organization’s current state, define an achievable future state, and develop a MAP to advance your software security initiative. The plan covers:
Satellite to ensure a knowledgeable group of software security practitioners is adequately distributed across all your development teams.
Training and Awareness so all SSI stakeholders have sufficient skills to execute the evolving tasks associated with their role.
Attack Intelligence to bring relevant and timely information about attacker actions, security defects, and mitigation techniques into your firm and turn it into actionable guidance for various stakeholders.
Software Development Life Cycle (SDLC) Gates to ensure people and tools include or apply the appropriate software security controls in each software project.
Open Source Management so all open source software used in the firm’s portfolio is known, tracked, maintained, tested, and used in accordance with SSI policies and standards.
Risk and Compliance to enable subject matter experts to periodically determine the risk posture and compliance status of all software in the SSI.
Policy and Standards so appropriate roles maintain complete and current documentation on mandatory actions, events, and characteristics applicable to all the people, process, and technology in the SSI and its application portfolio.
Metrics to ensure that all SSI processes are appropriately instrumented, that measurement data become valuable metrics, and that metrics are distributed to everyone who requires them for decision-making.
Vendor Management to prevent software acquired from third parties from unacceptably increasing the firm’s software security risk and to ensure the appropriate allocation of software security responsibility.
To ensure sufficient portfolio breadth, technical depth, and tailored reporting, we use the following:
Penetration Testing, which finds exploitable defects through manual and automated white-box and black-box testing.
Architecture and Design Review, which uncovers exploitable defects in software architecture through manual white box analysis.
Secure Code Review, which identifies exploitable defects through manual code review and automated static analysis.
Quality Assurance, which finds functional defects and exploitable defects through manual and automated testing.