Secure SDLC Program Review
Cyber TRAM offers a comprehensive review of the organization’s overall security assurance program. This helps identify gaps and optimize security activities within the SDLC. In addition, the review ensures that development practices include both proactive controls and reactive validation of those controls within the lifecycle.
Cyber TRAM offers a program maturity assessment using industry standards such as OpenSAMM or BSIMM. This helps organizations make strategic decisions about their roadmap and the level of maturity they want to achieve.
Application Security Architecture Review
The purpose of an Application Security Architecture Review (ASAR) is to assess the application’s overall architecture and identify potential gaps with respect to security controls and industry best practices.
Based on Cyber TRAM’s extensive experience in application security, we often observe that up to half of the software defects that result in security issues are flaws in design. Focusing efforts on static or dynamic testing alone ignores half of the problems that expose organizations to attack. Cyber TRAM’s approach is to work collaboratively with the application development team to identify and assess how the application handles the various security domains within its architecture. These security domains include credential management, access provisioning, authentication and authorization, access governance, application security, supporting infrastructure security, data security, and security monitoring.
Cyber TRAM’s methodology is influenced by industry best practices including:
- OWASP Application Security Verification Standard (“ASVS”)
- OWASP Secure Coding Practices
- OWASP Access Control Guidelines
- NIST SP 800-63-2
- NIST SP 800-57
- NIST Framework for Improving Critical Infrastructure Cybersecurity
- SANS Critical Controls for Effective Cyber Defense (“CSC”)
DevSecOps
While DevOps refers to the collaborative environment between the development, testing and operations teams that is needed to achieve continuous delivery, DevSecOps integrates security into the DevOps process.
Cyber TRAM is one of the few major providers of end-to-end DevSecOps consulting services. Our consultants specialize in the assessment, implementation and support of our clients’ DevSecOps initiatives, spanning from simple projects to complex enterprise-level IT projects.
We develop consultative solutions that enable clients to secure product development with DevSecOps capabilities. We produce tailored DevSecOps platforms that integrate security into areas such as build automation, test automation, deployment automation, monitoring, environment management and others.
Secure Development Training
Cyber TRAM Secure Development training is an interactive 1- or 2-day course that provides developers with the training needed to write highly secure applications and web services.
This class combines lecture with hands-on security testing in a custom-built vulnerable lab environment. Participants not only learn about the common threats to web applications, but also how to exploit those vulnerabilities and how to remediate them.
Key Learning Objectives
- How to identify the existence of common vulnerabilities
- How to protect against common injection attacks
- How to build secure authentication mechanisms
- How to store information securely
- How to protect against CSRF and Clickjacking
- Understanding of modern HTTP security headers
- How to incorporate security practices into various stages of the SDLC