Security Development Lifecycle (SDL)
We provide training to ensure everyone understands security best practices.
We help define and continually update security requirements to reflect changes in functionality and to the regulatory and threat landscape.
We help define metrics and compliance reporting to Identify the minimum acceptable levels of security quality and how engineering teams will be held accountable.
We perform threat modeling to identify security vulnerabilities, determine risk, and identify mitigations.
We establish design requirements and define standard security features that all engineers should use.
We define and use cryptography standards to ensure the right cryptographic solutions are used to protect data.
We keep an inventory of third-party components and create a plan to evaluate reported vulnerabilities to manage the security risk of using third-party components.
We define, publish, and use a list of approved tools and their associated security checks.
We integrate into CI/CD and perform Static Analysis Security Testing (SAST) on source code before compiling to validate the use of secure coding policies.
We integrate into CI/CD and perform Dynamic Analysis Security Testing (DAST) run-time verification of fully compiled software to test security of fully integrated and running code.
We perform penetration testing to uncover potential vulnerabilities resulting from coding errors, system configuration faults, or other operational deployment weaknesses.
We establish a standard incident response plan/process to address new threats that can emerge over time.