Coming from a family of civil engineers, I always knew that it is a rigorous process to ensure that a building is safe and secure for its occupants. But it's the first time I got a chance to see the complete construction lifecycle, when they started building a multi-storey business complex next to the building I live in.
I have been watching the building being constructed since day one. These guys spent a large portion of the construction time making sure that the design was flawless, that the construction material being used passed all the strict quality standards and that the foundation was strong enough to hold up against adverse weather conditions. Once the foundation was complete and had settled properly, the construction team did not take long to erect the floors on it. It was rather quicker than I anticipated. But the QA process was not lax at any stage.
A software application is no different. If the application is a supply chain or ERP system, businesses depend on it; if it is used in hospitals, airplanes or cars, lives depend on it. Furthermore, it goes through a similar lifecycle.
Considering how important software is to businesses and lives, one would assume that software goes through a security verification process comparable to a building's. Unfortunately, not much is done to ensure the security of software. Security is still treated as the last step in getting the software out of the door, if it is considered at all. When a security issue is identified in the design of the software, it is rarely fixed because of the huge cost involved in fixing it. In that case, the application is either released with the defect or not released at all.
To avoid such surprises and to build an application that is secure from the inside, security must be considered at each step of the SDLC, and activities such as security requirements analysis, threat modelling, security architecture reviews, code reviews and penetration testing should be performed.
Things are easier said than done. No two software systems in an organisation are the same, and performing all these activities and implementing each and every control in the security book may turn out to be overkill in some situations, while inflating the project cost unnecessarily. Hence, it is essential that organisations identify the correct level of security required for each system. This, however, can be a little tricky, as it requires a specialised skillset and training.
Pure Hacking understands this issue and has therefore brought a team of hand-picked specialists on board to run its two newly formed security practices:
1. Enterprise Application Security Services
2. Strategic Security Services
The "Enterprise application security services" team works closely with clients to ensure that adequate security measures are taken into account during each phase of application development and maintenance, i.e. from the birth to the death of the application. Furthermore, the team fills in as the security team for the project and delivers high-quality application security services.
The "Strategic security services" team focuses on providing security controls and processes at the organisation level. This team works with clients to identify the gap between the required maturity level of security practices for their organisation and the current maturity level. Once the gap assessment is complete, the team guides the organisation in achieving the required security maturity level.
More details on our programs can be found at http://www.purehacking.com
If you are in doubt about your security needs, you can contact me at Sandeep.Nain (at) purehacking.com