SOFTWARE ASSURANCE OVERVIEW
Cyberattacks on software technologies have become the new normal in malicious online exploits: the majority of new vulnerabilities are said to be found, and most security breaches said to occur, at the application layer. This makes application security (AppSec) not only an information-asset battleground but also a mandatory part of the Software Development Lifecycle (SDLC). So despite wisely investing in secure, hardened networks and infrastructures, organizations face ongoing threats to their ability to conduct business and interact with customers at the highest levels of confidentiality, integrity, and availability. Gaining assurance that web, mobile, and other external and internal applications are secure requires an orchestrated approach that reaches every stakeholder and end user who touches the software.
NSSPlus’s Software Assurance service delivery solutions portfolio, honed over 16 years of relevant past performance, offers just such an approach.
Software Assurance systematically eliminates vulnerability risk in software by identifying and removing vulnerabilities and making sure new ones are not introduced. The main objective of Software Assurance is to promote secure development practices throughout the application SDLC.
Knowledge and Expertise
NSSPlus Software Assurance Teams (SAT) have the proven knowledge and expertise necessary to create and manage Software Assurance Programs (SwAPs) that facilitate development and management of a systematic way to identify and eliminate vulnerability risk in software and applications and ensure no new vulnerabilities are introduced. The SAT is responsible for:
- Analyzing application source code
- Validating application compliance with federal and state policies, procedures, guidelines, and standards
- Identifying AppSec vulnerabilities caused by software defects in the source code
- Collaborating with discrete software development teams to mitigate/remediate vulnerability findings
- Leveraging source code analysis software such as Fortify 360 and Yasca (open source code analyzer)
- Working with wide‑ranging software languages
- Performing automated dynamic scanning on the types of vulnerabilities that skilled hackers exploit, such as authentication, access control, and input validation, using the VSOC analytic toolkit, which includes HPE Security Fortify, HP WebInspect, and manual testing
Software Assurance Programs
The SAT creates and manages SwAPs to promote secure development practices throughout the application lifecycle. The SAT performs automated dynamic scanning using automated tools such as HPE Security Fortify, HP WebInspect, and manual testing that focuses on the types of vulnerabilities skilled hackers exploit, including:
- Access control
- Input validation
- Session management
- Business logic testing
Our Software Assurance knowledgebase includes technical research on best practices in the Application Security industry, drawing on open-source community organizations such as the Open Web Application Security Project (OWASP). OWASP provides impartial, practical information about AppSec and produces knowledge‑based documentation, including:
- OWASP Top 10, which lists the 10 most critical web AppSec risks
- Description of risks
- Examples of vulnerabilities and attacks
- Guidance on how to avoid risks
- References to other related resources
Technical Approach and Methodology
NSSPlus’s software assurance expertise leverages threat intelligence guidance from open source and commercial sources, including OWASP. Using the 4‑step approach depicted in Figure 1, the SAT provides lifecycle AppSec services. Although the source code base grows over time, the SAT verifies security defects are correctly remediated.
Throughout the SwAP, the team uses the following methods to ensure that security vulnerabilities in web applications (WebApps) are identified during the application lifecycle:
- Threat modeling—Identifying threats, attacks, vulnerabilities, and countermeasures for applications in the design phase.
- Security code reviews—Integrating reviews throughout unit‑level development milestones or development sprint cycles (iterations). This reduces costs and eliminates considerable rework and project delays. In the final phase of the project, the team re-inspects the entire code base to ensure vulnerabilities were mitigated.
- Manual penetration testing—Completing manual penetration testing in a test and development environment. This allows the SAT to remediate identified vulnerabilities before the software’s release to the production environment.
- Automated vulnerability scanners—Using automated tools that aid penetration testers by identifying the vulnerabilities present.