The biggest reason for the proliferation of vulnerable applications is that developers are unaware of the typical vulnerabilities and of the (usually simple) ways to avoid them. Developers are, however, quite keen to learn secure development practices for the technologies they use; training is therefore a convenient and simple way to address one of the main sources of security problems, and it has positive human resource management (HRM) outcomes as well. Cloudbreaker grew out of an established development shop, so our trainers have the competence and credibility needed to create an effective learning environment.
Our secure coding courses focus on widely used development technologies (e.g. JEE, .NET, PHP). During the training program, which lasts half a day or two afternoons, developers also learn the fundamentals of secure software development and adopt the mindset it requires.
We also offer a training course for other selected participants in the development process; see the Security champion training section below.
- General IT security awareness
- Secure web development
- Secure development in .NET
- Secure development in Java
- Secure development in PHP
- Security testing of web applications
- MS SDL training
The education we provide is not limited to secure coding: our training topics also include code analysis, penetration testing and security audits. We are glad to pass on our experience as consultants and ethical hackers.
Security awareness evangelization in enterprises
The ‘General IT security awareness’ topic mentioned above is not intended for developers only; improving information security knowledge may be essential for many other actors in the enterprise. Security problems in enterprise software also stem from the fact that the business and procurement departments lack sufficient security awareness, so security does not become part of the business definition and the procurement requirements.
Together with our training and internal communication partners, we make information on application security and its risks available to all concerned parties and promote the responsible handling of problems. Besides education, another key area of intervention is embedding security awareness in organizations so that it genuinely permeates all their activities.
Adding security to development projects
SeQA, the Security Quality Assurance framework we develop, provides a system for introducing application security practices into organizations and operating them thereafter. Although clients can implement SeQA-like measures on their own, they may request the assistance of Cloudbreaker or other consulting firms to do so. The services detailed below can also complement the application of an AppSec regulation.
Our services can also be used individually, as AppSec expert support for development projects (whether outsourced or internal):
In order to build appropriate security, it is important to recognize and consider potential attacks and to identify the appropriate protection techniques.
We strongly recommend using this expert service during the planning stage of development projects. Even with a limited budget, it is essential to schedule at least one consultation with a professional experienced in security matters, especially in attacks. Where security quality is of critical importance, it is advisable to rely on the results of a more systematic threat modeling exercise.
Application security competence must be involved at least during the planning stage of software development. The participation of an experienced security expert in the architecture team ensures that security aspects are enforced in design decisions and guarantees a high professional standard in the planning of security functionality.
Security champion training
Involving a security champion is recommended by the MS SDL secure development methodology that we advocate. To prevent any misunderstanding: this person is not a security expert but a key member of the development team, whose role is to represent security aspects in everyday development practice, e.g. during development and review meetings and at every point of preparation and decision making.
For this purpose, the chosen person should complete the security courses attentively and take part in a short training program that prepares them for this responsible role.
Security testing built into development
A few decades ago, development shops and clients had a hard time accepting that quality assurance and testing were an important and integral part of the development process requiring special expertise; in the same way, security testing is not yet given its due place and significance today.
Our goal is to help integrate security-related test cases into the test scenarios and to make verification of the security requirements part of the continuous integration (CI) process.
Designing SSDL practices and activities
Integrating secure software development into the corporate development culture ensures that security receives due attention throughout the development lifecycle, in every phase from planning to maintenance. Relying on our expert materials, SSDL practices can be implemented on enterprise development platforms (JEE, .NET, etc.).
Hardening the development environment
An important aspect of security-aware development is ensuring a hardened and controlled environment for development and deployment. Measures in this area aim to prevent unauthorized persons from accessing or modifying the source code.
Designing and supporting other AppSec measures
With our own regulatory product, SeQA, our previous expert assignments, a decade of IAM development and our successes in ethical hacking, we are prepared to act as security consultants in software development processes at enterprises.
Preparing terms and conditions, guides and technical aid tools
We are at your disposal to draft the necessary security regulations, development guides and other technical aids that help with compliance audits and ensure that development processes meet the security and other standards of the given industry (e.g. PCI DSS, CC).
Under the AppSec/SSA (i.e. preventive) approach, the audit services listed below have to be integrated into the development process, either built into the testing phase or employed at some stage before delivery, while there is still time to change the application without violating testing or shipment protocols. Auditing applications already in live use is worthwhile only if the developer can ensure that the review results will be acted on within a short patch cycle, at reasonable cost or under warranty.
At Cloudbreaker we prefer white-box testing. Accordingly, we always recommend that our clients have their software's code reviewed by our expert, if possible from the early stages of development onward, but at the latest during the testing phase. In most cases the code review does not cover the entire source code; it focuses on the following aspects:
- Implementation of security functionality at architectural level,
- Actual implementation of security functions,
- Review of presumably vulnerable parts of the application/system.
Ideally, the code review is carried out in direct contact with the developers: we interview them about the code, explain how any weaknesses and errors found can be remedied, and check the corrections.
Pre-delivery penetration testing and evaluation
Control testing and full penetration testing are carried out by our specialized partner, Silent Signal.
Review of documentation
Review of installation and maintenance guides against the requirements of secure operation.