Paladion SSAP ensures that your software application(s) are designed, developed and deployed in a secure environment from the beginning.
Paladion SSAP keeps an eye on the business and security implications your software has for your organization, and continues to do so well after deployment.
Paladion SSAP helps your organization avoid common as well as evolving security threats and vulnerabilities that your application has, or may have, well before the deployment stage.
Our SSAP is a repeatable and scalable process which can be extended to all applications in your organization. The software security framework developed as part of the project enables your organization to decide which applications are covered and how frequently the various security tests need to be conducted.
Identify security vulnerabilities and bugs in your software or application caused by insecure coding practices or errors.
Our SSAP is based on six phases, namely current state assessment (based on the OpenSAMM framework), risk assessment (including both technical and process assessment), security standard definition, SSA governance definition and SSA Plynt certification.
Current State Assessment
As part of the assessment, current capabilities related to software security will be benchmarked against the Open SAMM framework. The 12 security practices under the four Open SAMM security domains, i.e. Governance, Construction, Verification and Deployment, will be verified. A checklist- and interview-based approach will be used for the assessment.
Finally, as part of the current state assessment, a maturity rating against the Open SAMM maturity levels will be identified.
Risk Assessment
Application-specific assessment will be conducted from phase 2 of the SSAP onwards. The critical applications for the organization shall be identified and a risk assessment will be conducted for that set of applications. The risk assessment activity is split into four levels of assessment covering design review (the design documents and the security requirements of the application will be reviewed), development review (source code review and application security testing), deployment review (the underlying infrastructure of the applications and the software security tools will be reviewed) and process review (review of the processes followed in application development and maintenance).
Security Standard Definition
As part of this phase, security standards will be developed for each of the critical applications for which the risk assessments were conducted. The standards will be developed taking into consideration the assessment results, the business requirements and the technical limitations, if any. The development standards may include secure coding and application security standards; deployment standards will include the baseline security standards for the operating systems, databases and software security tools; the process review will result in the definition of application monitoring standards.
SSA Governance Definition
As part of this phase, the governing policies and procedures for the success of the SSAP will be defined, along with the roles and responsibilities. Paladion will also develop a software security framework for the organization which helps the organization decide the security controls and security testing cycles for all of its applications. The processes required for secure software development and deployment, namely secure coding guidelines, the source code version control process, change and release management, software license management etc., will be defined as part of this phase.
Training and Awareness
Paladion will provide training and awareness sessions as part of this phase to different groups of users. Secure coding training will be specific to the developers, platform-specific training will be conducted for the developers as well as the deployers, and general security awareness training will be provided for other employees in the organization.
Master Implementation Roadmap
A master implementation roadmap will be developed taking into account the current state assessment, the risk assessment, the SSA standards and processes, and the defined governance structure. The master plan will largely include the following:
• Implementation of required organizational structure to operationalize the defined operating model for Software Security Assurance.
• Implementation of new/updated SSA processes.
• Implementation of new technologies.
• Improvements in the existing technologies.
SSA Plynt Certification
Paladion also proposes to certify the Software Security Assurance Program of the organization through “SSAP Plynt Certification”. A maturity assessment of the program and a risk assessment will be conducted prior to certification. The certification will be valid for a period of one year, after which it needs to be renewed by conducting a maturity assessment and a risk assessment.