The technology, people, and processes your DevOps team needs to achieve security at speed

Whether you’re building a new application from the ground up or driving the growth of an existing product, embedding security into your DevOps process is an essential way to save your team time and cost while setting your organization up for long-term success.

Built as security rocket fuel, our Eureka DevSecOps managed service provides your DevOps teams with the people, processes and technology needed to build your security program from the ground up while maintaining speed in your agile software development life cycle (SDLC).

The Building Blocks of DevSecOps

 

People

We’ll assign a dedicated security consultant to your team who will champion your security efforts. They will integrate closely with your team, providing weekly support through security stand-ups and sprint planning sessions and advising on all other aspects of your security program.

Outside of your dedicated security consultant you will have full access to Forward Security’s team of application & cloud security experts to ensure your security needs are covered from end-to-end.

 

Processes

We’ll work closely with your team to instill the knowledge and industry-leading practices needed to build security fundamentals into your day-to-day processes. This includes the adoption of OWASP’s secure coding practices, along with their Application Security Verification Standard (ASVS).

Periodically throughout the annual engagement, the Forward Security team will host formal training sessions with your team covering topics such as secure application development, security awareness, and threat modelling.

 

Technology

During the discovery process our team will identify the right mix of security tools for the ongoing success of your business. These tools cover static code analysis, dependency checking, dynamic application scanning, infrastructure scanning, and SSL/TLS configuration scanning.

A secure Eureka CI/CD tool container containing the selected tools will be developed by our team; it can be easily deployed into your environment and becomes a long-term asset of your business.


Software Security Touchpoints

Our Service Packages:

Level 1: ideal for organizations without internal application security expertise, building a traditional, web, or mobile application.

Level 2: as Level 1, for organizations that also require the ability to block vulnerable 3rd party components and a higher level of application security maturity through adoption of standards.

Level 3: as Level 2, with continuous threat modelling.

Technology

» Code security analysis (all levels): OWASP Find Sec Bugs (Java, Kotlin, Groovy, Scala), Bandit (Python), Brakeman (Ruby on Rails)*

» 3rd party component vulnerability scanning:
  Level 1: OWASP Dependency Check, MergeBase scanner (unlimited scans)*
  Level 2: OWASP Dependency Check, MergeBase (unlimited scans, component level blocking)*
  Level 3: OWASP Dependency Check, MergeBase (unlimited scans, component and method level blocking)*

» Dynamic application security testing (all levels, active and passive): OWASP ZAP

» Infrastructure scanning (all levels): OpenVAS, Nessus

» SSL/TLS configuration analysis (all levels): SSLyze

People

» DevSecOps team member:
  Level 1: 12 hrs/month
  Level 2: 18 hrs/month
  Level 3: 24 hrs/month

Process

» Training:
  Level 1: secure application development, threat modelling
  Level 2: secure application development, security awareness, threat modelling
  Level 3: secure application development, security awareness, threat modelling, hands-on AppSec workshop

» Application security standard adoption (all levels): OWASP ASVS

*Open source tools are included and many commercial tools can be incorporated upon request (paid licenses are the client’s responsibility).
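The "component level blocking" offered at Level 2 and above, and the dependency-checking stage of the CI/CD tool container described under Technology, both come down to one pipeline step: read the scanner's report and fail the build when a component carries a vulnerability above an agreed severity, unless a reviewed, time-limited suppression covers it. The following is an added example of such a gate, written here to illustrate the idea; it is not Forward Security's Eureka code and MergeBase's method-level blocking (which needs call-graph data a report does not contain) is not reproduced. It reads an OWASP Dependency-Check JSON report; the field names used (dependencies, fileName, vulnerabilities, name, severity, cvssv3.baseScore, cvssv2.score) are an assumption about that report layout and should be verified against the version you run. The sample report and suppression list are constructed inline; CVE-2022-42889 (commons-text, "Text4Shell") is a real CRITICAL finding, while CVE-0000-0001 and CVE-0000-0002 are placeholder identifiers, not real CVEs.

```python
"""CI gate for vulnerable 3rd-party components (added example, not Eureka's own code).

Reads an OWASP Dependency-Check JSON report and fails the pipeline when a
component carries a vulnerability at or above a CVSS threshold, unless an
unexpired suppression covers that exact CVE/component pair.
Assumption: the field names below follow the Dependency-Check JSON report
as read here; verify them against the report your version emits.
"""
from __future__ import annotations

import json
import sys
from dataclasses import dataclass
from datetime import date

# Level 2/3 style "component level blocking": HIGH (>= 7.0) and CRITICAL findings fail the build.
CVSS_BLOCK_THRESHOLD = 7.0


@dataclass(frozen=True)
class Finding:
    component: str
    cve: str
    score: float
    severity: str


def cvss_score(vuln: dict) -> float:
    """Prefer the CVSSv3 base score; fall back to CVSSv2; an unknown score counts as 0."""
    v3 = vuln.get("cvssv3") or {}
    v2 = vuln.get("cvssv2") or {}
    return float(v3.get("baseScore") or v2.get("score") or 0.0)


def extract_findings(report: dict) -> list[Finding]:
    """Flatten the per-dependency report into one Finding per (component, CVE)."""
    findings = []
    for dep in report.get("dependencies", []):
        component = dep.get("fileName", "<unknown>")
        for vuln in dep.get("vulnerabilities") or []:
            findings.append(Finding(component, vuln.get("name", "<unknown>"),
                                    cvss_score(vuln), vuln.get("severity", "UNKNOWN")))
    return findings


def is_suppressed(f: Finding, suppressions: list[dict], today: date) -> bool:
    """A suppression must name the exact CVE and component and must not have expired;
    a blanket or open-ended suppression would silently reintroduce the risk."""
    return any(s["cve"] == f.cve and s["component"] == f.component
               and date.fromisoformat(s["expires"]) >= today
               for s in suppressions)


def blocked_findings(report: dict, suppressions: list[dict],
                     threshold: float = CVSS_BLOCK_THRESHOLD, today=None) -> list[Finding]:
    """Findings at or above the threshold that no valid suppression covers, worst first."""
    if isinstance(today, str):
        today = date.fromisoformat(today)
    today = today or date.today()
    hits = [f for f in extract_findings(report)
            if f.score >= threshold and not is_suppressed(f, suppressions, today)]
    return sorted(hits, key=lambda f: (-f.score, f.component, f.cve))


def gate(report: dict, suppressions: list[dict],
         threshold: float = CVSS_BLOCK_THRESHOLD, today=None) -> int:
    """Exit code for the CI job: 1 blocks the merge/deploy, 0 lets it through."""
    blocked = blocked_findings(report, suppressions, threshold, today)
    for f in blocked:
        print(f"BLOCK {f.component}: {f.cve} {f.severity} CVSS {f.score}")
    return 1 if blocked else 0


# Constructed sample report in the assumed shape. CVE-2022-42889 is real;
# CVE-0000-0001 and CVE-0000-0002 are placeholders, not real CVEs.
SAMPLE_REPORT = {
    "dependencies": [
        {"fileName": "commons-text-1.9.jar",
         "vulnerabilities": [{"name": "CVE-2022-42889", "severity": "CRITICAL",
                              "cvssv3": {"baseScore": 9.8}}]},
        {"fileName": "legacy-util-1.2.jar",
         "vulnerabilities": [{"name": "CVE-0000-0001", "severity": "HIGH",
                              "cvssv3": {"baseScore": 7.5}}]},
        {"fileName": "old-parser-0.9.jar",
         "vulnerabilities": [{"name": "CVE-0000-0002", "severity": "MEDIUM",
                              "cvssv2": {"score": 4.3}}]},
        {"fileName": "clean-lib-3.0.jar", "vulnerabilities": []},
    ]
}

# Constructed suppression list: each entry is a reviewed acceptance with an expiry date.
SAMPLE_SUPPRESSIONS = [
    {"cve": "CVE-0000-0001", "component": "legacy-util-1.2.jar", "expires": "2024-12-31",
     "reason": "vulnerable code path not reachable from this service"},
    # Expired: the gate stops honouring it and blocks the component again.
    {"cve": "CVE-2022-42889", "component": "commons-text-1.9.jar", "expires": "2023-01-31",
     "reason": "upgrade scheduled"},
]

if __name__ == "__main__":
    # Usage: python gate.py dependency-check-report.json suppressions.json
    rep = json.load(open(sys.argv[1])) if len(sys.argv) > 1 else SAMPLE_REPORT
    sup = json.load(open(sys.argv[2])) if len(sys.argv) > 2 else SAMPLE_SUPPRESSIONS
    sys.exit(gate(rep, sup, today="2024-06-01" if len(sys.argv) == 1 else None))
```

Run with no arguments it gates the embedded sample as of 2024-06-01: the commons-text finding is blocked because its suppression has expired, the placeholder HIGH finding passes under its still-valid suppression, and the MEDIUM finding sits below the threshold, so the job exits 1. Keeping suppressions exact (CVE plus component) and dated is the part teams most often get wrong; an undated wildcard turns the gate into a formality.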


Talk with us

Get in touch to book a complimentary security consultation