Kroll understands that building and maintaining a successful application security (AppSec) program is not for the faint of heart.
A good AppSec program requires sound strategy and supporting processes to help guide software product teams in practicing secure coding habits, investing in the right security tools to reduce organizational risk and programs to measure the effectiveness of application security controls.
This may require a complete culture shift within your engineering and security teams to embrace a more secure software development lifecycle (SDLC).
Organizations will speed up their remediation of coding and vulnerabilities identified by static application security testing (SAST) by 30% with code suggestions applied from automated solutions, up from less than 1% today, reducing time spent fixing bugs by 50%
In May 2021, President Biden’s Executive Order 14028 accelerated U.S. Government’s efforts to secure the software supply chain with a host of standards and requirements, and ultimately created a new software security framework: NIST SP 800-208, a Secure Software Development Framework (SSDF). The SSDF lays out security practices, as well as tasks under each practice, that help companies build a fundamentally sound software security program.
In addition to the SSDF, our experts are also familiar with other proven standards and frameworks, such as the ISO 27034, OWASP Software Assurance Maturity Model (SAMM) and Building Security in Maturity Model (BSIMM).
As part of Kroll’s application security services, our product security experts assist clients in the end-to-end design, build and deployment of an application security program. We’re not just helping your team implement static (SAST) and/or dynamic application security testing (DAST) —our goal is to help organizations adopt programs that will enable them to effectively manage the security of their application portfolios while being nimble enough to address changes in business needs, technologies and operating environments.
Kroll experts provide engineering and security teams with the tools, processes, guidelines and confidence necessary to offer innovative products to their internal and external customers without exposing them to security vulnerabilities.
We do this by offering capabilities in the following key areas:
More detailed descriptions of these services are below:
Objectives in the development of a Kroll AppSec program may include:
Application threat modeling is the process by which a development team analyzes how to protect an application by identifying and mitigating potential design and/or implementation weaknesses. By identifying potential weaknesses in a system, the development team can pinpoint design and implementation issues that require mitigation more efficiently.
We believe that organizations have an obligation to understand the risks they face. Without an effective program, an organization cannot effectively allocate the resources available to maximize its protection.
The Kroll team has created a framework that enables developers to perform application threat modeling with the help of a full suite of templates, standards, common vulnerabilities, security controls and process documentation. By also utilizing a comprehensive range of tooling, development teams benefit from reliable vulnerability coverage and from knowing that threats have been mitigated.
Learn More About Kroll’s Application Threat Modeling Capabilities
Kroll works with you to create custom security automation and integration solutions for greater security of your continuous integration and continuous delivery (CI/CD) pipelines. We help you integrate and onboard SAST, SCA, IaC and DAST into your CI/CD deployments, so you can find and address security vulnerabilities sooner.
Kroll’s application security experts have both the deep technical backgrounds and integration experience to help clients secure software in various states from pre-deployment (non-running) to post-deployment (running state).
A security champions program is fundamental to the overall success of a modern and mature AppSec program, as it fosters an organization-wide security culture and embeds a security conscience within the development team. Kroll’s team of experts design and implement security champion programs with the goal of helping to scale your broader AppSec program to align with company goals.
We assist with each step in establishing your security champions program, including program management, establishing a community and network, security champion recruitment, development, support, as well as development and maintenance of a central knowledge base. We also help in providing training through brown bag meetings and table-top walk-through sessions.
Agile pen testing is a systematic way to visualize and remediate possible risks in an application within its existing deployment lifecycle. In the same way that features are added or updated constantly throughout a product launch, continuous security assessments ensure the security of those new features are being verified on an ongoing basis.
Agile software development programs are common among app development teams, but penetration testing largely remains an activity performed apart from the product release schedule. Our agile pen testing approach is designed to be seamlessly incorporated into your software development lifecycle to reduce the amount of time between coding tweaks and security assessments, ensuring that code does not go live with unidentified risks.
Kroll’s deep expertise in program planning and onboarding with teams largely eliminates undue distractions to current development processes. In addition, our dedicated program team maintains sharp focus on instilling institutional knowledge by providing continuity and support for making security-forward technical decisions.
Kroll’s secure SDLC review adapts two industry-recognized frameworks, the Open Web Application Security Project (OWASP) Software Assurance Maturity Model (SAMM) and the National Institute of Standards and Technology (NIST) Special Publication (SP) 800-218, also known as Security Software Development Framework (SSDF). Kroll’s review provides you with complete view of your software and application security capabilities, identifies gaps, and uncover opportunities for improvement to both capabilities and overall program maturity to help:
Key Benefits
All our application security services can be delivered as part of Kroll’s ultra-flexible Cyber Risk Retainer, along with a variety of services like penetration testing, red team and tabletop exercises. With the retainer, in addition to packaging all solutions under a flexible package, clients gain prioritized access to Kroll’s elite digital forensics and incident response team in the event of an incident.
Kroll’s solutions deliver a powerful competitive advantage, enabling faster, smarter and more sustainable decisions related to risk, governance and growth.
Our team serves clients in 140 countries across six continents, spanning nearly every industry and sector. To help our clients stay ahead of today’s complex demands, we developed AppSec services that enable faster, smarter and more sustainable business decisions.
Our goal is to help companies make application security a strategic initiative that considers the current threat landscape, changes in software development and customer demand for products that can be trusted.
Discover how Kroll partnered with their client to gain a comprehensive understanding of its unique infrastructure and security needs, identifying gaps and recommending data-driven insights to achieve a sustainable and highly effective security program.
Manage risk, not spreadsheets. Identify and remediate cybersecurity risks inherent in third-party relationships, helping achieve compliance with regulations such as NYDFS, FARS, GDPR, etc.
Ensure that your third parties are handling sensitive data according to regulatory guidelines and industry standards with our cyber audits and reviews.
Helping organizations manage CFIUS, Team Telecom and FOCI requirements.
Kroll’s field-proven incident response tabletop exercise scenarios are customized to test all aspects of your response plan and mature your program.
by Jamy Casteel