Application Security Services

Kroll’s product security experts upscale your AppSec program with strategic application security services catered to your team’s culture and needs, merging engineering and security into a nimble unit.
Watch as Rahul Raghavan, Kroll Director of Application Security Advisory Services, explains what application security is, why it is important and Kroll’s AppSec approach.

Kroll understands that building and maintaining a successful application security (AppSec) program is not for the faint of heart.

A good AppSec program requires a sound strategy and supporting processes: guidance that helps software product teams practice secure coding habits, investment in the right security tools to reduce organizational risk, and programs that measure the effectiveness of application security controls.

This may require a complete culture shift within your engineering and security teams to embrace a more secure software development lifecycle (SDLC).

The State of Application Security

Gartner’s Magic Quadrant for Application Security Testing postulates that by 2025:

  • 70% of attacks against containers will be from known vulnerabilities and misconfigurations that could have been remediated
  • Organizations will speed up their remediation of coding and vulnerabilities identified by static application security testing (SAST) by 30% with code suggestions applied from automated solutions, up from less than 1% today, reducing time spent fixing bugs by 50%

In May 2021, President Biden’s Executive Order 14028 accelerated the U.S. Government’s efforts to secure the software supply chain with a host of standards and requirements, and ultimately led to a new software security framework: NIST SP 800-218, the Secure Software Development Framework (SSDF). The SSDF lays out security practices, as well as tasks under each practice, that help companies build a fundamentally sound software security program.

In addition to the SSDF, our experts are also familiar with other proven standards and frameworks, such as ISO 27034, the OWASP Software Assurance Maturity Model (SAMM) and the Building Security In Maturity Model (BSIMM).

As part of Kroll’s application security services, our product security experts assist clients in the end-to-end design, build and deployment of an application security program. We are not just helping your team implement static (SAST) and/or dynamic application security testing (DAST): our goal is to help organizations adopt programs that enable them to effectively manage the security of their application portfolios while remaining nimble enough to address changes in business needs, technologies and operating environments.

Kroll experts provide engineering and security teams with the tools, processes, guidelines and confidence necessary to offer innovative products to their internal and external customers without exposing them to security vulnerabilities.

We do this by offering capabilities in the following key areas:

  • Application Security Strategy and Program Development
  • Application Threat Modeling
  • Tooling and Automation
  • Agile Pen Testing
  • Security Champions Program
  • Secure SDLC Review

More detailed descriptions of these services are below:

Going Beyond SAST and DAST

Application Security Strategy & Program Development

Objectives in the development of a Kroll AppSec program may include:

  • Design application security strategy and define governance frameworks that drive implementation while remaining aligned with strategic business objectives
  • Define processes, procedures and guidelines to align assessment strategies to business needs
  • Measure and scale current vulnerability management posture by building efficiency in security testing and downstream remediation
  • Strategize service delivery capabilities within security engineering teams to position and operate as an internal service organization
  • Assist in building internal capabilities within the software development and deployment ecosystem to effectively meet desired software security goals and objectives

Application Threat Modeling

Application threat modeling is the process by which a development team analyzes how to protect an application by identifying and mitigating potential design and/or implementation weaknesses. By identifying potential weaknesses in a system, the development team can pinpoint design and implementation issues that require mitigation more efficiently.

We believe that organizations have an obligation to understand the risks they face. Without an effective program, an organization cannot effectively allocate the resources available to maximize its protection.

The Kroll team has created a framework that enables developers to perform application threat modeling with the help of a full suite of templates, standards, common vulnerabilities, security controls and process documentation. By also utilizing a comprehensive range of tooling, development teams benefit from reliable vulnerability coverage and from knowing that threats have been mitigated.

AppSec Tooling and Automation

Kroll works with you to create custom security automation and integration solutions for greater security of your continuous integration and continuous delivery (CI/CD) pipelines. We help you integrate and onboard SAST, software composition analysis (SCA), infrastructure-as-code (IaC) scanning and DAST into your CI/CD deployments, so you can find and address security vulnerabilities sooner.

Kroll’s application security experts have both the deep technical backgrounds and integration experience to help clients secure software in various states from pre-deployment (non-running) to post-deployment (running state).

Security Champions Program

A security champions program is fundamental to the overall success of a modern and mature AppSec program, as it fosters an organization-wide security culture and embeds a security conscience within the development team. Kroll’s team of experts designs and implements security champion programs with the goal of helping to scale your broader AppSec program to align with company goals.

We assist with each step in establishing your security champions program, including program management, establishing a community and network, security champion recruitment, development and support, as well as development and maintenance of a central knowledge base. We also help in providing training through brown bag meetings and table-top walk-through sessions.

Agile Penetration Testing

Agile pen testing is a systematic way to visualize and remediate possible risks in an application within its existing deployment lifecycle. In the same way that features are added or updated constantly throughout a product launch, continuous security assessments ensure that the security of those new features is verified on an ongoing basis.

Agile software development programs are common among app development teams, but penetration testing largely remains an activity performed apart from the product release schedule. Our agile pen testing approach is designed to be seamlessly incorporated into your software development lifecycle to reduce the amount of time between coding tweaks and security assessments, ensuring that code does not go live with unidentified risks. 

Kroll’s deep expertise in program planning and onboarding with teams largely eliminates undue distractions to current development processes. In addition, our dedicated program team maintains sharp focus on instilling institutional knowledge by providing continuity and support for making security-forward technical decisions.

Our Secure SDLC Approach

Kroll’s secure SDLC review adapts two industry-recognized frameworks, the Open Web Application Security Project (OWASP) Software Assurance Maturity Model (SAMM) and the National Institute of Standards and Technology (NIST) Special Publication (SP) 800-218, also known as the Secure Software Development Framework (SSDF). Kroll’s review provides you with a complete view of your software and application security capabilities, identifies gaps, and uncovers opportunities for improvement to both capabilities and overall program maturity to help:

  • Prevent threats, vulnerabilities, and weaknesses early in the SDLC
  • Detect and identify vulnerabilities and weaknesses early and throughout the SDLC
  • Proactively and continuously detect and monitor for threats and vulnerabilities post-release and post-deployment
  • Protect runtime environments from active threats

Key Benefits

  • Identify and Address Gaps
    We pinpoint where your SDLC could be more aligned with best practices.
  • Comprehensive Coverage
    We thoroughly examine your SDLC and current security capabilities against your adopted technologies and coverage requirements.
  • Depth
    We explore how your current tools are implemented and how well they are adopted. We match the primary and secondary purposes of the tools against your needs to find opportunities to maximize their value.
  • Resolve Adoption Challenges
    We identify adoption issues and provide insights into the likely root cause and how to increase adoption.

Application Security Services and Secure SDLC Reviews Can be Part of a Cyber Risk Retainer

All our application security services can be delivered as part of Kroll’s ultra-flexible Cyber Risk Retainer, along with a variety of services like penetration testing, red team and tabletop exercises. With the retainer, in addition to packaging all solutions under a flexible package, clients gain prioritized access to Kroll’s elite digital forensics and incident response team in the event of an incident.

Why Kroll? 

  • Our team conducts more than 100,000 hours of cyber security assessments every year and carries well over 100 security certifications encompassing offensive security, cloud, penetration testing, mobile and web testing.
  • Kroll handles over 3,000 incident response cases worldwide every year, enabling us to leverage the latest frontline threat intelligence and adversary mindset in every engagement.
  • Proprietary testing, digital forensics, parsing and assessment tooling is developed at a rapid pace by Kroll experts who understand the implications of DevSecOps at a practical, not theoretical level.
  • As former CISOs and current vCISOs, our experts operate nimbly at the intersection of business, strategy and security and can speak the language of board members as well as that of engineers.
  • With a team dedicated to cyber insurance carrier and broker relationships, Kroll understands underwriting requirements and can help maximize the effectiveness of your cyber coverage.

Who We Are

Kroll’s solutions deliver a powerful competitive advantage, enabling faster, smarter and more sustainable decisions related to risk, governance and growth. 

Our team serves clients in 140 countries across six continents, spanning nearly every industry and sector. To help our clients stay ahead of today’s complex demands, we developed AppSec services that enable faster, smarter and more sustainable business decisions.

Our goal is to help companies make application security a strategic initiative that considers the current threat landscape, changes in software development and customer demand for products that can be trusted.

Frequently Asked Questions

Application security is a strategic initiative that allows organizations to create and release trustworthy software to their customers. A strong application security program integrates security throughout a company’s culture, processes and technologies. When security is infused into every step of the application lifecycle, issues are addressed sooner and customers get secure-by-default versions of a product.