Secure SDLC Process Review

Embed security into every stage of your development lifecycle

Securing the big picture

You can pentest an application and fix every finding — and still get breached because the build pipeline was compromised or a dependency auto-update pulled in a malicious package. Security doesn’t stop at the application code.

To truly improve the security posture of a project or company, both the application and the architecture need to be addressed, but so does the Software Development Lifecycle (SDLC) itself. It needs security controls at both the process and the functional level.

Tools are nice, but what about their results?

I see this pattern regularly: a team integrates SAST and SCA scanners into their CI/CD pipeline, gets overwhelmed by the initial flood of findings, and then either ignores most of them or turns the scanners off entirely. The tooling was fine. The process around it wasn’t.

After enhancing build pipelines with DevSecOps elements, process-related questions like finding consolidation, false positive management, baseline handling, and many more are what determines whether security scanning actually sticks as part of the development workflow.
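The process questions named above (consolidating findings from several scanners, suppressing reviewed false positives, keeping a baseline of accepted risk, and gating the build only on what is genuinely new) can be made concrete in a small triage step that runs after the scanners. The following is an added example, not code from the page or from any particular scanner: the finding schema, the sample findings and the baseline are constructed, and the vulnerability ids are placeholders.

```python
"""Consolidate SAST/SCA findings, apply a triage baseline, and decide a build gate."""
import hashlib
from datetime import date

# Severity order used by the build gate.
SEVERITY_RANK = {"low": 1, "medium": 2, "high": 3, "critical": 4}

# Constructed sample findings in a simplified, tool-neutral schema (an assumption;
# real scanner output, native or SARIF, would be mapped into it first).
SAST_FINDINGS = [
    {"tool": "sast", "rule": "sql-injection", "file": "app/db.py", "line": 42,
     "snippet": "cursor.execute(query % name)", "severity": "high"},
    {"tool": "sast", "rule": "hardcoded-secret", "file": "tests/fixtures/keys.py", "line": 3,
     "snippet": "API_KEY = 'dummy-test-key'", "severity": "medium"},
]
SCA_FINDINGS = [
    {"tool": "sca", "rule": "VULN-PLACEHOLDER-0001", "file": "requirements.txt", "line": 12,
     "snippet": "examplelib==1.2.3", "severity": "critical"},
    # The same finding reported twice (e.g. manifest and lockfile): must collapse to one.
    {"tool": "sca", "rule": "VULN-PLACEHOLDER-0001", "file": "requirements.txt", "line": 12,
     "snippet": "examplelib==1.2.3", "severity": "critical"},
    {"tool": "sca", "rule": "VULN-PLACEHOLDER-0002", "file": "requirements.txt", "line": 15,
     "snippet": "otherlib==0.9.0", "severity": "low"},
]


def fingerprint(finding):
    """Stable identity for a finding. The line number is deliberately left out so that
    unrelated edits shifting code up or down do not turn a triaged finding into a new one."""
    key = "|".join([finding["tool"], finding["rule"], finding["file"], finding["snippet"]])
    return hashlib.sha256(key.encode()).hexdigest()[:16]


def consolidate(*sources):
    """Merge findings from several scanners and drop duplicates by fingerprint."""
    merged = {}
    for findings in sources:
        for f in findings:
            fp = fingerprint(f)
            merged.setdefault(fp, dict(f, fingerprint=fp))
    return list(merged.values())


# Constructed baseline: reviewed fingerprints with a status, a reason and an expiry date,
# so that accepted risks are re-reviewed instead of being silenced forever.
BASELINE = {
    fingerprint(SAST_FINDINGS[0]): {"status": "accepted_risk",
                                    "reason": "internal admin tool, see TICKET-PLACEHOLDER",
                                    "expires": "2025-12-31"},
    fingerprint(SAST_FINDINGS[1]): {"status": "false_positive",
                                    "reason": "test fixture, not a real credential",
                                    "expires": "2026-12-31"},
}


def triage(findings, baseline, today):
    """Split consolidated findings into new / known (accepted risk) / suppressed (false
    positive). Expired baseline entries fall back to 'new' so they get looked at again."""
    report = {"new": [], "known": [], "suppressed": []}
    for f in findings:
        entry = baseline.get(f["fingerprint"])
        if entry is None or date.fromisoformat(entry["expires"]) < today:
            report["new"].append(f)
        elif entry["status"] == "false_positive":
            report["suppressed"].append(f)
        else:
            report["known"].append(f)
    return report


def should_fail_build(report, threshold="high"):
    """Gate only on *new* findings at or above the threshold. Known and suppressed findings
    never block the pipeline, which is what keeps teams from switching the scanners off."""
    limit = SEVERITY_RANK[threshold]
    return any(SEVERITY_RANK[f["severity"]] >= limit for f in report["new"])


if __name__ == "__main__":
    findings = consolidate(SAST_FINDINGS, SCA_FINDINGS)
    report = triage(findings, BASELINE, today=date(2025, 6, 1))
    for bucket, items in report.items():
        print(bucket, [f["rule"] for f in items])
    print("fail build:", should_fail_build(report))
```

The baseline file (here a dict) is the artifact that belongs under version control next to the pipeline definition: every entry carries who accepted it, why, and until when, so the suppression itself is reviewable and the scanner's findings stay meaningful instead of becoming background noise.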

Challenges of agile organizations

Agile teams can schedule dedicated security sprints to work on the most pressing security issues, but this also requires management and product owners to support the effort. That's where awareness training usually helps: it gets all stakeholders to buy into the security culture and creates the space for targeted non-functional improvements. This also includes making progress visible across the company via dashboards and detecting trends, so that improvements are guided towards the areas with the best leverage.

Distributed development teams

For geographically distributed development teams (including off-shore and near-shore) and especially with today's home-office based team splits, it is also crucial to secure the paths along which code is created and flows into production, so that neither code nor base images can be backdoored through a compromised build pipeline.

Cloud & containers

Even small and sometimes leftover gaps, such as missing automated checks against the accidental check-in of secrets or accidentally unprotected cloud storage buckets, are often what attackers end up exploiting. Correct and secure management of the secrets used in production systems (keys, passphrases, tokens, certificates, etc.) involves more than technical elements like vaults: beyond the more complex technical aspects, organizational aspects need to be addressed as well, especially when cloud environments and container platforms are used.
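The "missing automated check against accidental check-in of secrets" is the kind of gap a pre-commit hook closes. The script below is an added example, not code from the page or from any existing secret-scanning tool: the rule set, the entropy threshold, the `pragma: allowlist secret` marker for reviewed exceptions and the sample files are all assumptions. The AWS access key id in the sample is the publicly documented example id, and the private-key material is omitted.

```python
"""Pre-commit style check that refuses a commit when staged text looks like a secret."""
import math
import re
import subprocess
import sys

# Detection rules. The AWS access key id format and the PEM private-key header are public
# formats; the assignment rule catches `password = "..."`-style lines and is confirmed with
# an entropy check to cut false positives such as placeholder passwords.
RULES = [
    ("aws_access_key_id", re.compile(r"\bAKIA[0-9A-Z]{16}\b")),
    ("private_key_block", re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH |DSA )?PRIVATE KEY-----")),
    ("high_entropy_assignment",
     re.compile(r"(?i)(?:secret|token|password|passwd|api[_-]?key)\s*[:=]\s*['\"]"
                r"([A-Za-z0-9_\-+/=]{20,})['\"]")),
]
ENTROPY_THRESHOLD = 4.0                        # bits per character (assumed threshold)
ALLOWLIST_MARKER = "pragma: allowlist secret"  # assumed convention for reviewed exceptions


def shannon_entropy(s):
    """Bits per character; random-looking strings sit near 4.5 to 6, words near 3."""
    counts = {c: s.count(c) for c in set(s)}
    return -sum(n / len(s) * math.log2(n / len(s)) for n in counts.values())


def scan_text(path, text):
    """Return (path, line_no, rule) for every suspicious line in `text`."""
    hits = []
    for no, line in enumerate(text.splitlines(), start=1):
        if ALLOWLIST_MARKER in line:
            continue
        for name, rx in RULES:
            m = rx.search(line)
            if not m:
                continue
            if name == "high_entropy_assignment" and shannon_entropy(m.group(1)) < ENTROPY_THRESHOLD:
                continue  # low-entropy value such as a repeated placeholder word
            hits.append((path, no, name))
    return hits


def check(files):
    """Scan a {path: text} mapping and collect all hits."""
    hits = []
    for path, text in files.items():
        hits.extend(scan_text(path, text))
    return hits


def staged_files():
    """Paths staged for the next commit (only meaningful inside a git checkout)."""
    out = subprocess.run(["git", "diff", "--cached", "--name-only", "--diff-filter=ACM"],
                         capture_output=True, text=True, check=True).stdout
    return [p for p in out.splitlines() if p]


# Constructed sample "staged" files, used when the script runs outside a git checkout.
SAMPLE_FILES = {
    "config/settings.py": (
        'DB_PASSWORD = "${DB_PASSWORD}"\n'                                    # env reference: fine
        'API_TOKEN = "Zx9qLp3vN7tR2wYh8kMb4cJf6dGs1aEu"\n'                    # random-looking: flagged
        'TEST_TOKEN = "Zx9qLp3vN7tR2wYh8kMb4cJf6dGs1aEu"  # pragma: allowlist secret\n'
    ),
    "deploy/aws.env": "AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE\n",           # documented example id
    "certs/server.key": "-----BEGIN RSA PRIVATE KEY-----\n(key material omitted)\n",
}

if __name__ == "__main__":
    try:
        files = {p: open(p, encoding="utf-8", errors="ignore").read() for p in staged_files()}
    except (subprocess.CalledProcessError, FileNotFoundError):
        files = SAMPLE_FILES
    hits = check(files)
    for path, no, rule in hits:
        print(f"{path}:{no}: possible secret ({rule})")
    sys.exit(1 if hits else 0)
```

Wired in as a pre-commit hook (or as a pipeline step over the changed files), a non-zero exit blocks the commit; the allowlist marker exists so that a reviewed exception is recorded in the code itself rather than by disabling the check.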

Forensic readiness

What happens when a breach actually occurs?

That answer should exist before the breach does, not in the middle of one. Your organization needs to assess its DFIR-Readiness (Digital Forensics & Incident Response): Can you quickly identify and isolate compromised systems while preserving evidence? Do you have the capability to analyze them forensically, gather Indicators of Compromise (IoC), rotate compromised keys and certificates? And can you determine whether data was exfiltrated, including through less obvious channels like DNS-based out-of-band exfiltration?
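The DNS-based out-of-band exfiltration mentioned above is a good test of forensic readiness, because it only shows up if resolver query logs are kept and someone has a way to look at them. The following is an added example of such a look, not code from the page: it profiles a constructed query log per client and registered domain and flags domains that receive many unique, long, high-entropy subdomains. The log format, the thresholds and the `.test` domain are assumptions, and the registered-domain approximation (last two labels) should be replaced by a public suffix list lookup in real use.

```python
"""Flag DNS query patterns that look like tunnelling or out-of-band exfiltration."""
import math
from collections import defaultdict


def shannon_entropy(s):
    counts = {c: s.count(c) for c in set(s)}
    return -sum(n / len(s) * math.log2(n / len(s)) for n in counts.values())


def parse_line(line):
    """Constructed log format (assumption): '<timestamp> <client-ip> <qname> <qtype>'."""
    _ts, client, qname, qtype = line.split()
    return client, qname.rstrip(".").lower(), qtype


def split_name(qname):
    """Approximate the registered domain as the last two labels. Real deployments should
    use the public suffix list, where e.g. 'example.co.uk' is the registered domain."""
    labels = qname.split(".")
    return ".".join(labels[-2:]), ".".join(labels[:-2])


def profile(lines):
    """Per (client, registered domain): unique subdomains, query count, TXT/NULL count."""
    stats = defaultdict(lambda: {"subdomains": set(), "queries": 0, "txt": 0})
    for line in lines:
        client, qname, qtype = parse_line(line)
        domain, sub = split_name(qname)
        s = stats[(client, domain)]
        s["queries"] += 1
        s["txt"] += qtype in ("TXT", "NULL")
        if sub:
            s["subdomains"].add(sub)
    return stats


def detect(lines, min_unique=5, min_avg_len=25, min_entropy=3.5):
    """Alert when one client sends many distinct, long, random-looking subdomains to one
    domain. Thresholds are assumptions to tune per environment: CDNs, telemetry and
    anti-virus lookups also produce hash-like labels and need allowlisting."""
    alerts = []
    for (client, domain), s in profile(lines).items():
        subs = s["subdomains"]
        if len(subs) < min_unique:
            continue
        avg_len = sum(len(x) for x in subs) / len(subs)
        ent = shannon_entropy("".join(subs).replace(".", ""))
        if avg_len >= min_avg_len and ent >= min_entropy:
            alerts.append({"client": client, "domain": domain,
                           "unique_subdomains": len(subs),
                           "avg_subdomain_len": round(avg_len, 1),
                           "entropy": round(ent, 2),
                           "txt_ratio": round(s["txt"] / s["queries"], 2)})
    return alerts


# Constructed sample log: ordinary lookups from one client, and a second client sending
# chunked random-looking labels (rotations of a 32-character alphabet) as TXT queries.
_BASE = "q7v2kz9p4mx1rn8bwt3hy6cj5ld0fsga"
SAMPLE_LOG = [
    "2024-05-01T10:00:01Z 10.0.0.5 www.example.com A",
    "2024-05-01T10:00:02Z 10.0.0.5 mail.example.com MX",
    "2024-05-01T10:00:03Z 10.0.0.5 cdn.example.com A",
    "2024-05-01T10:00:04Z 10.0.0.5 www.example.com A",
] + [
    f"2024-05-01T10:01:{i:02d}Z 10.0.0.7 {i:02d}{_BASE[i:]}{_BASE[:i]}.data.exfil-placeholder.test TXT"
    for i in range(6)
]

if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(alert)
```

The point for readiness is less the heuristic than the preconditions it exposes: query logs have to exist with client attribution, be retained long enough to cover the incident window, and be queryable by the people doing the response.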

Review goal

As the examples above show, the true security posture of an organization goes far beyond purely technical matters…

It also includes humans and processes as well as their interplay as part of a strong security strategy. That’s exactly what this review is about: Finding spots where to improve and providing guidance as part of a roadmap.

As every organization is unique, I usually create an individual audit catalog in close collaboration with the customer's security team. This acts as the foundation of a streamlined project review and improvement process: determining levels (or belts), building a scorecard scheme, and defining roadmap steps to reach and maintain a high security level. As most process reviews are quite individual to your company and current needs: Let's talk

This service also supports technical security requirements commonly referenced in modern cybersecurity regulations.