It doesn’t matter what stage your application is in – from design/architecture to deployment; or what type of application it is – Web, Cloud, Mobile, IoT, Embedded or even mainframe. Our application security consulting services look for vulnerabilities and flaws in your applications and software development practices and always provide a remediation plan to ensure all problems can be fixed.
Jedi security risk assessments help you identify missing or weak security controls, understand secure design best practices, and mitigate security flaws, decreasing your risk of a breach.
Invented in 1999 and adopted by Microsoft in 2002, STRIDE is currently the most mature threat-modeling method. STRIDE has evolved over time to include new threat-specific tables and the variants STRIDE-per-Element and STRIDE-per-Interaction.
STRIDE evaluates the system's detailed design. It models the in-place system. By building data-flow diagrams (DFDs), STRIDE is used to identify system entities, events, and the boundaries of the system. STRIDE applies a general set of known threats based on its name, which is a mnemonic, as shown in the following table:
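As an added illustration of how STRIDE-per-Element is applied to a DFD (this is not Jedi Security's tooling and not code from the page), the script below encodes a small constructed DFD of a browser, a web application, an API process and a database, and enumerates the STRIDE categories that apply to each element type. The element-type-to-threat chart is the standard Microsoft SDL STRIDE-per-element chart; flows whose endpoints sit in different trust zones are flagged because those are the threats a reviewer normally triages first. Element names, trust-zone labels and the sample DFD are all assumptions made for the example.

```python
"""STRIDE-per-element threat enumeration over a constructed data-flow diagram."""
from dataclasses import dataclass
from enum import Enum


class Kind(Enum):
    EXTERNAL = "external entity"
    PROCESS = "process"
    STORE = "data store"
    FLOW = "data flow"


# The STRIDE mnemonic and the security property each threat category violates.
STRIDE = {
    "S": "Spoofing (violates authentication)",
    "T": "Tampering (violates integrity)",
    "R": "Repudiation (violates non-repudiation)",
    "I": "Information disclosure (violates confidentiality)",
    "D": "Denial of service (violates availability)",
    "E": "Elevation of privilege (violates authorization)",
}

# STRIDE-per-element chart (Microsoft SDL): which categories apply to which
# DFD element type. Repudiation on a data store applies where the store holds
# logs or audit records.
PER_ELEMENT = {
    Kind.EXTERNAL: "SR",
    Kind.PROCESS: "STRIDE",
    Kind.FLOW: "TID",
    Kind.STORE: "TRID",
}


@dataclass(frozen=True)
class Element:
    name: str
    kind: Kind
    trust_zone: str          # constructed labels: "internet", "dmz", "internal"
    endpoints: tuple = ()    # (source, destination) element names; flows only


def enumerate_threats(dfd):
    """Return one (element name, STRIDE letter, crosses_boundary) per threat.

    crosses_boundary is True for data flows whose endpoints are in different
    trust zones, i.e. flows that cross a trust boundary on the DFD.
    """
    by_name = {e.name: e for e in dfd}
    threats = []
    for el in dfd:
        crosses = False
        if el.kind is Kind.FLOW:
            src, dst = (by_name[n] for n in el.endpoints)
            crosses = src.trust_zone != dst.trust_zone
        for letter in PER_ELEMENT[el.kind]:
            threats.append((el.name, letter, crosses))
    return threats


def summarize(threats):
    """Count enumerated threats per STRIDE letter."""
    counts = {letter: 0 for letter in STRIDE}
    for _, letter, _ in threats:
        counts[letter] += 1
    return counts


# Constructed sample DFD: browser -> web app -> API -> orders database.
SAMPLE_DFD = [
    Element("browser", Kind.EXTERNAL, "internet"),
    Element("web app", Kind.PROCESS, "dmz"),
    Element("api", Kind.PROCESS, "internal"),
    Element("orders db", Kind.STORE, "internal"),
    Element("http request", Kind.FLOW, "internet", ("browser", "web app")),
    Element("api call", Kind.FLOW, "dmz", ("web app", "api")),
    Element("sql query", Kind.FLOW, "internal", ("api", "orders db")),
]

if __name__ == "__main__":
    found = enumerate_threats(SAMPLE_DFD)
    for name, letter, crosses in found:
        flag = "  [crosses trust boundary]" if crosses else ""
        print(f"{name:14s} {letter}: {STRIDE[letter]}{flag}")
    print(summarize(found))
```

The output is the raw threat list a STRIDE session starts from; each line still needs an analyst to decide whether an existing control mitigates it, which is the part no chart automates.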
The Process for Attack Simulation and Threat Analysis (PASTA) is a risk-centric threat-modeling framework developed in 2012. It contains seven stages, each with multiple activities.
PASTA aims to bring business objectives and technical requirements together. It uses a variety of design and elicitation tools in different stages. This method elevates the threat-modeling process to a strategic level by involving key decision makers and requiring security input from operations, governance, architecture, and development. Widely regarded as a risk-centric framework, PASTA employs an attacker-centric perspective to produce an asset-centric output in the form of threat enumeration and scoring.
Trike was created as a security audit framework that uses threat modeling as a technique. It looks at threat modeling from a risk-management and defensive perspective.
As with many other methods, Trike starts with defining a system. Our analyst builds a requirement model by enumerating and understanding the system’s actors, assets, intended actions, and rules. This step creates an actor-asset-action matrix in which the columns represent assets and the rows represent actors.
Each cell of the matrix is divided into four parts, one for each action of CRUD (creating, reading, updating, and deleting). In these cells, our analyst assigns one of three values: allowed action, disallowed action, or action with rules. A rule tree is attached to each cell.
After defining requirements, a data flow diagram (DFD) is built. Each element is mapped to a selection of actors and assets. Iterating through the DFD, the analyst identifies threats, which fall into one of two categories: elevations of privilege or denials of service. Each discovered threat becomes a root node in an attack tree.
To assess the risk of attacks that may affect assets through CRUD, Trike uses a five-point scale for each action, based on its probability. Actors are rated on five-point scales for the risks they are assumed to present (lower number = higher risk) to the asset. Also, actors are evaluated on a three-dimensional scale (always, sometimes, never) for each action they may perform on each asset.
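The actor-asset-action matrix and its two threat categories are concrete enough to show in code. The example below is an added illustration, not Jedi Security's or Trike's own tooling: it builds a constructed requirement model for a small order system (actors "customer" and "clerk", assets "order" and "price_list"), stores a verdict of allowed, disallowed, or with-rules in each CRUD slot, attaches a rule predicate where rules apply, and then classifies an observed outcome as an elevation of privilege (an unintended action succeeded) or a denial of service (an intended action was blocked). The rule predicates and the request context keys are assumptions made for the example.

```python
"""Trike-style actor-asset-action matrix with CRUD cells and attached rules."""
from enum import Enum


class Verdict(Enum):
    ALLOWED = "allowed action"
    DISALLOWED = "disallowed action"
    WITH_RULES = "action with rules"


CRUD = ("create", "read", "update", "delete")


# Rule trees: each WITH_RULES cell carries a predicate over the request
# context; nesting predicates with and/or gives the tree shape Trike
# describes. These rules and context keys are constructed for the example.
def own_record(ctx):
    return ctx.get("owner") == ctx.get("actor")


def order_open(ctx):
    return ctx.get("status") == "open"


def own_and_open(ctx):
    return own_record(ctx) and order_open(ctx)


def cell(create, read, update, delete):
    """One matrix cell: a CRUD action -> (Verdict, rule-or-None) mapping."""
    return dict(zip(CRUD, (create, read, update, delete)))


A = (Verdict.ALLOWED, None)
D = (Verdict.DISALLOWED, None)

# Requirement model (constructed): rows are actors, columns are assets.
MATRIX = {
    "customer": {
        "order": cell(A, (Verdict.WITH_RULES, own_record),
                      (Verdict.WITH_RULES, own_and_open), D),
        "price_list": cell(D, A, D, D),
    },
    "clerk": {
        "order": cell(A, A, (Verdict.WITH_RULES, order_open), D),
        "price_list": cell(A, A, A, D),
    },
}


def intended(actor, asset, action, ctx=None):
    """True when the requirement model intends this actor to take this action."""
    verdict, rule = MATRIX[actor][asset][action]
    if verdict is Verdict.WITH_RULES:
        return bool(rule(ctx or {}))
    return verdict is Verdict.ALLOWED


def classify(actor, asset, action, succeeded, ctx=None):
    """Map an observed outcome to one of Trike's two threat categories.

    Returns "elevation of privilege" when an action the model does not intend
    succeeded, "denial of service" when an intended action was blocked, and
    None when the system behaved exactly as the requirement model says.
    """
    should = intended(actor, asset, action, ctx)
    if succeeded and not should:
        return "elevation of privilege"
    if not succeeded and should:
        return "denial of service"
    return None


if __name__ == "__main__":
    alice_own = {"actor": "alice", "owner": "alice", "status": "open"}
    print(classify("customer", "order", "update", True, alice_own))      # None
    print(classify("customer", "order", "delete", True))                  # EoP
    print(classify("clerk", "price_list", "read", False))                 # DoS
```

Each non-None result is the root of an attack tree in Trike's process: the analyst then works out how the observed deviation from the requirement model could be reached and what control removes it.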
The Visual, Agile, and Simple Threat (VAST) Modeling method is based on threat programs, an automated threat-modeling platform. Its scalability and usability allow it to be adopted in large organizations throughout the entire infrastructure to produce actionable and reliable results for different stakeholders.
Recognizing differences in operations and concerns among development and infrastructure teams, VAST requires creating two types of models: application threat models and operational threat models. Application threat models use process-flow diagrams, representing the architectural point of view. Operational threat models are created from an attacker point of view based on DFDs. This approach allows for the integration of VAST into the organization’s development and DevOps lifecycles.
The Operationally Critical Threat, Asset, and Vulnerability Evaluation (OCTAVE) method is a risk-based strategic assessment and planning method for cybersecurity. It was created by the CERT Division of the SEI in 2003 and refined in 2005. OCTAVE focuses on assessing organizational risks and does not address technological risks. Its main aspects are operational risk, security practices, and technology.
OCTAVE has three phases.
Jedi Security Architecture and Configuration review can help identify gaps in your security framework across Network Security, Identity and Access Management, Infrastructure Security, Device Mis-configurations, Application Security, Data Security, Security Operations Architecture and Cloud Security. A detailed assessment of your security architecture, from policies to technical controls, ensures that hidden risks threat actors are likely to exploit are identified and mitigated, helping you protect your business from the evolving threat landscape and stay compliant with regulatory requirements.
Assessment of Software Development Life Cycle (SDLC), Integration of Application Security Architecture, Web Application Firewalls, Encryption, Secure Communications between Applications and Databases and Endpoints, Application Cryptographic Solutions, Application Controls Against Existing Threats and Vulnerabilities, and Application Security Approaches for all System Components (mobile, web, and thick client applications; proxy, application, and database services).
Our Application Security experts combine extensive human knowledge and deep tool integration with manual testing methods to protect you against vulnerabilities automated tools cannot find alone.
Application Attack Surface penetration testing replicates the attack methods of an opportunistic hacker by confirming and exploiting security weaknesses found during an automated vulnerability assessment. As a time-limited test, it’s a perfect fit for those whose security strategy demands protection against opportunistic attacks.
The Authenticated application penetration testing package simulates a hacker who has phished valid user credentials or infiltrated your perimeter defenses. This longer time-limited test expands on the Attack Surface test and is ideal for organizations who need a detailed test to model an attack by a more determined cyber-criminal.
SAST is also known as white-box testing, meaning it tests the internal structures or workings of an application, as opposed to its functionality. It operates at the same level as the source code in order to detect vulnerabilities. Since the SAST analysis is conducted before code compilation and without executing it, this tool can be applied early on in the software development life cycle (SDLC). Most SAST tools support the major web languages: PHP, Java, and .Net, and some form of C, C++, or C#.
The Jedi Security advantages of SAST include:
DAST is a black-box testing method, meaning it is performed from the outside in. The principle revolves around introducing faults to test code paths on an application. For instance, it can use threat data feeds to detect malicious activity. DAST doesn’t require source code or binaries since it analyzes by executing the application.
Jedi Security DAST benefits are:
IAST uses software instrumentation to assess how an application performs and detect vulnerabilities. IAST has an “agent-like” approach, meaning agents and sensors are run to continually analyze the application workings during automated testing, manual testing, or a mix of the two.
The process and feedback are done in real time in your integrated development environment (IDE), continuous integration (CI) environment, or quality assurance, or while in production. Jedi sensors have access to:
RASP is capable of inspecting application behavior, as well as the surrounding context. It captures all requests to ensure they are secure and then handles request validation inside the application. RASP can raise an alarm in diagnostic mode and prevent an attack in protection mode, which is done by either stopping the execution of a certain operation or terminating the session.
Jedi RASP technology possesses the following advantages:
Open Source Security, commonly referred to as Software Composition Analysis (SCA), is a methodology that gives users better visibility into the open source inventory of their applications. This is done by examining components via binary fingerprints, utilizing professionally curated and proprietary research, matching accurate scans against that proprietary intelligence, and providing developers this intelligence directly inside their favorite tools.
It’s no secret… developers use open source software.
Still, there are questions around how it should be managed – and for good reason.
Here’s why:
Need a secure SDLC design strategy, threat modeling services, vulnerability management, penetration testing, integration/automation, eLearning and/or program management? Jedi Security can help accelerate the maturity of your application security program.
Our Jedi Application Inventory Management (AIM) Platform is a way to visualize your application architecture and all of its surfaces and dependencies. This powerful tool provides insight and clarity around program structure and data flow. A clear understanding of these details is important for prompt, smooth application maintenance, updates, and upgrades with minimal downtime.
As DevSecOps grows in popularity, we’re seeing the rise of other trends aimed at bridging the gap between development, operations, and security teams. One popular concept now is the creation of a Security Champions program.
The program is designed to improve security within companies by awarding developers a “Security Champion” title. These individuals then act as a conduit between security and development teams to promote communication, knowledge sharing, and collaboration.
Together, they work with their respective teams to champion security concepts, celebrate successes, and promote security hygiene throughout the build process for developers.
Bug bounty programs are designed to identify the vulnerabilities that exist in an organization’s systems today. However, if an organization and its developers don’t learn from their mistakes, then bug bounties can add up quickly, as they are likely to keep creating the same vulnerabilities.
The course will focus on common security threats to web applications and what countermeasure strategies are available. The primary aim of the course is to educate developers, designers, architects and organizations about the consequences of the most common web application security vulnerabilities and the methodology to protect against such vulnerabilities.
The course draws upon various published research and best practices in this area, like OWASP top 10 web application attacks, CERT, Microsoft’s writing secure code, Web Application Security Consortium, CVE database published by MITRE, etc.
Course Outline:
Application security standards are established by leading industry research and standards bodies to help organizations identify and remove application security vulnerabilities in complex software systems. We help define and publish application standards and policies for your organization using:
Industry-Proven Application Security Expertise
© 2021 – 2022. Jedi Security Inc. All Rights Reserved.
We understand that risk mitigation extends beyond periodic assessments, code remediation, and training. Jedi Security has the capabilities to assist your team in implementing strategies, technology, and policies that align with your organization and development methodologies.