
How Outpost24 Secures the SDLC

13.Jul.2020
Eren Cihangir, Sales Engineer at Outpost24
At Outpost24, we’re committed to providing information security testing solutions to not only fit seamlessly into the SDLC, but also to enhance our customers’ experiences in implementing and maintaining their best practices to ensure their SDLC leads to a strong security posture and comprehensive resiliency around their full stack.

Information technology is the core of every sector of industry and business in the modern era. Organizations are moving toward greater efficiency, productivity, and availability using advanced software and cloud-based solutions, and during this transition a common concern has emerged: the threat of compromise for web applications and DevOps pipelines.

In acknowledging the risks presented by malicious attackers and exploits while simultaneously improving the lifecycle of technology platforms, many organizations have begun to focus on what is known as the Software Development Life Cycle (SDLC).


Web application security starts with full stack security

Implementing a Software Development Life Cycle which is robust and secure requires a great deal of investment, time, and effort. As technologies have improved and cloud offerings have become more readily available, the attack surface for many organizations has changed drastically from the old formulas of bygone eras. However, the driving concepts remain fundamentally the same: servers, databases, user systems, and many other types of machines are used for a multitude of tasks within any organization, and the SDLC is comprised of the same parts. We call this the full stack. The difference is that today, where a server may once have been hosted in a local data center, it may now be hosted by any of many external entities, sometimes even across the globe.

Malicious attackers have kept up with this and are even in the position to leverage these new technologies to take advantage of their targets. They have always viewed the full stack as fundamental to their activities; when you cannot break past a firewall, try to break the web server. When that fails, move on to their users. When that fails, try third party providers. If an attacker genuinely wants in, every avenue becomes a potential door to unlock. They will attempt to compromise every aspect of the full stack.

Outpost24 has been in the business of penetration testing for decades, and through our experience it has become clear that the best protection comes from approaching the attack surface by acknowledging how attackers think. This means ensuring complete coverage of the full technology stack through an integrated approach. Securing the SDLC is a major component of this, so the Outpost24 solutions are designed to address DevOps security with the same comprehensive approach.


The Secure SDLC and how our tools support it

  1. Secure code from the start
  2. Automate application vulnerability assessment
  3. Detect vulnerabilities in the critical API layer
  4. Simplify security for cloud DevOps
  5. Protect critical web applications
  6. Improve application security controls


1. Secure Code from the Start

Developers as First Line of Defense

In partnership with Secure Code Warrior, Outpost24 enables users in any part of the organization to improve security hygiene and practices across the many vectors they interact with daily. Using gamified security awareness training, everyone in the organization learns best practices in soft and physical security through everyday interactions. Developers are given a deeper insight into the role they play in securing the apps they code through visual examples of real-time vulnerability exploits in web and localized coding samples, shifting security hygiene to the start of the SDLC.

Secure Code Warrior includes:

  • SaaS solution for easy access and setup
  • Customized course management for each part of the organization
  • Dynamic in-browser vulnerability proofs and lessons on coding best practices
  • Support for multiple programming languages
  • Scoreboards to motivate users in friendly competition to complete their assignments

Powered by DefenseCode ThunderScan, our Static Application Security Testing (SAST) solution works hand in hand with your DevOps workflow, ensuring security risks in application source code are identified early in the SDLC. It enables your developers to better understand security issues in code and to ensure that application source code compliance standards are met without the need for security domain knowledge.

Our SAST solution includes:

  • Full DevOps integration with easy REST API and SaaS solution
  • Support for all major development languages and frameworks
  • Dependency check component to detect publicly disclosed vulnerabilities contained within a project’s dependencies with associated CVE entries
  • Easily check compliance requirements such as PCI-DSS, SANS/CWE Top 25, OWASP Top 10, HIPAA, HITRUST or NIST
  • Fast and accurate analysis and precise results with less than 5% false positive rate

2. Automate Application Vulnerability Assessments

AppSec Scale, our Dynamic Application Security Testing (DAST) solution, provides critical assessments at scale during the SDLC, rapidly and efficiently, with quick-and-easy configuration paired with powerful automatic assessments informed by our industry-leading scanning technology. With an accessible REST API, Selenium integration, and automated reporting, AppSec Scale is designed to deliver the high-quality details needed to enable each iteration of the SDLC to confidently address issues before they are released to the next phase.


AppSec Scale includes:

  • SaaS or on-premises deployment scenarios in multiple environments, including major Cloud providers
  • Unlimited & continuous assessments with flexibility to fit any SDLC
  • Prioritization of risks combined with intelligent resolutions designed to optimize return on time investment
  • Fully-fledged REST API with unlimited use built to fit seamlessly into any SDLC
  • Best for web apps in production or preproduction environments, where continuous, accurate, automated web application scanning is required during the SDLC and beyond.


3. Detect vulnerabilities in the critical API layer

The API layer is the lifeblood of any application enabling the extraction and sharing of data in an accessible way. A poorly secured API can expose a large attack surface for any system and data connecting to it, and API abuses frequently result in massive data breaches for enterprises.

Our API testing tool, APIsec.ai, performs security checks against critical data access controls (including RBAC and ABAC) on a continuous basis, while plugging into CI/CD workflows through automation to shorten test cycles and ensure fast release:

  • Automated scanning of any API with OpenAPI/Swagger standardized documentation
  • Highly effective version control, history, notifications, and reporting options
  • Hundreds of "Playbooks" to automatically detect the appropriate tests for all API endpoints
  • Detailed remediation and guidance to address all vulnerabilities


4. Simplify security for cloud DevOps

CloudSec Inspect, our cloud assessment solution and container security offering, gives a real-time window into the ongoing security hygiene of the multi-cloud footprints of businesses on the bleeding edge of technology adoption. AWS, Azure, and GCP each offer unique capabilities and challenges for security professionals and DevOps teams alike, and managing the associated risks has proven challenging for many organizations with even just one of these providers. CloudSec Inspect brings actionable, prioritized results from each of these assets into a single pane of glass, enabling organizations to easily secure their most critical assets and stay confident in their cloud security posture.

CloudSec Inspect includes:

  • Real-time, API-driven benchmarking of Cloud and Container configurations
  • Best in class remediation guidance for industry standards in Cloud security best practices
  • Dynamic data visualization and reporting options delivered through a single pane of glass


5. Protect Critical Web Applications

SWAT, the premium AppSec solution from Outpost24, combines the best of tools, processes, and human intelligence to bring our customers undisputed confidence over the security of their applications. Leveraging the long-held experience and proprietary tools of Outpost24 penetration testers, SWAT delivers best-in-class vulnerability exposure and business logic assessments directly to the SDLC to secure every build from development through to production. Offered through our “single pane of glass” web portal, developers and security officers alike can access detailed recreation flows, remediation advice, verification requests, and open discussion with the penetration testers in an instant. Throughout the license duration, our pen testers intelligently group and contextualize their findings to empower your SDLC with confidence in the overall security posture and resilience.

AppSec SWAT includes:

  • Real-time vulnerability assessments executed by experienced personnel
  • Delivery through SaaS platform for easy access and administration
  • Automated reports and alerts, and one-click requests for verification of findings
  • Business logic and contextual vulnerability testing to find the most surprising and unusual risks
  • Authorization and authentication issue identification, both horizontally and vertically
  • Full coverage of the OWASP testing guide and more
  • Best for business-critical apps that require deep analysis of vulnerabilities continuously.


6. Improve application security controls

Snapshot, akin to SWAT, offers in-depth AppSec security testing with the same high-quality results in a shorter window of time. Instead of a twelve-month duration, the Snapshot license is limited to 30 days. As with the SWAT service, our experienced penetration testers find and reveal issues in business logic and vulnerability exposures in your critical applications within this shorter window of time, allowing budgets more flexibility and the option to dynamically assign workloads to different parts of the organization. In addition, the Snapshot service is designed to enable agile development teams to execute in-depth examinations with repeatable verification testing quickly and efficiently, avoiding contracting and legal barriers through simplified licensing and enabling Snapshot requests to be submitted through our “single pane of glass”.

AppSec Snapshot includes:

  • Easy-to-do engagement requests submitted online and commenced within days
  • Real-time vulnerability assessments executed by experienced personnel
  • Delivery through SaaS platform for easy access and administration
  • All the same features as SWAT delivered within a shortened timeframe


Assure, the “younger sibling” of Snapshot, offers quickfire AppSec security testing with similar high-quality results in a shortened window of time. The differentiator is its depth, since not all apps are equal. At Outpost24 we recognize that while all applications may pose external risk for the client’s organization, businesses looking to prioritize their risks and budget accordingly still need options to cover exposure that is of less overall significance, in order to feel assured in their security without breaking the bank. This is where Assure comes into play. By enabling our customers to execute Assure penetration tests rapidly at an efficient price point, they can find confidence in their risk exposure on a multitude of applications while remaining agile and ensuring they are compliant with the latest web security requirements.

AppSec Assure includes:

  • Easy-to-do engagement requests submitted online and commenced within days
  • 3-day testing to find the most critical and common vulnerabilities, free of false positives
  • 30 days of verification requests to follow up and ensure resolutions are effective
  • Delivery through SaaS platform for easy access and administration


Shifting Left

The SDLC structure enforces the methods by which developers incorporate new features and code into their applications, and with security being one of many core components there is always the risk that things will be missed. Good practice in security hygiene therefore attempts to catch flaws earlier in the process without losing sight of production. That is why Outpost24 has built a portfolio of security offerings with the full stack model in mind, enabling our customers to “shift left” and catch issues earlier in the SDLC, ensuring each cog is oiled and every screw tightened.


By incorporating our solutions and embracing the “shift left” methodology in their SDLC, security teams and DevOps realize high confidence in the resilience and protection of their production applications, thus shrinking the attack surface and denying would-be attackers the chance to exploit them. Through the combination of easy-to-manage tools, RESTful APIs, and cross-departmental solutions, Outpost24 offers a solution portfolio that makes it an excellent strategic partner for shifting left and securing your full stack.


*All our application testing solutions cover OWASP top 10, CWE, WASC and CVE findings
