Why is this needed?
Far too often, security is addressed too late in a project lifecycle, treated as a final hurdle to clear before ‘go live’. This is problematic when issues are identified at that stage: remediation will certainly be more costly than it would have been had the issues been identified earlier in the project, and time constraints may make remediation an unpalatable proposition, leading to a stance of risk acceptance.
Remediating issues at the design or build stage is quicker and cheaper than going back after implementation. Addressing issues post-implementation will often require additional analysis, testing, and design work to resolve.
Isn’t ‘shift left’ about DevOps?
Shift left is a change in paradigm to engage security earlier in the delivery or project process; it is not specific to DevOps.
How Nuvolo Sicuro Approaches Project and Delivery Security Assurance
Nuvolo Sicuro’s approach is to work with projects and delivery initiatives from early in the lifecycle. Through continuous assessment and direct feedback, we inform the security perspective across a number of areas. Collaboration is key: an honest and open dialogue between security and the project is fundamental, and achieving it gives business stakeholders and decision makers early visibility of risks and adequate time to determine the appropriate risk treatment.
Our approach is agnostic of delivery methodology and works within an agile or waterfall framework. The areas we assess are proportionate to the project or delivery being undertaken. Not all areas require assurance: a small code change would not require threat modelling, whereas a large delivery of a new system cannot be adequately assured with only supplier due diligence.
- Initial assessment and scoping
- Threat Modelling
- Contractual review / Supplier Due Diligence
- High level design review
- Detailed system design review
- Assurance testing