“CODE”: SMART AUDIT (SAST, DAST), CI/CD, RISK & THREAT MODELLING

/* capabilities */

Code is a vast and complex, multi-disciplinary area, generally tackled with a hacker-first mentality by traditional Pen Testing firms operating in a deploy, operate and monitor model. Whilst this is a valid approach, true DevSecOps Engineering is part of the process in which code is planned, built and tested in the context of a CI/CD pipeline. Our capability in this field is extensive and drives transformations not only in cyber, but in process, tool chains and ultimately developer culture.


Our Approach

Chaleit’s “Code” capability is designed to transform code quality, tool chains, the CI/CD and SDLC from a Cyber Security perspective using threat modelling and a developer-first mentality.


CODE REVIEW, DYNAMIC TESTING & SHIFT LEFT?

Chaleit’s “Code” capability is embedded in global organisations from Cloud Service Providers, manufacturing, digital / software houses, energy, transport, logistics and global shipping organisations.

Our capability in Code is extensive and challenges the norm. It sits on a spectrum of approaches, from traditional Pen Testing approaches to Code Review (SAST and DAST), through to “shifting left” (morphing our approach gradually from security expert to experienced developer with security skills), and ultimately to being an integral part of the CI/CD and SDLC.

Code Review Tools
These present a first filter and quality gate to find bugs as they are introduced, and are generally noisy, full of false positives, and extremely hard to tune. Chaleit works as an embedded team to help you “drive” effective usage of your own security tooling in the context of your CI/CD, toolchain and SDLC process. This involves what we know generally as SAST (Static Application Security Testing) and DAST (Dynamic Application Security Testing).

SAST
Either by using your own tooling, described above, on a per-project/code-stack basis, or by having our teams apply scripted or manual review techniques to key code repositories and libraries.

DAST
We combine static assessments with testing against live sites to create “dynamic” testing. The benefit is that we can see, live, the effects of parameters being passed to databases or web service calls.

All three techniques have their own degree of value but all benefit from the different perspectives of an expert security testing team driving the process.

The degree of interactivity you choose between our teams is very much dependent on your objectives; however the feedback loop is essential for reviews. We take great pride in sharing — through your report or interactive Q&A/feedback sessions — not only what is found in such reviews but also sharing with your development team the “how” and “why” bugs and findings came to be. We can even run a session for your developers to contextualise our findings and support you in your communications internally.

SDLC & DevSecOps Advisory

Software development practices recognise more and more that the best and most effective way of risk reduction and ensuring security best practice is to bake it in during the Software Development Life Cycle (SDLC).

Good security design does not mean compromising functionality, adding complexity or creating new problems. Baking security into the SDLC and being part of the CI/CD can be viewed as simply another measure of quality and protection by design. This is why we designed Chaleit’s DevSecOps Engineering “As-A-Service” programme.

Embedding technical expertise is a clear solution. Working together throughout the SDLC drives sound application security design. The capability is highly bespoke and customised to each client, with a number of implementation options all designed to add value, transfer knowledge and drive security quality:

  • Advisory in the design and scoping phase: getting the design right, at the outset.
  • Integrating as a core part of the team as a subject matter expert for advice, solutions and knowledge.
  • Security code review and dynamic testing: reviewing code for bugs as it is being created, and continual testing as a parallel activity stream.

Ultimately Chaleit’s “Code” capability integrates with your DevOps to drive or create DevSecOps accountability in your development life-cycle and to simplify good security practice with your software teams.

DevSecOps is compatible with normal Agile processes, and our goal is to aid decision making and take action at the same rate as, and in conjunction with, your SDLC.

DevSecOps Engineering

A significant opportunity to resolve who owns security in your end to end product.
