Security Risk Advisor

Model, Measure, Respond and Monitor
Application Security Risk

Managing Security Risk Throughout the SDLC

Identifying Return On Security Investment against each Security Control

Overview

Reduce Overall Costs Associated with Poor Security

• Understanding the risks during design time
• Dramatically reduce the cost of manual threat modeling
• Defining the right security requirements at design time
• Providing developers and testers with actionable and specific advice
• Target security training at specific problem areas

Improve Portfolio Wide Security

• Managing application risk across the entire portfolio
• Identify the highest risks to the organisation in real time
• Identify development teams and/or projects that are struggling to implement security correctly

Operational Benefits

For Architects and Developers:

• View a list of security requirements to implement based on input of your technical architecture, planned features and security context of the application
• View the security risk associated with each control
• Provide code examples for each control
• Allow them to reject a proposed control and push back to security team
• Track control progress
• Integrate with bug tracker to avoid duplication 

For Testers and Developers:

• Describe how to test a control
• Track the test result
• Automatically import test results from Junit, Jbehave and others
• Import SAST and DAST test results from ThreadFix

For the Security Managers:

• Produce an application risk model in 5 minutes
• Suggest recommended controls for every risk
• Manage risk response: Accept, Mitigate, Expose
• Set expiry dates on controls
• Provide advice:
  • Which controls provide highest ROI
  • Reminders when controls are about to expire
• Provide analytics:
  • Devs claim to have implemented a control, but the tests say otherwise
  • Which types of vulnerabilities are most common (directs training)
  • Show overview of risk for entire app portfolio