Secure by design

Improving security practices in the design phase of software is the most cost-effective way of increasing application security. Many issues can be outright prevented from being developed in the first place.

Sadly, security efforts are seldom targeted at this phase. Often due to a lack of experience with the practices involved. Learn more about them on this page and how we can help.

Threat modeling

Threat modeling is, in a nutshell, thinking about the security of new features before they are developed, and this in a structured way. The nature of threat modeling makes it one of the most cost-effective ways to improve security as it reduces the amount of development work, eliminating bugs and the need to refactor bad code or architecture.

Threat modeling is useful for companies of all sizes and should be an integral part of your development cycle. We can train your employees or provide a security expert to take part in your threat modeling exercises.

Our way of working

Threat modeling should be an integral part of your Software Development Lifecycle. It is not something you do once and forget, but continually practice during development.

Everybody can help during threat modeling. In fact, having diverse subject matter experts with varied viewpoints results in better threat modeling results. That's why, besides a security expert to lead the exercise, we also include developers, product owners, technical architects, testers and devops specialists in threat modeling exercises.

The threat modeling exercise will result in a list of possible threats to the application. Some may be small and acceptable or easy to mitigate, others might require a redesign of (parts of) the architecture. What they have in common is that the solutions can be implemented before the bad code was developed and put in production. Fixing a flawed architecture is magnitudes easier when not yet released and in use.

The results of threat modeling exercises are documented and used as a starting point when new features are developed. Different parts of the architecture are often interlinked or have impact on each other.

Architecture assessment

Architecture assessment takes basic security mechanisms and looks to see if they are applied correctly in your architecture and design. Although a close cousin to threat modeling, architecture assessment tackles the problem from a different angle and can find other issues than threat modeling.

If you need verification that your application's authentication, authorization, data protection, key management or other security mechanism is designed correctly then you need an architecture assessment.

Our way of working

An architecture assessment starts from the design and architecture documentation already present in the organization. This is then augmented and verified by talking to relevant team members.

Depending on the scope of the assignment we will investigate the correct design and implementation of basic security mechanisms such as authentication, authorization, user and rights management, secure communication, data protection, key management and log management.

The results of the assessment will be presented in a report with an overview of the current security of the architecture and possible improvements.

Security awareness training

Training employees for security awareness can prevent many security issues. Promoting a security culture will ensure employees keep security in mind when doing their daily work.

Depending on your unique challenges we will help you develop a security training program. This can mean developing material for in-house training or outsourcing training to a specialized organization. We can also advice on how to promote a culture of security throughout your organization.

Our way of working

We start by asking the question: \"What security training is required for this company?\" This will result in a security training program that tells exactly what security skills employees are required to have and how we will train them. This can be in-house, external or a combination of both.

In-house training has the advantage that it can be highly customized for your business. This does require a significant effort to create training material and keep it up to date. We can assist in creating this material.

External training, although not specifically customized for the business, can be very cost-effective in providing a good, general understanding of security practices. We provide some of these trainings ourselves but will also refer you to other more specialized partners.

While individual training is good and important, promoting a culture of security is necessary to make employees aware of the importance of application security for the business. We can help you implement a program to promote this culture in your business.
Our mission

Secuma helps technology companies develop more secure applications. We encourage and guide the integration of security best practices in the entire Software Development Lifecycle, improving the security of your applications and stopping issues from becoming incidents.

Company

infosecuma.be
Sels Software & Security BV
Hoogputstraat 22B
3690 Zutendaal
Belgium
BE0748911858

Thank you for visting Secuma |
Pictures courtesy of Unsplash