Case Studies

Situation

Organization is growing rapidly through M&A. Significant prospective client initiates third-party audit. Audit mandates:

• Streamline delivery by practicing “shift-left” security with greater reliance on automation
• Define a security issue prioritization process that evaluates identified issues against the technical and business risk factors
• Utilize a software composition analysis tool to check third-party libraries for CVEs
• Implement recurring, required security training for development teams
• Empower security champions in software development teams

Approach

Layer 8 Security assigned a program manager and DevSecOps/security SME(s).

• Evaluate, select, and integrate SAST and SCA automation to identify risks
• Develop security training for all contributors to promote a security-focused culture
• Optimize vulnerability remediation workflow to reduce time and effort to address

Conclusion

Layer 8 Security guided the creation of a secure development program

• Identified existing vulnerabilities capable of service disruption or information disclosure and refined the remediation process
• SDLC policy documents updated to require security testing prioritization each sprint reducing attack surface
• Greater understanding of potential vulnerabilities, the tools used to identify, and the remediation process achieved through in-depth training sessions
• Security Champions empowered to improve the program and spread knowledge to new contributors

Key Success Factors

• Leveraged participation from the nominated Security Champions to spearhead the adoption of security testing in the SDLC
• Maintained flexibility in automation integration and reduced disruption to existing and future project timelines with customized implementation
• Included Security, Development, QA, and Project Management contributors in decision-making and training, to share ownership of new SDLC processes