Risk mitigation extends beyond periodic assessments, training, and code remediation. nVisium is here to assist your team in continuously implementing security strategies, technology, and policies that align with your organization’s goals and development methodologies. nVisium’s Continuous Security Model is based on the goal of identifying and remediating security vulnerabilities in rapid cycles. This provides value to the security and development teams by increasing the number of identified vulnerabilities while simultaneously decreasing the time to remediate.
A manual security assessment will target key points within the application. Code that has a direct impact on access control, authorization, database queries, and business logic will be reviewed for security weaknesses. Assessments will be performed in a hybrid fashion (code and dynamic review) when code is available. This service will be performed on a monthly basis or when there is a need for testing, such as an upcoming release.
Automated dynamic and static assessments will be used to augment the Manual Security Assessment and allow for complete coverage of the client’s code base under review. After configuring and running the tool, nVisium will review the findings generated by the tool for validity and accuracy.
As part of the validation process for both the manual and automated reviews, nVisium will create Proof-of-Concept (PoC) attacks and test those attacks against a locally running non-production version of the site. This will help nVisium assess the actual risk level of a security finding and ensure that only legitimate issues are reported at the appropriate risk level.
Our code remediation service was designed to act as an extension of your development team to ensure you don't end up with a pile of unresolved bugs and security debt. We can augment your team by following their methodology as we submit the code fixes.
This part of the process is what separates nVisium from traditional security consultancies. In addition to the aforementioned assessment efforts, nVisium will develop, test, and deliver patches for those vulnerabilities it identifies. This will reduce the time issues are open and reduce the risk they present to the organization. It will also reduce the workload for both the security and development teams.
Static code analysis is a powerful method for finding defects in raw source code; however, without proper implementation and optimization, tools are often ineffective. By understanding your environment, nVisium can help tune your scanning tool to effectively identify vulnerabilities and eliminate common false positives. Engineers can focus on remediating the true issues without being overwhelmed deciphering what is valid.
The tools used to find vulnerabilities are often solely focused on scanning the application’s files. However, when tuned for integration with the build environment, the end result is a more efficient, thorough, and actionable scan. nVisium works with our clients to ensure that the scanning tool provides the best possible results to maximize test coverage and reduce false positives and false negatives. This is paramount to ensure early detection and efficient remediation of security vulnerabilities.
The effective use of security tools is an important part of establishing and maintaining an application security testing program. nVisium will help the client get the most out of their existing toolset by: