Aujas US

An IDG Ventures Company

Secure Code Development Is in Your Future

Microsoft SDL Pro Network Is at the Forefront – and Aujas Is There

Secure code development will become a standard in the near future, according to industry experts at Network World. As the Federal Government continues to require cyber supply chain assurance, you won’t be able to sell any technology products to the government unless you adhere to a Secure Development Lifecycle (SDL) model. Other critical infrastructure industries such as financial services, utilities and telecommunications are adopting these requirements as well.

The Microsoft SDL is a security assurance process that combines holistic and practical approaches, and introduces security and privacy throughout all phases of the development process. Microsoft made its own SDL public as part of its commitment to protecting customers and enabling a more trusted computing experience.

Member of the Microsoft SDL Pro Network

Aujas is now a member of the Microsoft SDL Pro Network. As a Network member, we are part of a group of security consultants, training companies, and tool providers that specialize in application security. Network members have substantial experience and expertise with the Microsoft SDL methodology and technologies.

According to David Ladd, Principal Security Program Manager at Microsoft, “We are very happy to have Aujas join the SDL Pro Network.  As an IDG company with a global presence, Aujas will help organizations around the world improve their software security process to overcome security and privacy issues.”

Adds Karl Kispert, Aujas Vice President of Sales, “Our vision is to manage risk and enhance information value for our clients. By implementing the SDL framework, we can help our clients manage their software risk, meet compliance requirements, improve software quality and enhance information value.”

The services Aujas offers as a Network member are designed to span the entire lifecycle and make security and privacy an integral part of how software is developed. Specific capabilities include:

  • Training, Policy and Organizational Capabilities, including security training and advice on how to implement the SDL
  • Requirements and Design, including risk analysis, functional requirements and threat modeling
  • Implementation, including use of the banned API list, code analysis and code review
  • Verification, including fuzzing and Web application scanning
  • Release and Response, including final security review (FSR), penetration testing, and response planning and execution

Aujas’ Secure Development Life Cycle Services assist in recognizing and avoiding security pitfalls during the software development lifecycle, and also correct security problems once they arise. They transform the Software Development Lifecycle into a Secure Development Life Cycle.

Our Strategy and Planning services help organizations categorize applications according to the risk each application presents to the business, and formalize the corresponding security requirements.

The Aujas Application Architecture and Design Review services check whether all security elements have been considered during the design phase and give architects feedback so they can adjust the design for maximum security and privacy.

To find out how Aujas can help you implement Microsoft SDL, contact Karl Kispert, our VP of Sales.


January 4, 2011 | Posted in: IT security, Risk management, SDL, Secure code development

Ephemeral Borders: Privacy and Security of Data in the Cloud

Business is expanding across national borders at an accelerating rate. Most corporations of significant size have facilities in many countries. Cloud applications and storage offer savings and efficiencies, such as 24/7 availability of data and applications, enhanced access and elimination of costs associated with server maintenance. Multinational corporations considering implementation or expansion of Cloud use should, however, tread cautiously, and obtain guidance on applicable privacy and security issues.

For example, litigation or government oversight proceedings involving such companies may result in demands for data originating in, say, France, yet stored in Cloud repositories in other countries. The servers will, for the most part, be located beyond the borders of France. Personal data, which includes emails by definition, is subject to the European Union Privacy Directives and local enabling law, which hold that the personal data of an individual may not be sent outside the European Economic Area (the E.U. member states plus Norway, Switzerland, Iceland and Liechtenstein) without the individual’s consent. Appropriately informed consent documents, then, must be drafted. Additionally, no data of any kind may be sent outside France, pursuant to the Blocking Statute, for use in a foreign judicial proceeding. Other states, such as Switzerland, have similar statutes. Criminal penalties lie for violation of these provisions. Data sent to Cloud repositories, then, with the intent of onward transfer for litigation, may run afoul of these laws. In addition, the Data Protection Authority of the German state of Schleswig-Holstein recently opined that it is a violation of German law to send data to Cloud repositories whose servers are located outside the European Union.

Those companies registered with the U.S. Safe Harbor Program would need to amend their registrations to cover personal data held in Cloud repositories. The Service Level Agreements with the Cloud providers must contain provisions for E.U. levels of security and privacy in the Cloud repositories (other countries where the company does business will have similar provisions) or, perhaps, provisions that the data will not be transferred to or stored in locations outside the country in which the data were created.

Finally, multinationals considering the significant economic and security advantages the Cloud offers would need documented protocols for Legal Holds on data in Cloud repositories. Legal Holds are considered “processing” of data in the E.U., and must be carried out in a manner consistent with the Privacy Directives, including for retrieval and production of such data to governmental agencies and courts.

Security consultants, working closely with U.S.-based counsel experienced in cross-border data disclosure conflicts, can assist in navigating the byways of this new and complicated area of information governance.  This is where Aujas can help.

This article was provided by Kenneth N. Rashbaum, Esq., Rashbaum Associates, LLC.

January 4, 2011 | Posted in: Cloud Security, Data Leak Prevention, Risk management

Operating in the Cloud – Sunny with a Chance of RISK!

Here is a list of some of the most important risks of operating in the cloud today:

  • Loss of governance
  • Data protection
  • Service provider lock-in
  • Compliance risks
  • e-Discovery and litigation support
  • Management interface compromise
  • Network management failure
  • Isolation Failure
  • Insecure/incomplete data deletion
  • Malicious insider

A risk-based approach is the only way to assess a cloud computing deployment decision.

Establish detective and preventive controls specific to each cloud deployment model:

  • SaaS – Browser patching, endpoint security, access reports
  • PaaS – Browser patching, hardening, endpoint security, access reports and vulnerability scanning
  • IaaS – VPN, configuration and patch management, host IDS/IPS, VirtSec appliance, access reports, vulnerability scanning, logging & event management

Identity management is a key area of preventive control focus for all service models. For more information on how Team Aujas is assisting clients with security risks in the Cloud, please email me at karl.kispert@aujas.com

January 4, 2011 | Posted in: Cloud Security, Data Loss Prevention, Enterprise Security, IT security