Aujas US

An IDG Ventures Company

Managing Risk of Privileged Access and Activity Management

Managing the risk of privileged accessThe Problem
As organizations continue to leverage IT systems to support their businesses, the requirement of managing privileged users is rapidly emerging. Privileged IDs are the in-built system accounts within applications, operating systems, and databases. Additionally, user accounts that are created for administration of systems are also privileged IDs.
These IDs have higher and generally unrestricted authority associated with them to allow efficient system maintenance. As a side effect, these IDs can also be used to make widespread changes to the business systems.

The Risk
Usually, these IDs, especially the ones that are in-built, are shared among the groups of administrators. This method of sharing highly powerful access can cause accountability concerns and non compliance with regulatory requirement, thereby significantly increasing the access risk.

Data can be stolen undetected or IT systems can be sabotaged by misusing the privileged access, since these IDs have access to systems from the backend and can bypass the control deployed for business users.

The rapidly emerging trends of cloud computing, consolidation of data centers, virtualization and hosted application services providers imply growing numbers of IT systems and privileged IDs. Any organization using significant number of IT systems like servers, network devices, desktops, or applications faces the requirement of managing privileged IDs.

Regulatory and government requirements for telecom, banking and IT verticals create an even greater need to address this requirement. Recent prominent and high profile security breaches in these verticals across the globe highlight the degree of access risk caused by inadequate privileged ID management.

What Not to Do
Limiting the privileges granted to these IDs will not mitigate the risk as it will render the useless IDs to perform its functions. Alternatively, some organizations aim to bring in accountability by assigning individual IDs to their administrators in order to eliminate sharing. This approach is helpful only for managing a small number of administrators managing few systems.

In-built IDs will still need to be shared even if administrators use their own individual IDs. To add to the complexity, some IT systems enforce a limit on the number of individual accounts that can be created to manage them. Moreover, the number of individual IDs grows multiplicatively with the increase in both the number of administrators and managed systems.

For example, an admin team of twenty managing a thousand systems can easily be dealing with more than 20,000 IDs. The cost and complexity of managing the lifecycle, enforcing password policies and access controls on so many individual IDs makes this approach suboptimal.

Mitigating the Risk
What is needed is a comprehensive and modular approach to privileged access and activity management. Privileged access and activity management is an identity management domain comprising of the same traditional building blocks of User Provisioning, Single Sign-on and Access Management, Role Management, Password Vault and SIEM tied together with robust solution design based on well thought of policies and procedures.

A good solution approach uses an iterative model to focus on each of these areas and improve them incrementally by understanding how it integrated with other building blocks. This approach allows for a modular solution which not only can solve immediate problems with least disruption and change to the existing practices, but also scale to meet the evolved requirements as the business and expectations grow.

Advertisements

July 26, 2011 Posted by | Access control, IT security, Risk management | , , , | Leave a comment

Aujas among the Most-Requested Information Risk / IT Security Firms at 2011 CIO & IT Security Forum

For Immediate Release

Jersey City, New Jersey, USA – Senior IT decision makers knew who they wanted to talk to at the May 24-26, 2011 CIO & IT Security Forum – and they wanted to talk to Aujas. The global information risk management company was among the top five most requested suppliers at the Jacksonville, FL, forum. Sameer Shelke, Aujas cofounder and Chief Operations and Technology Officer, and Karl Kispert, Vice President of Sales and Business Development, met one-on-one with close to 50 Chief Information Security Officers (CISOs) and Chief Information Officers (CIOs) who specifically requested a meeting with Aujas.

“The forum gave us the opportunity to meet with IT security executives and discuss the security issues that were keeping them up at night,” says Karl Kispert. “Phishing and application security are critical issues, and we were able to share with the execs how Aujas can help them manage risk in these areas as well as others.”

The forum, hosted by Richmond Events, is invitation-only for 100 senior IT executives with budget authority. It offers a unique experience for these individuals to get together, debate the big issues and explore collaborative opportunities. “From our perspective, the forum gave us the opportunity to meet and develop relationships with those we are most able to help,” says Kispert.

About Aujas
Aujas is a global Information Risk Management services company and an IDG Ventures funded company. It is headquartered in Bangalore, India, with its US headquarters in Jersey City, New Jersey.

Aujas consultants work with the client’s management teams to align information risk with business initiatives, so that security becomes a business driver and competitive advantage. The firm helps clients manage emerging technologies – mobile devices, social media, cloud computing – that are transforming the business environment and posing increasing security challenges.

Aujas offer global clients:
• Information Risk advisory services
• Secure Development Life-cycle services
• Identity and Access Management services
• Managed Information Risk services
• Vulnerability Management services
• Mobile, social media and cloud security services
For more information about Aujas services, contact Karl Kispert at karl.kispert@aujas.com or visit http://www.aujasus.com.

June 20, 2011 Posted by | Enterprise Security, IT security, Phishing, Risk management, Secure code development | , , , , | 1 Comment

Windows Azure: Build Secure Applications by Design

Introduction to Azure

The Windows Azure Platform is a Microsoft cloud platform offering that enables customers to deploy applications and data into the cloud. Windows Azure Platform is classified as ‘platform-as-a-service’ and is part of Microsoft’s cloud computing strategy. It provides developers with on-demand computing and storage space to host, scale and manages web applications on the Internet through Microsoft datacenters. The platform provides a cloud operating system called Windows Azure that serves as a runtime for the applications and provides a set of services that allows development, management and hosting of applications off-premises.

Windows Azure has three core components: Compute, Storage and Fabric. As the names suggest, Compute provides a computation environment with Web role and Worker role, while Storage focuses on providing scalable storage (Blobs, Tables, Queue, and Drives) for large-scale needs. Fabric makes up the physical underpinnings of the Windows Azure platform similar to the network of interconnected nodes of servers, high-speed connections, and switches.

Conceptually, the repetitive pattern of nodes and connections suggests a woven or fabric-like nature. Compute and Storage components are part of the Fabric. It also provides high-level application models for intelligently managing the complete application lifecycle, including deployment, health monitoring, upgrades, and de-activation.

Microsoft Azure Security

Microsoft Azure

Consumers are responsible for application and data security with Microsoft Azure, which is under the PAAS model

Cloud security is an evolving world with new threats and challenges. A smart customer would look at all the necessary security risks and would handle all data in cloud with clear risk mitigation plans. Security in the Azure platform is of paramount importance and Microsoft has built security controls into the platform.

Cloud computing models and the security responsibility matrix are defined in the table at right.

Microsoft’s Azure Platform falls under the PAAS model. Microsoft has implemented and provided various security features such as:

  • Identity and Access Management at all levels
  • Isolation of data through separate physical containers
  • Encryption of data in the fabric through on demand
  • Run time security Full trust versus Partial trust
  • Security libraries for security

Though Microsoft has built-in security in its architecture with App fabric and SMAPI (Service Management API), companies that move to this platform must ensure the security of their independent applications. The application developers have to use the right tools and APIs to secure and deploy the application. 

There is no “Magic Wand for Security”

Azure has ensured security at various layers within its architecture and at various VM and its Fabric engine. This security will ensure the customers that data is not leaked outside of their VM. Though Azure has security innovations to aid application development and deployment, the responsibility of securing applications is left to customer.

This means if end-customers have to build applications that are secure by design and secure by default it is in the hands of the Azure application developers and architects. Security is not static and it’s a constant threat which has to be mitigated at all levels of the application and platform. Azure provides many security API’s that could be used to protect the data and access but it’s up to the end-customer to decide what is appropriate for the kind of data that needs protection.

As the chart above explains, the PAAS model requires security SME’s with core knowledge on the platform related security, with understanding of the Windows Azure runtime trust models and the security protections and responsibilities of each cloud layer. Companies need to build complex “Gatekeeper” based design with the help of design patterns such as control access context, advisor, interceptor, and web roles patterns.

The latest addition to the foundational technologies in the .Net framework is the Windows Identity Foundation (WIF). It enables Azure developers to offload the identity and authentication logic, providing a solid development mode based on separation of concerns pattern. A simple or traditional role-based access to advanced and sophisticated access control policies can be implemented with the help of WIF.         

When it comes to cloud-based solutions, it is more important for software designers and developers to anticipate threats at design time than is the case with traditional boxed-product software deployed on servers in a corporate datacenter. Designing secure applications in Azure is about choosing the right sets and understanding the responsibilities. A traditional model of application development will result in the same vulnerable application. But with better knowledge on Azure platform, it’s possible to build more secure applications in less time and with less effort.

Developers and designers also need to understand the basics of building applications on cloud:

  • Build cloud apps, not apps in the cloud
  • Design fault tolerant systems, nothing fails
  • Design for scalability
  • Loosely couple application stacks (IOC)
  • Design for dynamism
  • Design distributed
  • Build security into every component
  • Backup application & user data
  • Distribute applications

Conclusion

Computing solutions that use Windows Azure are very compelling to companies wishing to trim capital expenditures. However, security remains an important consideration. Security architects and developers need to understand the threats to the software developed for “the cloud” and use appropriate secure design and implementation practices to counter threats in the cloud environment.

The progression from classic client-server computing, to web-enabled applications, to applications hosted in the cloud, has changed the boundaries of applications and a striving need for compliance drives security. These boundary shifts and compliance requirements makes understanding the threats to Windows Azure-based software all the more important.

May 20, 2011 Posted by | Cloud Security, identity and access management, Risk management | , , | Leave a comment

Phishers Target Social Media, Are You the Victim?

Phishers target social media

Phishers are targeting social media. Your company and employees have to play their part to fight them.

Social media has been all the buzz recently. While I am writing this post, there are more than 500 million active users on Facebook, with 50% of them logging on at least once a day from their office, home, coffee-shop, school, or while mobile. Today many organizations have an active presence across LinkedIn, Facebook or Twitter. Social media has emerged as an effective marketing tool to engage with a mass audience. As Natalie Petouhoff, Senior Researcher with Forrester Research, Inc., said, “Social media isn’t a choice anymore – it is a business transformation tool”.

This new and growing means of communication opens new channels for scammers to conduct social engineering attacks. Scammers have started using social media in a big way to retrieve vital information from users. They also use social networking malware for financial gains. Message or web links coming from immediate connections over Facebook or Twitter lead users to believe that they are genuine and there’s nothing wrong with clicking them. Scammers leverage on this fact and exploit human emotions such as greed, trust, fear, and curiosity to conduct phishing attacks. According to the latest Anti-Phishing Q2 2010 Report, there is a definite increase in social networking phishing attacks. While attacks were almost negligible in Q1 of 2010, they accounted for nearly 3 percent of reported attacks in Q2.

Any current hyped political situation, news stories, videos or mishaps are good enough to make the user click on the link and redirect to the desired (malicious) website.  The message is defined to pull your curiosity or it is made strong enough to create sympathy towards people affected by tragedy. It is very unlikely that you have not seen these kinds of messages on your wall or twitter box-

“Did you see how will u look like in 20 years from now? lol: http://bit.ly/gbdhuD 

“They need your help, Pls donate http://ntbnking.lnkd.it/jpn/donation 

“Hey, I am your old college friend! Just joined your company; why not reconnect? – http://biz.ty/23424 

“I bumped into some of your old friends the other day; they wanted me to send you this – http://facebooklink

The above websites could be asking for your Internet-banking credentials for donation to affected people, sensitive information about your organization or any other personal information which is valuable to scammers. By clicking on this link, the malware or virus gets downloaded your system is compromised.

Often scammers target one social networking site user account, compromise it using script, and this script gets propagated to the user’s friends’ accounts. This is called self-replicating malware, and uses application vulnerabilities such as invalidated redirects, click jacking, and cross-site request forgery to spread across multiple user accounts. For mobile users, it becomes even worse because it is not easy to verify authenticity of URLs.

I am sure you will agree that it is not easy to stop usage of social media completely even though there are definite risks involved. Organizations need to look beyond traditional technology controls, and look to continuous education and awareness to fight phishing attacks.

Organizations can take following steps to fight against phishing attacks:

  1. Establish a social media strategy. Clearly document and enforce what is allowed and not allowed to discuss and disclose in social networking sites.
  2. Conduct social media awareness programs which should include the rewards and risk of social media. It should also cover how to identify phish websites and differentiate between original and fraudulent websites.

As an employee, these best practices can help you avoid becoming prey of phishing attacks:

  1. Never click on a link or a bookmark which is associated with financial transactions or asks for any sensitive information; instead always have a practice to manually type URL in the address bar.
  2. Do not click on links which ask to download ActiveX or software on your system as they could be Trojan / malware which later becomes the control center to remotely control your and other systems inside the network.
  3. Ensure that the site is authentic and using secure layer (https) before providing any sensitive information about yourself or your organization.
  4. Report suspected links to your internal security team and the social networking site so that they can work with the hosting provider to bring down the phish website.

Both the organization and its employees have to play their part to fight against phishing risks over social media.

Aujas can help your company manage risk from phishing threats with its industry-leading Phishing Diagnostic Solution. Contact Karl Kispert, our Vice President of Sales, to learn more. He can be reached at karl.kispert@aujas.com or 201.633.4745.

April 27, 2011 Posted by | Cyber Crime, Identity Theft, Phishing, Risk management, Social Engineering | , , | Comments Off on Phishers Target Social Media, Are You the Victim?

Data-Breach Risk Is Not Only from Insider Threats

Data Breach Risk

Consider the threats and risks involved when you share data outside your company.

There’s a very large push within the last few years for many organizations to spend their data protection efforts mainly on the “Insider Threat” – the employee or temp with access who decides to misuse or abuse those privileges. While this needs to be addressed; it is possible that some of us may be losing sight of what may be happening on the outside.

The question to consider is: “What about the critical data assets businesses willingly send out to external organizations?”

Delivering data to external parties is, after all, a necessary part of doing business. A bank, for instance, needs to share information with auditors, regulators, suppliers, vendors, and partners. Sharing data is quite a risky activity, with an elevated probability of data loss, and can potentially have a huge negative impact on a firm’s reputation, when not properly controlled.

Here’s what you need to consider when you share data outside your company:

  • Threats

–    What or who is placing the data at risk?

–    The data, as it flows externally from your firms’ environment, is subject to many threats ranging from man-in-the-middle attacks while in transit, to social engineering hacks while stored at the 3rd party’s network.

  • Risks

–    The threats mentioned above create serious risks around a firm’s critical data assets. One is the obvious loss or breach of confidentiality or data. If your firm doesn’t have the proper data transmission controls, such as TLS, SSL or sFTP, the man-in-the-middle threat can successfully materialize the risk of data loss.

–    Such loss can then compound the risks and impact to an organization or entity, via such things as revenue loss, negative reputation, remediation cost, customer notification expense, and loss of client trust.

  • Security Controls

–    The set of controls to consider for countering threats and mitigating risks are not only those pertaining to electronic data protection, such as software/hardware encryption.

–    Think beyond technology – to Social, Governance, Operational and Process controls, to protect against such things as Social Engineering and to ensure other factors are in place including Password Policy, User-Access/Entitlements processes and Data-Security Awareness activities.

The bottom line is that once your firm’s information leaves its own environment, most of the controls you had no longer apply. Your firm’s data is now sitting on a third party’s infrastructure, and is now dependent on their data security controls and processes. This isn’t just about whether the data is being encrypted in transit to the third party, but very much about how that data is safeguarded all throughout its lifecycle. Here are some relevant questions to ask:

  • Have the proper Confidentiality or Non-Disclosure agreements been executed with the third party receiving the data from your firm?
  • Who and how many people will have access to your data while sitting out at a third party?
  • Do you know the third party’s process for giving only the limited and necessary group of people in their environment access to your data? What about the access rights to people outside their organization (such as their partners or vendors)?
    • How are the servers and firewalls at the third party configured to adequately protect your data while in their environment?
    • Does the party receiving the data have the technology and processes in place to respond to and sufficiently investigate a data-loss incident?

These are only a handful of many questions to ask before sharing sensitive information. You also need to take into account various perspectives including technological, operational and process controls.

As an example, a bank business manager decides one day to send the firm’s tax data to their CPA via plaintext email, instead of the approved sFTP or PGP encrypted email transmissions. The email is intercepted at the CPA’s ISP mail server. A rogue administrator at the ISP sees the email with critical valuable data and uses it to tap into the bank’s equity funds to steal $1.2 million.

Per the Open Security Foundation’s DataLossDB (http://datalossdb.org/statistics ) data loss statistics for YTD 2011:

“…a trend that indicates that data loss incidents involving third parties, on average, result in a greater number of records lost than incidents that do not involve third parties. This may be as a result of the type of data handled by third parties, the process of transferring the data between organizations, or other hypothesis, mostly all speculative as little data exists to establish one cause as dominant. The trend is, however, concerning.”

In the end this supports the fact that the riskiest environment for data is one that is not controlled by the enterprise owning that data. Though an insider with the access and intent can cause havoc with data on the inside, the enterprise should be able to implement the proper technical, process and operational/people controls to safeguard its own data. It is when the data leaves that environment where we’re truly no longer in control. That’s when the proper audits, interrogations and testing will assist as much possible.

Concerned about the external risks your company is facing? Let Aujas help. Contact Karl Kispert, Aujas VP of Business Development, at karl.kispert@aujas.com.

April 1, 2011 Posted by | Cyber Crime, Data governance, Data Leak Prevention, Data protection, IT security, Risk management | , , , , , | 1 Comment

Effective Data Protection Requires More than Technology

Data protectionMore companies are finding that despite their technology investments, effective data protection remains elusive. Data protection technology has become as commonplace as anti-malware technologies and most organizations implement it as a standard desktop endpoint and gateway security. The technology works using a combination of document ‘fingerprinting’, key words, and policies defined around what is allowed and what is not. The technology has matured to support endpoints and email data leakage risks as well as social networking risks. However, even with a mature technology and rigorous implementation, organizations often can find their data protection is ineffective.  

IT departments are able to quickly implement a data protection technology, but struggle with effectiveness. They are unable to bridge the gap between implementation and effectiveness, and end up with large numbers of data leakage ‘incidents’, which usually turn out to be false positives.  In many cases, organizations end up operating DLP tools in ‘audit only’ mode which completely defeats the tools’ purpose. 

This gap is usually due to the approach taken to data protection and not to the organization itself. Most organizations identify data protection as a risk and IT/IS department choose a vendor for implementation. The vendor usually ‘scans’ the file stores for ‘important’ files and policies are created to safeguard those files deemed important. While this approach seems simple enough, it is the root of the problem. IT organizations are basing policies on their own interpretation, rather than on what is important or appropriate for the business. 

Data, even if critical, may need to be exchanged with outsiders for valid business reasons. The challenge is to establish policies that allow the business to operate seamlessly while stemming the data leakage.  Another challenge is to build an ecosystem that supports this on an ongoing basis. The solution ideally integrates technology, process and a governance framework.  

 The first step is a data classification policy that clearly establishes how to classify data within the organization; the users should be made aware of how the classification policy applies. Next, the data flow within business processes should be understood to identify the type and nature of data, its classification and authorized data movement of ‘important’ data across organizational boundaries. Also, the important files, templates and data base structures that were identified during this exercise should be ‘fingerprinted’. The policies should then be configured and applied based on the authorized movement of data.

 Taking these two steps will help improve data protection technology effectiveness because it incorporates business rules for data. However, it still is a point-in-time exercise that does not address the fluid business data environment. To sustain the data protection, a governance process is required. One approach is to integrate with the data governance framework if one exists within the organization. If a data governance framework does not exist, a similar structure can be created. An additional benefit of this approach is close integration with data governance when such a framework is actually created. 

The governance function should be responsible at a high level for both the strategic and operational management of data protection. At a strategic level, the function should look at how data flows and is managed and its impact on data protection technology employed.  At an operational level, the function should look at how data protection incidents are managed, false positives reduced, user awareness on classification and protection improved.  Many organizations also employ active data protection with the use of data/digital/information rights management tools which require users to ‘protect’ based on allowed rights, time limits and expiry dates. Though the above approach remains the same for these technologies too, organizations have to spend more efforts on user awareness as their cooperation defines the success or failure of the technology. 

Though data protection technologies have changed the data confidentiality playing field completely, effective data protection cannot be achieved by the technology alone. It requires a focused lifecycle management approach for it to be more effective and sustainable.

January 24, 2011 Posted by | Data Leak Prevention, Data Losss Prevention, Risk management | , , | Leave a comment

What Is Needed for Data Protection?

Data protectionA more holistic approach is needed for protecting data that goes beyond individual tools and addresses data at its source: the business. The principles of data governance, data classification and the DLP tool need to work as one solution to effectively protect data in an organization.

Approach

  • Develop a strategy – Start by developing an organization-wide data protection strategy
  • Set up a data classification policy and a program – Individual business processes should identify and document all forms of data, its classification and its authorized movement.
  • Create a governance program – Establish accountability, roles and responsibilities for data protection and data ownership.
  • Create and ensure awareness and training for business users – To ensure that the data protection remains a strong focus within the organization, management should ensure users are made aware of their roles and responsibilities around data protection.

The Aujas Data Protection Service helps organizations extract maximum value from their investment in security technology and solutions. We build the governance framework, data protection strategy and data protection program. Then we assist organizations with data flow analysis to identify data movement within and between processes, the forms data takes, and user awareness levels. Our data flow analysis results in effective DLP policies while the governance framework and strategy translates into continuous data protection for the organization.

To learn more about the Aujas Data Protection Service, and our complete portfolio of services, please contact Karl Kispert, our VP of Sales at karl.kispert@aujas.com or at 201.633.4745.

January 24, 2011 Posted by | Data Leak Prevention, Enterprise Security, IT security, Risk management | , , , | 1 Comment

5 Hot Topics in Information Security for 2011

Hot topics in information securityAccording to the Aujas information security experts, these are the five crucial security topics that should be on the radar for business executives in 2011:

Data Governance and Data Leakage Prevention (DLP) – Some executives believe their employees know exactly what data should be protected and what data can be shared via website, conversation or social media.  These executives have a false sense of security. Many companies still do not have a strong data classification program or policy in place to educate employees on what is critical to an organization and what is not.  Some execs may also think that having a DLP tool and plugging it in is the answer. That’s like plugging in a power saw and saying you can build a house! Having a tool and knowing how to use it effectively are two different things.

Tip: Find a champion to drive your data governance and loss prevention initiative.  If your company has a CISO, this person is the most logical one to take on this role. If not, you can assemble a small team of stakeholders to work with guidance from a third party who specializes in information risk management.

Application Security – With so many applications being developed and used in companies of all sizes, some are being created without security in mind.  Some technology companies have a need to be the first on the street with a new application and are bypassing Security Development Lifecycle (SDL) protocol. They are thinking about security after the application is released and, sadly, are finding that they are spending more money to fix the application.

Tip: First perform a penetration assessment on your company’s critical applications to identify vulnerabilities. Then be proactive!  Create a framework in which security is part of the SDL.

 Social Media – The intentional and unintentional release of sensitive information via Facebook, Twitter, etc. can affect your company’s bottom line.  Your intellectual property may wind up on an underground website or, if your secrets are shared with the world, you may not be first to market with your new product or service. 

Tip: You don’t need to declare social media off limits to your employees. It is an important business tool that is not going away.  You do, however, need to understand the risks of social media, and make users aware.

 Cyber Security – Over the past year, more organizations have come to understand that there is a very real cyber security threat in the US and that the US Government cannot take care of every threat-related issue. Your company needs to develop a strong internal and external security programs to protect it.

Tip: Putting in place a robust information risk management (IRM) program is essential so that your stakeholders understand the people, process and technology risks and how they can affect your access, availability, and agility to conduct business.

Phishing – Hackers continue to use phishing, a type of social engineering, to solicit information from individuals.  Though the incidents of phishing were down in the second half of 2010, the attacks continue to get more and more sophisticated. 

 Tip: Perform a phishing diagnostic so that you are aware of the threat, specifically who in your organization is susceptible to this type of attack.

Aujas can help your company manage risk from these threats. Contact Karl Kispert, our Vice President of Sales, to learn more. He can be reached at karl.kispert@aujas.com or 201.633.4745.

January 24, 2011 Posted by | Data Leak Prevention, IT security, Phishing, Risk management, SDL, Social Engineering | , , , , , , | Leave a comment

Aujas and RSA 2011 – Come by Our Booth

Visit Aujas at RSA

Aujas is exhibiting at the upcoming RSA Conference on February 14 – 18, 2011 in San Francisco. This is an opportunity for Aujas to expand its knowledge and increase its network of industry peers and influencers. 

Please stop by booth number 343 to say hello and discuss Information Risk Management topics with Aujas co-founder Sameer Shelke and Vice President of Sales Karl Kispert.

January 24, 2011 Posted by | Enterprise Security, IT security, Risk management | , | Leave a comment

Secure Code Development Is in Your Future

Microsoft SDL Pro Network Is at the Forefront – and Aujas Is There

SDLSecure code development will become a standard in the near future, according to industry experts at Network World. As the Federal Government continues to require cyber supply chain assurance, you won’t be able to sell any technology products to the government unless you adhere to a Secure  Development Lifecycle (SDL) model. Other critical infrastructure industries such as financial services, utilities and telecommunications are adopting these requirements as well.

The Microsoft SDL is a security assurance process that combines holistic and practical approaches, and introduces security and privacy throughout all phases of the development process. Microsoft made its own SDL public as part of its commitment to protecting customers and enabling a more trusted computing experience.

Member of the Microsoft SDL Pro Network

Aujas is now a member of the Microsoft SDL Pro Network. As a Network member, we are part of a group of security consultants, training companies, and tool providers that specialize in application security.  Network members have substantial experience and expertise with the Microsoft SDL methodology and technologies.

According to David Ladd, Principal Security Program Manager at Microsoft, “We are very happy to have Aujas join the SDL Pro Network.  As an IDG company with a global presence, Aujas will help organizations around the world improve their software security process to overcome security and privacy issues.”

Adds Karl Kispert, Aujas Vice President of Sales, “Our vision is to manage risk and enhance information value for our clients. By implementing the SDL framework, we can help our clients manage their software risk, meet compliance requirements, improve software quality and enhance information value.”

The services Aujas offers as a Network member are designed to span the entire lifecycle and make security and privacy an integral part of how software is developed. Specific capabilities include:

  • Training, Policy and Organizational Capabilities, including security training and advice on how to implement the SDL
  • Requirements and Design, including risk analysis, functional requirements and threat modeling
  • Implementation, including use of banned APIs, code analysis and code review
  • Verification, including fuzzing and Web application scanning
  • Release and Response, including final security review (FSR), penetration testing, and response planning and execution

Aujas’ Secure Development Life Cycle Services assists in recognizing and avoiding security pitfalls during the software development lifecycle, and also corrects security problems once they arise. It is the transformation of Software Development Lifecycle into a Secure Development Life Cycle.

Our Strategy and Planning help organizations to categorize the applications according to the risk the application presents to the business and formalize the security requirements for the same.

The Aujas Application Architecture and Design Review services check if all the security elements have been considered during the design phase and provide feedback for the architects to adjust the design for maximum security and privacy.

To find out how Aujas can help you implement Microsoft SDL, contact Karl Kispert, our VP of Sales.

January 4, 2011 Posted by | IT security, Risk management, SDL, Secure code development | , , , , | Leave a comment