Application Security

Structuring Governance with Conviso Platform

The AppSec market has gained high visibility in recent years. As a consequence, we have seen the emergence of new AppSec tools and platforms that seek to give managers greater control.

However, we have also seen many platforms that have been repackaged and presented as a tool delivering the most diverse solutions, in a generic way and without showing on what foundation those solutions rest.

At Conviso, we don’t believe in that. We understand that tools and platforms must be built with a purpose, seeking to solve a problem and delivering the best solution within a solid and measurable knowledge structure.

In this context, we believe that a platform built on a structured method or methodology, one whose results have been tested in practice over the course of the process, rests on a much stronger foundation.

With that in mind, Conviso Platform has its foundations strongly based on methodologies and processes that focus on improving the secure development process, and one of these standards is SAMM.

ALSO READ: Conviso Platform – A complete DevSecOps platform

What is SAMM?

SAMM (Software Assurance Maturity Model) is a model developed by OWASP (Open Web Application Security Project) whose main objective is to raise the level of security in applications through education, models and standards to be followed.

To help you understand the practices of the OWASP SAMM framework, we are publishing a series of detailed articles on the subject; follow it by clicking here.

How Governance is supported by Conviso Platform

Governance is a fundamental point within the Secure Development Process, but not only there: Governance is an important concept for any activity that needs efficient and effective management. In SAMM, Governance is the business function that groups the Strategy & Metrics, Policy & Compliance and Education & Guidance practices, and the three sections below follow that same split.

Measuring and structuring the Strategy

Software security maturity can be seen as evolution across many activities, each with its own concerns.

The goal of Conviso Platform as a management platform is to help build a plan that makes the improvement points within the process visible. We understand that without a well-defined plan we will have great difficulty executing our strategy, and performing unstructured tasks would be a waste of time.

So, the goal of Conviso Platform is to help create an efficient and effective plan that allows the manager to achieve the organization’s software security objectives.

Our DevSecOps platform supports this task directly: through the asset registry, a criticality can be assigned to each of the assets that will be managed.

Once the criticality of each asset is known, we can plan more precisely how to act on each of the identified vulnerabilities.

In this way, each vulnerability gets the attention it actually deserves: we avoid spending time fixing a critical vulnerability in an asset of low priority to the business while a medium vulnerability in a critical asset is left in the background.

This view offered by Conviso Platform gives the manager proper control over their assets and over how those assets should be weighed in the correction process.

It is also part of good Governance to ensure that the knowledge acquired is used within the company itself. This is possible by creating playbooks and specific documentation of the corrections made, generating a history that is stored on the platform for future reference. This gives the company knowledge that would otherwise be lost.

Prioritizing assets and their corrections is not enough if we have no way to follow the progress and evolution of what we are pursuing.

For that, Conviso Platform presents in its Dashboard a set of indicators that make the data easier to visualize, such as the volume of vulnerabilities, the number of people trained and many others.

From the information extracted from the analyses, it is possible to create playbooks that help in visualizing KPIs.

As we stated in our article about the importance of communication, Conviso Platform allows a constant and direct exchange between team members, enabling the sharing of experiences and process improvements.

This way, we help managers to better visualize the processes in their area.

What are your policies and legal requirements?

When talking about Governance, we are talking about building a structured and usable management model.

For that, we have to rely on platforms that help us maintain this planning; otherwise we will have only good intentions about managing our structure, without an adequate way of validating the plan.

Conviso Platform helps ensure that all requirements, whether legal, contractual or SLA-based, are monitored and kept under control.
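The two governance mechanisms described above, weighing a vulnerability’s severity against the criticality of the asset it lives on (from the "Measuring and structuring the Strategy" section) and tracking each finding against an SLA deadline, can be shown together in a few lines. The example below is added for this article; it is not Conviso Platform’s algorithm or API. The ordinal scales, the multiplicative score, the P1–P4 bands, the SLA windows, the sample findings and the report date are all constructed assumptions chosen to illustrate the point that a medium finding on a critical asset should outrank a critical finding on a low-value asset.

```python
"""Illustrative prioritization and SLA tracking for vulnerability findings.

Added example for this article; it is NOT Conviso Platform's algorithm.
The scales, weights, SLA windows and sample findings are constructed
assumptions chosen to show the governance point: a medium finding on a
business-critical asset can outrank a critical finding on a low-value one.
"""
from dataclasses import dataclass
from datetime import date, timedelta

# Assumed ordinal scales for asset criticality and technical severity.
ASSET_CRITICALITY = {"low": 1, "medium": 2, "high": 3, "critical": 4}
SEVERITY = {"low": 1, "medium": 2, "high": 3, "critical": 4}

# Assumed remediation SLA (days from discovery) per priority band.
SLA_DAYS = {"P1": 7, "P2": 30, "P3": 90, "P4": 180}


@dataclass(frozen=True)
class Finding:
    finding_id: str
    asset: str
    asset_criticality: str  # key of ASSET_CRITICALITY
    severity: str           # key of SEVERITY
    discovered: date


def risk_score(f: Finding) -> int:
    """Business risk = asset criticality x technical severity (1..16)."""
    return ASSET_CRITICALITY[f.asset_criticality] * SEVERITY[f.severity]


def priority_band(f: Finding) -> str:
    """Map the risk score onto the bands that drive the SLA."""
    score = risk_score(f)
    if score >= 12:
        return "P1"
    if score >= 8:
        return "P2"
    if score >= 4:
        return "P3"
    return "P4"


def due_date(f: Finding) -> date:
    """SLA deadline derived from the discovery date and the priority band."""
    return f.discovered + timedelta(days=SLA_DAYS[priority_band(f)])


def prioritize(findings: list[Finding]) -> list[Finding]:
    """Remediation queue: highest business risk first, oldest first on ties."""
    return sorted(findings, key=lambda f: (-risk_score(f), f.discovered))


def sla_report(findings: list[Finding], today: date) -> dict:
    """Dashboard-style summary: queue order, open findings per band, overdue."""
    queue = prioritize(findings)
    open_by_band: dict[str, int] = {band: 0 for band in SLA_DAYS}
    overdue: list[str] = []
    for f in queue:
        open_by_band[priority_band(f)] += 1
        if due_date(f) < today:  # deadline already passed
            overdue.append(f.finding_id)
    return {"queue": [f.finding_id for f in queue],
            "open_by_band": open_by_band,
            "overdue": overdue}


# Constructed sample findings (assumed data, not real scan results).
SAMPLE_FINDINGS = [
    Finding("VULN-1", "payments-api", "critical", "medium", date(2024, 1, 10)),
    Finding("VULN-2", "internal-wiki", "low", "critical", date(2024, 1, 5)),
    Finding("VULN-3", "customer-portal", "high", "high", date(2024, 1, 20)),
    Finding("VULN-4", "marketing-site", "medium", "low", date(2023, 12, 1)),
    Finding("VULN-5", "payments-api", "critical", "critical", date(2024, 2, 1)),
]
REPORT_DATE = date(2024, 2, 20)  # assumed "today" for the report

if __name__ == "__main__":
    for f in prioritize(SAMPLE_FINDINGS):
        print(f"{priority_band(f)} score={risk_score(f):2d} {f.finding_id:7s} "
              f"{f.asset:16s} due {due_date(f)}")
    print("overdue:", sla_report(SAMPLE_FINDINGS, REPORT_DATE)["overdue"])
```

With these assumed scales, VULN-1 (medium severity on a critical asset, score 8, P2) is queued ahead of VULN-2 (critical severity on a low asset, score 4, P3), which is exactly the ordering the asset registry is meant to produce. The same band then sets the SLA window, so the report can flag which findings are already past their contractual deadline on the report date.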

Likewise, internal and external security standards must be followed to ensure compliance, and that compliance must be aligned with the business objectives of the company.

Again, through our AppSec tool the team can create playbooks that describe the requirements to be followed and how they apply within software security.

Once these documents describe the structure, they can be linked to the analyses, ensuring that the recommendations and guidelines are followed even when the developer has no direct knowledge of them. In the same way, playbooks can carry prescriptive testing and validation guidelines that speed up the team’s day-to-day work.

In addition, playbooks can serve as documentation of all the regulations that development teams must follow, speeding up the validation and testing process.

Publishing Knowledge

Documenting, creating directives and demanding best practices is useless without a well-trained team armed with the best information.

Within the Governance process, following this evolution, and having the information needed to get ahead of some problems, is fundamental.

Conviso Platform can present data that shows what the development teams’ understanding and learning needs are, making it possible for the manager to build their training plans.

The focus can then be on creating the conditions for teams to carry out their activities in the best possible way, without managers needing to intervene at every moment.

One of the most recurring themes among teams is the need to maintain a constant training cycle that delivers knowledge about best practices and security awareness.

With each cycle, the organization builds a solid knowledge base, which enables the distribution of knowledge not only among developers but also among other areas of the company.

Through the Conviso Platform documentation structure, it is possible to build documentation (playbooks) that serves as the basis for a structured onboarding process.

In the same way, the platform gives developers access to secure development best-practice guides, created and maintained within the platform itself. The platform is also a direct communication channel between all the teams and allows the exchange of experiences and knowledge.

We believe that a well-structured platform is a great step toward building and maintaining an efficient secure development process.

About author

Over 15 years of experience in Information Security and Application Security; graduated in Data Processing; worked as a professor and participated actively as an instructor in training more than 6,000 developers and IT teams. Father of two daughters and trader in his free time.