Creating and implementing a secure application development process can be challenging. Project-specific vulnerabilities and requirements make it hard to cover everything at the outset. Many organizations try to identify security defects early with code scanning (i.e., Static Analysis Security Testing, or SAST). Their goal is to catch and fix security errors before releasing their software. However, one of the challenges organizations experience is managing the results delivered by SAST/DAST tools. The often unreliable results produced by code scanners can limit an organization’s ability to scale its program to a large number of applications.
The Problem with Scanners
A major financial institution experienced this problem first-hand while onboarding applications into their SAST program. They found themselves struggling to manage a large number of scanner results. The scanners often missed critical issues and produced false alarms. The limited availability of people with the necessary skills also made it difficult to keep up with the amount of work. A single employee could only onboard 111 applications into the program per year, which meant that scaling the program would tie up valuable resources. In general, it was difficult for them to streamline their application security process and integrate it with an agile development workflow.
Scaling Threat Modeling Activities is Hard
When this major financial institution began creating a threat modeling program, they wanted the activity to scale to a large number of applications, without all the overhead and unanticipated work that they experienced with their SAST program.
To onboard applications faster, the organization adopted and implemented SD Elements. This platform enabled automated threat modeling and built security requirements into their application security program. A single employee was able to onboard 240 applications in 4 months (while only spending half of their time on it). The initial run was so successful that they eventually onboarded 1500 high-risk applications and made it part of their standard development process. SD Elements scaled over 12x faster than their static analysis program.