elfCONSULTING - Partner in Secure Software Development

Secure software development is a comprehensive process. elfGROUP offers both highly targeted service packages and an ongoing partnership for developing security practices.
Secure software development and software assurance are not only about fending off attacks and data theft. The aim is also cyber resilience, secure availability of the system, and making information security visible and measurable, so that it becomes a concrete and significant goal for everyone in the organization.

Would you like to discuss with us which service package suits your organization best? Contact us and let's talk more!

Secure Software Development

Business comprehension

Business risks

It is best to start with a risk assessment before writing the requirements specification. It is important to understand what role the software project plays in the business, what could go wrong, and which risks could materialize. This makes it possible to establish corporate-level cyber security requirements. elfSURVEY – Cyber Security Survey is an excellent tool for investigating an organization's security level and for creating a development plan.

Software/product level risk assessment

Security requirements at the product level

Software or product level risk assessment models, for example, data flows and trust boundaries in order to understand the system's architecture and operation. At the heart of cyber risk assessment is threat modelling, which can be done collaboratively using different frameworks. For example, in the elfSWEEP – Cyber Security Conformity Assessment, ISO 27001 or elfGROUP CyberSafe Certificates can be selected as the framework. The STRIDE mnemonic (Spoofing, Tampering, Repudiation, Information disclosure, Denial of service, Elevation of privilege) can be used to enumerate threats. Mitigations are then defined to prevent or reduce each threat, and these become the security requirements at the product level.
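As an added illustration (not elfGROUP's own method or tooling), the following Python script applies STRIDE per element to a small constructed data-flow model: each element carries a trust zone, a flow between two zones crosses a trust boundary, and every accepted threat maps to a baseline mitigation that becomes a product-level security requirement. The system (browser, API, session cache, customer database, payment provider), its zones and the mitigation wording are all hypothetical.

```python
"""STRIDE-per-element threat enumeration over a small data-flow model.

Added example, not elfGROUP's method or tooling. The system, its trust zones
and the mitigation wording are constructed for illustration.
"""
from dataclasses import dataclass

# Classic STRIDE-per-element mapping: which threat categories are usually
# relevant to each kind of data-flow-diagram element.
STRIDE_PER_ELEMENT = {
    "external": ["Spoofing", "Repudiation"],
    "process": ["Spoofing", "Tampering", "Repudiation", "Information disclosure",
                "Denial of service", "Elevation of privilege"],
    "store": ["Tampering", "Repudiation", "Information disclosure", "Denial of service"],
    "flow": ["Tampering", "Information disclosure", "Denial of service"],
}

# Hypothetical baseline mitigations; an accepted threat turns its mitigation
# into a product-level security requirement.
MITIGATIONS = {
    "Spoofing": "authenticate the peer (mTLS between services, MFA for users)",
    "Tampering": "integrity-protect data (TLS in transit, signatures or MACs, strict input validation)",
    "Repudiation": "tamper-evident audit logging with synchronised clocks",
    "Information disclosure": "encrypt in transit and at rest; least-privilege data access",
    "Denial of service": "rate limits, quotas and bounded resource use",
    "Elevation of privilege": "authorisation checks at every trust boundary; least privilege",
}


@dataclass(frozen=True)
class Element:
    name: str
    kind: str   # "external", "process" or "store"
    zone: str   # trust zone; a flow between two zones crosses a trust boundary


@dataclass(frozen=True)
class Flow:
    src: Element
    dst: Element
    data: str
    sensitive: bool = False


@dataclass(frozen=True)
class Threat:
    target: str
    category: str
    crosses_boundary: bool
    requirement: str


def threats_for(elements, flows):
    """Enumerate candidate threats for every element and every flow."""
    found = []
    for e in elements:
        for cat in STRIDE_PER_ELEMENT[e.kind]:
            found.append(Threat(e.name, cat, False, MITIGATIONS[cat]))
    for f in flows:
        crosses = f.src.zone != f.dst.zone
        for cat in STRIDE_PER_ELEMENT["flow"]:
            # Disclosure of non-sensitive data that never leaves its zone is noise; skip it.
            if cat == "Information disclosure" and not (f.sensitive or crosses):
                continue
            target = f"{f.src.name}->{f.dst.name} ({f.data})"
            found.append(Threat(target, cat, crosses, MITIGATIONS[cat]))
    return found


def boundary_threats(threats):
    """Threats on flows that cross a trust boundary: review these first."""
    return [t for t in threats if t.crosses_boundary]


def product_requirements(threats):
    """Deduplicated, sorted mitigations: the product-level security requirements."""
    return sorted({t.requirement for t in threats})


def build_model():
    """Constructed example system; not a real customer architecture."""
    browser = Element("browser", "external", "internet")
    api = Element("api", "process", "dmz")
    cache = Element("session-cache", "store", "dmz")
    db = Element("customer-db", "store", "internal")
    payments = Element("payment-provider", "external", "third-party")
    flows = [
        Flow(browser, api, "login credentials", sensitive=True),
        Flow(api, cache, "session id"),            # same zone, not sensitive
        Flow(api, db, "customer records", sensitive=True),
        Flow(api, payments, "card token", sensitive=True),
    ]
    return [browser, api, cache, db, payments], flows


if __name__ == "__main__":
    elements, flows = build_model()
    threats = threats_for(elements, flows)
    for t in boundary_threats(threats):
        print(f"{t.category:<23} {t.target}: {t.requirement}")
    print("\nProduct-level requirements:")
    for r in product_requirements(threats):
        print(" -", r)
```

Running the script lists the nine threats on the three boundary-crossing flows first, which is where a review workshop should spend its time, and then the six deduplicated mitigations that the model turns into requirements. In a real assessment each candidate threat is accepted, mitigated or explicitly accepted as residual risk; the script only produces the candidates.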

When the goal is comprehensive security throughout the software development project, it is recommended to conduct a Cyber Security Overview workshop in the early phases of the cooperation.

Functional / non-functional requirements

Making security a concrete part of software development requires that security is always considered when defining functional and non-functional requirements. Technical security requirements are often invisible to the user but very important for security and system availability. Explicit security requirements ensure that the finished and approved product is secure, and that security is not overridden by delivery schedule pressure.

Secure software development

The phases of secure software development include requirements specification, design, the actual coding, and unit and module testing. The goal is code that implements the required functionality and meets the agreed security criteria. Managing third-party components, and auditing and verifying their security, is also a critical part of this work: a system's overall security level is that of its weakest link. Policies that ensure secure software development can be built around the improvement areas identified by, for example, an OWASP SAMM analysis.
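As an added example of third-party component management (not code from elfGROUP or from OWASP SAMM), the following Python script checks a constructed pip requirements file for the discipline that pip's `--require-hashes` mode enforces, namely that every dependency is pinned to an exact version and carries a SHA-256 hash, and then cross-checks the pins against an advisory table. The lockfile contents, the digest, the package versions and the advisory identifier are all hypothetical, not real vulnerability data.

```python
"""Lockfile discipline check for pip requirements files.

Added example, not elfGROUP's tooling. Mirrors the rule pip enforces in
--require-hashes mode (every requirement pinned with == and carrying a hash)
and then cross-checks the pins against an advisory table. The lockfile text,
the digest and the advisory table are constructed; the advisory ID is
hypothetical, not real vulnerability data.
"""
import re
from dataclasses import dataclass

# Constructed lockfile; the sha256 digest is a placeholder, not a real artifact hash.
REQUIREMENTS_TXT = """\
# constructed example, not a real project
requests==2.31.0 \\
    --hash=sha256:abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789
urllib3>=1.26          # version range: cannot be hash-verified
pyyaml==5.3.1          # pinned, but no hash, and listed in the advisory table
"""

# Hypothetical advisory table keyed by (normalised package name, exact version).
ADVISORIES = {("pyyaml", "5.3.1"): "HYPOTHETICAL-ADV-0001"}

SPEC_RE = re.compile(r"^([A-Za-z0-9][A-Za-z0-9._-]*)\s*(==|>=|<=|~=|!=|>|<)?\s*([^\s;]*)")
HASH_RE = re.compile(r"^--hash=sha256:[0-9a-f]{64}$")


@dataclass
class Finding:
    package: str
    problem: str


def _logical_lines(text):
    """Strip comments and join backslash-continued lines, as pip reads them."""
    lines, buf = [], ""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if line.endswith("\\"):
            buf += line[:-1] + " "
            continue
        buf += line
        if buf.strip():
            lines.append(buf.strip())
        buf = ""
    if buf.strip():
        lines.append(buf.strip())
    return lines


def normalise(name):
    """PEP 503 name normalisation, so Foo_Bar and foo-bar hit the same advisory."""
    return re.sub(r"[-_.]+", "-", name).lower()


def check_requirements(text, advisories=ADVISORIES):
    """Return one Finding per violation; an empty list means the file passes."""
    findings = []
    for line in _logical_lines(text):
        if line.startswith("-"):          # -r, --index-url etc.: out of scope here
            continue
        spec, *opts = line.split()
        m = SPEC_RE.match(spec)
        if not m:
            findings.append(Finding(spec, "unparseable requirement"))
            continue
        name, op, version = normalise(m.group(1)), m.group(2), m.group(3)
        if op != "==":
            # A version range can resolve to anything, so it can neither be
            # hash-verified nor meaningfully checked against advisories.
            findings.append(Finding(name, "not pinned to an exact version (==)"))
            continue
        if not any(HASH_RE.match(o) for o in opts):
            findings.append(Finding(name, "no sha256 hash; pip --require-hashes would refuse it"))
        advisory = advisories.get((name, version))
        if advisory:
            findings.append(Finding(name, f"version {version} has advisory {advisory}"))
    return findings


if __name__ == "__main__":
    for f in check_requirements(REQUIREMENTS_TXT):
        print(f"{f.package}: {f.problem}")
```

On the constructed file the script reports three findings: `urllib3` is a version range, `pyyaml` carries no hash, and the pinned `pyyaml` version appears in the advisory table. In a real pipeline the advisory table would come from a vulnerability database and the check would run in CI so that a lockfile that fails it cannot be merged.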

Verification and testing

The verification phase covers both functional testing and security testing. The elfATTACK ethical hacking service helps reach an adequate level of security testing. Penetration testing (pentesting) is the usual form of such testing: the security of an information system, or of a company's servers and networks, is tested by attacking the target environment with the same techniques a malicious attacker would use, under agreed rules of engagement.

The overall journey from requirements management through secure development and testing to production environment management should be examined as a Secure Software Development Lifecycle (Secure SDLC). The basic idea of the model is that security is considered and enforced at every step of the way.

Deployment

Operations

Once the system has been tested and approved, it can be taken into production use. That does not mean its development and security assurance end at this phase: continuous updates, coordinated change management, and data lifecycle management are equally important from a security perspective. For example, backups of an otherwise well-protected system become a data leakage risk if they are not encrypted and access-controlled to the same standard as the live data. DevSecOps practices also bring the information security perspective into the deployment and production models of agile development, continuous integration, and continuous delivery.

Retirement

Even at the end of the life cycle, when the system is being torn down, data lifecycle management must be taken care of so that no security problems arise: data that is no longer needed must be deleted or securely destroyed, including the copies held in backups.

From Cyber Security Assessment to Comprehensive Security Work

The elfGROUP service portfolio includes individual assessment and development services, certification packages and comprehensive security partnership options based on monthly contract models. Ask more from our sales team and we will work together to tailor a service package that suits your needs!


The elfCONSULTING service model assigns workdays per month to the development of security work, as required by the customer. Cooperation begins with a roadmap workshop, where the focus areas are defined for the first months or, for example, for the first six months. It is often advisable to start with the Cyber Security Assessment, for example using the OWASP SAMM or ASVS frameworks. The assessment reveals development areas where cooperation can be further deepened in the form of workshops, training, testing, assessments or certifications. Each customer's path in the elfCONSULTING collaboration model is unique and keeps evolving throughout the collaboration.

Read about our customer FCG Talent on their journey as an elfCONSULTING customer!

Interested to learn more?

In our blog series, we write about the cybersecurity domain in general and our service and product offerings, and showcase some of our customer cases. The blog posts are categorized by service type.

Read elfCONSULTING related articles

Further enquiries

Tuomas Tonteri, p. 040 356 3251

See other contact information