Strategic Application Security Testing & Advisory
Secure Ideas has developed a strategic program consisting of ongoing training and access to expertise. The model is similar to a traditional tradesperson apprenticeship, mixing on-the-job training with structured study. Secure Ideas calls this program the Strategic Application Security Testing and Advisory (SASTA) service; it is built around a set of resources and activities designed to provide ongoing support for growing expertise within organizations.
The Problem with most other Training
The Training Component
Members get access to all of the web application security content recorded in our learning management system (LMS) at training.secureideas.com. This includes full-length training courses as well as shorter webcasts and workshops.
Secure Ideas supplements the recorded training with one-on-one or small-group training sessions that cover concepts and tools in more detail. These sessions can be scheduled to run from 30 minutes to two hours, depending on the topics to be covered, and are conducted at least six times each year. Sessions covering general topics may be recorded and added to the LMS for other SASTA members.
The Advisory Component
SASTA members get a direct line to application security expertise through online chat (e.g. Slack). This channel is intended to provide quick expert answers for simple scenarios and advice on matters such as risk-ranking or the wording of findings. Secure Ideas monitors this channel during business hours.
Secure Ideas also provides SASTA members with flexible consulting time for items such as direction on integrating security testing into the SDLC, or reviews of software design and architecture to point out potential areas of concern.
The Assistance Component
We want to make sure SASTA members become productive application security experts. Whether an AppSec team member is stuck while conducting an application penetration test, a developer needs help understanding a static analysis result, or any of the many other scenarios where someone needs a quick second set of eyes, members have the option of scheduling a 15-30 minute web meeting with a Secure Ideas expert and getting assistance through a screen-share session.
The report is often considered the most important part of a penetration tester's job. SASTA therefore includes an option to have a Secure Ideas consultant review the penetration test reports produced by your team members, with the goal of improving the quality of their report writing. This review considers items such as overall report format, the risk rankings of findings, and the accuracy of vulnerability descriptions and remediation suggestions.
WebScout is the Secure Ideas solution for rapid web application penetration tests. It consists of a time-boxed hybrid of manual and automated testing, with priority given to high-risk items before low-risk ones. It is intended for situations where teams are overwhelmed or understaffed and just need someone to jump in, conduct a test, and provide a report. WebScout is an optional addition to SASTA.
Shifting left is critical to continued security in organizations: most development is made better by moving security earlier in the process. But traditional penetration testing of web applications and APIs does not fit well into the earlier stages of the software development lifecycle (SDLC).
Secure Ideas has created a testing-credit process to help solve these issues, especially when paired with SASTA. An organization purchases credits to use over the following 24 months. Combined with a self-scoping system, these credits allow an organization to work with Secure Ideas within its own development processes.
| Service | Notes on Purchase | Price Range |
|---|---|---|
| Annually | *Minimum purchase of ten (10) seats | $1000 per seat |
| SASTA + Testing | *50+ credits purchased provides free SASTA for 25 seats. | 10% off (per 5 credits purchased) |

*For additional seats for SASTA + Testing, please call us.