The Problem: Today's business environment is faced with ever-increasing challenges to meet regulatory and shareholder expectations for securing applications despite a significant shortage of available cyber-security talent in the workforce. The typical approach to application security training is very tactical in nature, and serves only as an introduction.
Our Solution: To meet this challenge, Secure Ideas has developed a strategic program comprised of ongoing training and access to expertise. This model is similar to a traditional trades-person apprenticeship program, mixing on-the-job training and structured study. Secure Ideas calls this program the Strategic Application Security Testing and Advisory (SASTA) service, and it is built around a set of resources and activities designed to provide ongoing support to grow expertise within organizations.
SASTA is made up of three main components: Training, Advisory, and Assistance, and is flexible enough to fit the needs of both application security and software development teams.
All pricing is at a monthly rate for twelve months of access to the program.
Members get access to all of the web application security content recorded in our learning management system at training.secureideas.com. This includes full-length training and shorter webcasts and workshops.
Secure Ideas will supplement recorded trainings with one-on-one or small-group training sessions to cover concepts and tools in more detail. These sessions can be scheduled to run from 30 minutes to two hours depending on the topics to be covered. Sessions covering general topics may be recorded and added to the LMS for other SASTA members. At least two sessions will be conducted each month.
SASTA members get a direct line to application security expertise through online chat (e.g. Slack). This channel is intended to provide quick expert answers to simple scenarios and advice such as risk-ranking or verbiage of findings. Secure Ideas monitors this channel during business hours.
Secure Ideas provides SASTA members with some flexible consulting time to assist with items such as providing direction in integrating security testing with the SDLC or reviewing software design and architecture to point out potential areas of interest.
We want to make sure SASTA members become productive application security experts. Whether an appsec team member is stuck while conducting an application penetration test, a developer needs help understanding static analysis results, or any number of scenarios where they need a quick second set of eyes on something, they have the option of scheduling a 15-30 minute web meeting with a Secure Ideas expert, getting assistance through a screen-share session.
The report is often considered the most important part of a penetration tester's job. SASTA therefore includes an option to have a Secure Ideas consultant review the penetration test reports produced by your team members, with the goal of improving the quality of their report writing. This review will consider items such as overall report format, the risk rankings of findings, and the accuracy of vulnerability descriptions and remediation suggestions.
This service is the Secure Ideas solution for rapid web application penetration tests. It consists of a hybrid manual and automated test that is time-boxed, with priority given to high-risk items before lower-risk ones. This is for those situations where teams are overwhelmed, understaffed, and just need someone to jump in, conduct a test, and provide a report. Web Scout is an optional addition to SASTA.