In software development since 1989 and in information security since 2003, Vertscend develops secure and compliant software and provides cybersecurity consulting services.
Secure software development covers both building security in (planning security requirements, designing the software architecture from a security perspective, adding security features, etc.) and maintaining the security of the software and its underlying infrastructure (source code review, penetration testing).
Introducing security practices naturally increases the time and effort required at each SDLC stage. For example, strict code reviews add up to 20-30% to coding time compared with a conventional software development project. At the same time, this investment can save millions later: the average cost of a data breach was reported to reach $3.86 million in 2020.
In software development since 1989 and in information security since 2003, Vertscend delivers full-range secure software consulting and development services for enterprises and product companies.
Note: Vertscend focuses both on applying security in software development life cycles and establishing security across the development infrastructure, information storage policies, human resource and supplier management, assets used, communication channels, physical location, business operations, and more.
Development of software with AI capabilities implies building new software or evolving existing software to output AI analytics results to users (e.g., demand prediction) and/or trigger specific actions based on them (e.g., blocking fraudulent transactions).
Supported by AI, an application can automate business processes, personalize service delivery and drive business-specific insights. According to Deloitte, 90% of seasoned AI adopters say that “AI is very or critically important to their business success today”.
The number and the ‘depth’ of security measures will differ depending on the level of security you want to achieve. Below you can find an overview of security aspects and practices Vertscend commonly employs.
At the requirements gathering stage, our security specialists prepare an application risk profile. This document describes the possible entry points for attackers and categorizes security risks by severity level, taking into account each risk's impact and likelihood.
Best practice: Vertscend concentrates on describing only the most likely or severe risks to optimize the effort and time of planning and implementing countermeasures.
Relying on the risk profile, organizational security and privacy policies and standards, and regulatory requirements (e.g., HIPAA, PCI DSS), business analysts elicit and document security and resilience requirements for the future software, including:
Vertscend key security deliverable at this stage: Prioritized security and privacy software requirements.
After the Vertscend team has designed a high-level software architecture and established the major data flows and data entry points of the future application, they proceed with threat modeling. Our team performs the following activities:
Based on the described security and resilience requirements and threat modeling activities, our team plans:
Best practice: At Vertscend, we make an extra effort to ensure that security does not hinder UX. Users are likely to turn security features off if they find them overwhelming.
Threat modeling at Vertscend is typically iterative and spans the entire SDLC, from the high-level architecture (interaction between software modules) down to the detailed architecture design and implementation (specific code functions and methods).
Vertscend key security deliverables at this stage: Categorized and ranked security threats, a security risk mitigation plan, and documented secure software architecture.
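As an added illustration of the risk profile described at the requirements stage and of the "categorized and ranked security threats" deliverable above (example code, not Vertscend's own tooling), the block below scores each identified threat by likelihood and impact, assigns a severity band, ranks the list, and drops low-scoring entries so that only the most likely or severe risks are documented. The 1-5 scales, the severity thresholds, and the sample threats are all assumptions chosen for illustration.

```python
"""
Build a ranked application risk profile from threat-modeling input.
Added example; the scales, thresholds and sample threats are assumptions.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Threat:
    entry_point: str   # where an attacker could interact with the system
    description: str
    likelihood: int    # 1 (rare) .. 5 (almost certain), assumed scale
    impact: int        # 1 (negligible) .. 5 (severe), assumed scale

    def score(self) -> int:
        """Likelihood x impact on a 1..25 scale; rejects out-of-range input."""
        for value in (self.likelihood, self.impact):
            if not 1 <= value <= 5:
                raise ValueError("likelihood and impact must be in 1..5")
        return self.likelihood * self.impact


def severity(score: int) -> str:
    """Map a 1..25 score to a severity band (assumed thresholds)."""
    if score >= 15:
        return "Critical"
    if score >= 9:
        return "High"
    if score >= 4:
        return "Medium"
    return "Low"


def build_risk_profile(threats, min_score: int = 4):
    """Rank threats by score (higher impact breaks ties) and keep only those
    at or above min_score, so the profile lists the most likely or severe risks."""
    ranked = sorted(threats, key=lambda t: (t.score(), t.impact), reverse=True)
    kept = [t for t in ranked if t.score() >= min_score]
    return [
        {
            "rank": i + 1,
            "entry_point": t.entry_point,
            "threat": t.description,
            "likelihood": t.likelihood,
            "impact": t.impact,
            "score": t.score(),
            "severity": severity(t.score()),
        }
        for i, t in enumerate(kept)
    ]


# Constructed sample threats for a hypothetical web application.
SAMPLE_THREATS = [
    Threat("Public login form", "Credential stuffing with leaked passwords", 5, 4),
    Threat("Payment API", "Client-side amount accepted without server validation", 3, 5),
    Threat("Mobile app bundle", "Embedded API key extracted from the app package", 5, 3),
    Threat("Admin console", "Sessions not invalidated after password change", 3, 3),
    Threat("Report export", "Verbose error pages reveal stack traces", 4, 1),
    Threat("Static docs page", "Defacement of public documentation", 1, 1),
]


if __name__ == "__main__":
    for row in build_risk_profile(SAMPLE_THREATS):
        print(f"{row['rank']}. [{row['severity']}] {row['entry_point']}: "
              f"{row['threat']} (L={row['likelihood']}, I={row['impact']}, score={row['score']})")
```

The tie-break on impact reflects the usual preference for treating high-impact threats first when two threats score the same; the `min_score` cutoff is the knob that implements the "only the most likely or severe risks" practice, and a threat dropped by it should still be recorded as accepted risk elsewhere rather than forgotten.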
At this stage, Vertscend developers:
Note: At Vertscend, we are guided by the OWASP Application Security Verification Standard (ASVS) project (OWASP being one of the most authoritative organizations in software security), which provides a comprehensive list of secure coding practices and unit tests for developers.
Best practice: Vertscend opts for automated gathering of information about the target software. For example, we often add static application security testing (SAST) and dynamic application security testing (DAST) to CI/CD pipelines so that every build is scanned according to the same scenario and the places where an application could be attacked are detected early.
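One way to turn SAST/DAST scanning in a pipeline into an enforced gate, as an added example that is not Vertscend's own code: the scanner's report is parsed and the build fails when any finding at or above a chosen severity remains. The report format is assumed to be SARIF 2.1.0, which most SAST and DAST tools can emit; the report embedded below is constructed sample data, and `example-sast` and the file paths in it are placeholders.

```python
"""
CI build gate over SAST/DAST findings in SARIF 2.1.0 form.
Added example; the embedded report is constructed, not real scanner output.
"""
import json
import sys

# Constructed SARIF-style report standing in for a scanner's output.
SAMPLE_SARIF = json.dumps({
    "version": "2.1.0",
    "runs": [{
        "tool": {"driver": {"name": "example-sast"}},   # placeholder tool name
        "results": [
            {"ruleId": "sql-injection", "level": "error",
             "message": {"text": "Unsanitized input reaches an SQL query"},
             "locations": [{"physicalLocation": {
                 "artifactLocation": {"uri": "src/orders.py"},
                 "region": {"startLine": 42}}}]},
            {"ruleId": "weak-hash", "level": "warning",
             "message": {"text": "MD5 used for password hashing"},
             "locations": [{"physicalLocation": {
                 "artifactLocation": {"uri": "src/auth.py"},
                 "region": {"startLine": 17}}}]},
            {"ruleId": "todo-comment", "level": "note",
             "message": {"text": "TODO left in code"},
             "locations": [{"physicalLocation": {
                 "artifactLocation": {"uri": "src/util.py"},
                 "region": {"startLine": 3}}}]},
        ],
    }],
})

# SARIF result levels, ordered so a threshold can be compared numerically.
LEVEL_RANK = {"none": 0, "note": 1, "warning": 2, "error": 3}


def parse_sarif(text):
    """Flatten a SARIF report into a list of finding dicts (tool, rule, level, file, line)."""
    report = json.loads(text)
    findings = []
    for run in report.get("runs", []):
        tool = run.get("tool", {}).get("driver", {}).get("name", "unknown")
        for result in run.get("results", []):
            file_uri, line = "?", None
            if result.get("locations"):
                phys = result["locations"][0].get("physicalLocation", {})
                file_uri = phys.get("artifactLocation", {}).get("uri", "?")
                line = phys.get("region", {}).get("startLine")
            findings.append({
                "tool": tool,
                "rule": result.get("ruleId", "?"),
                # SARIF treats a missing level as "warning".
                "level": result.get("level", "warning"),
                "message": result.get("message", {}).get("text", ""),
                "file": file_uri,
                "line": line,
            })
    return findings


def gate(findings, fail_at="error", allowlist=()):
    """Return (passed, blocking_findings). A finding blocks the build when its
    level is at or above fail_at and its rule is not in the accepted-risk allowlist."""
    threshold = LEVEL_RANK[fail_at]
    blocking = [f for f in findings
                if LEVEL_RANK.get(f["level"], LEVEL_RANK["warning"]) >= threshold
                and f["rule"] not in allowlist]
    return len(blocking) == 0, blocking


def run_gate(sarif_text, fail_at="error", allowlist=()):
    """Parse, evaluate and print blocking findings; returns True when the build may proceed."""
    passed, blocking = gate(parse_sarif(sarif_text), fail_at, allowlist)
    for f in blocking:
        print(f"[{f['level'].upper()}] {f['tool']} {f['rule']} "
              f"{f['file']}:{f['line']} - {f['message']}")
    return passed


if __name__ == "__main__":
    # Exit status 1 makes the CI stage fail, which is what enforces the gate.
    sys.exit(0 if run_gate(SAMPLE_SARIF, fail_at="error") else 1)
```

The `allowlist` is the escape hatch for findings a reviewer has accepted as residual risk; each entry in it should be traceable to a recorded decision, otherwise the gate silently erodes. Lowering `fail_at` to `warning` is the usual next step once the backlog of existing findings has been cleared.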
Vertscend key security deliverables at this stage: developed security features, documented secure code, and vulnerabilities described from automated security code review and unit testing.
At this stage, the Vertscend team proceeds with:
Vertscend key security deliverables at this stage: a security testing report describing the uncovered security issues, their risk level and impact, and ways to eliminate them; a security monitoring and incident response plan.
Pros:
Cons:
Pros:
Cons:
Pros:
Cons:
Vertscend offers end-to-end development of highly secure applications with minimized security risks at each SDLC stage.
Description: An open-source penetration testing tool designed specifically for testing web applications in the CI/CD pipeline.
Pricing: free.
Description: Ruby framework for penetration testers and DevOps engineers to evaluate the security of web applications.
Pricing: free.
Description: An integrated platform for security testing of web applications.
Pricing: Professional edition – $399 per year; Enterprise edition: 1 scanning agent = 1 scan at a time, and agents can be reassigned across any websites, applications and URLs.
Introducing secure software development practices requires additional skills and effort (usually 20-80% added effort), which makes such projects more costly than those focused on ‘common’ software development.
To calculate the costs of secure development, Vertscend uses different cost estimation models. For example, the COCOMO-II model can estimate the cost of incorporating security features as the difference in effort between the two variants of the project:
ΔE = E(with security) − E(without security), where ΔE is the additional effort required to develop secure software and E is the estimated effort in person-months (PM).
The cost of security depends on:
Vertscend customers that opt for secure software development and invest in eliminating vulnerabilities as early in the SDLC as possible:
Overall, the return on establishing a secure software engineering framework is around 20%.