SD Elements: Threat Modeling


Additional Info

Company (that provides the nominated product / solution / service): Security Compass
Company size (employees): 100 to 499
Type of solution: Software

In 3 bullets, summarize why this product or service is different from the competition and deserves recognition:

• Security Compass's automated threat modeling is part of a broader approach to application security, threat management and compliance for DevOps environments. SD Elements addresses business, security, and risk and compliance use cases across the enterprise. By helping agile organizations shift security left, building security requirements and threat management into the software development lifecycle from the start, it lets them threat model and manage risk cost-effectively and at the speed the business demands.
• SD Elements not only provides effective, easy automated threat modeling; it also creates an auditable record of all threat management activities. Regulations such as the GDPR and the NY DFS cybersecurity regulation require companies not only to follow secure development procedures but also to prove compliance to regulators. SD Elements makes this, and corporate accountability, straightforward. If a company is hit with a data breach, CIOs and CISOs can show that it was following its application security policies or, alternatively, identify what and who was responsible for the breach.
• In addition to its first-of-its-kind ASRTM platform, Security Compass offers advisory services and training to help organizations develop developers proficient at building secure software. Its Software Security Practitioner (SSP) Suites are presented as the first (ISC)2 accredited courses of their kind, and the adaptive courseware tailors content to what a student needs to know. Security Compass's training content integrates into SD Elements, giving developers just-in-time security training as they implement the requirements generated by automated threat modeling.

Brief Overview

There's a new, burgeoning category in security: Application Security Requirements and Threat Management (ASRTM). Gartner defines ASRTM tools as being "used for automating security requirements definition, risk assessment and threat modeling, often with Software Development Lifecycle (SDLC) integration…" SD Elements from Security Compass is an ASRTM platform that includes automated threat modeling.

With SD Elements, development teams and security professionals can generate threat models to manage risk in homegrown applications or third-party software. The team starts by answering a short questionnaire about the technical profile of the application. From those answers, SD Elements generates the set of threats that apply to that application. Countermeasures for each threat are drawn from the company's proprietary security database and turned into tasks that are automated throughout the software development lifecycle (SDLC). The main innovation of SD Elements is that it does not stop at the threat model: the resulting tasks for developers and testers are assigned and tracked through the entire SDLC.

After an application is modeled in SD Elements, updates about new vulnerabilities, compliance standards, and defenses are delivered continuously into the development process, helping teams keep up with emerging threats. For critical, high-risk applications, Security Compass offers manual threat modeling alongside SD Elements' automated capabilities to capture both domain-specific and domain-agnostic threats. Manual threat modeling breaks the application down into a data flow diagram that identifies its assets and trust boundaries; use cases are then examined by hand to determine potential threats. The outputs of a manual threat model can be entered into SD Elements so that the resulting security requirements are tracked and automated alongside the generated ones.
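The two paragraphs above describe a workflow (questionnaire answers select applicable threats, each threat yields countermeasure tasks, tasks are tracked through the SDLC with an audit trail, later content updates add only new tasks, and manual DFD findings enter the same tracker). The following is an added example written for this page, not SD Elements' code: a toy rule engine with that shape. The rule library, questionnaire attribute names, application profile and status workflow are all constructed for illustration; the product's real content database and task model are proprietary and not shown here.

```python
"""Questionnaire-driven threat modelling with tracked countermeasures.
Added example, not SD Elements' code: a toy rule engine in the shape the page
describes. Rule library, questionnaire attributes and profile are constructed.
"""
from dataclasses import dataclass
from datetime import datetime, timezone

@dataclass(frozen=True)
class ThreatRule:
    rule_id: str
    applies_when: dict      # questionnaire attribute -> required answer
    threat: str
    countermeasures: tuple  # one tracked task per countermeasure

# Constructed toy library; the product's real content database is proprietary.
RULES_V1 = (
    ThreatRule("R1", {"exposes_http": True}, "Cross-site scripting",
               ("Contextually output-encode all user-controlled data",)),
    ThreatRule("R2", {"uses_sql": True}, "SQL injection",
               ("Use parameterised queries for every SQL statement",)),
    ThreatRule("R3", {"stores_pii": True}, "Exposure of personal data at rest",
               ("Encrypt personal data at rest",
                "Document a retention period for personal data")),
)
# A later library revision (the "continuous updates" the page mentions);
# re-applying it must create only the genuinely new tasks.
RULES_V2 = RULES_V1 + (
    ThreatRule("R4", {"exposes_http": True, "deserialises_input": True},
               "Insecure deserialisation of client-supplied input",
               ("Deserialise only into an allow-listed set of types",)),
)

def rule_applies(rule, profile):
    """Every attribute in applies_when must match the questionnaire answer."""
    return all(profile.get(k) == v for k, v in rule.applies_when.items())

@dataclass
class Task:
    task_id: str
    threat: str
    countermeasure: str
    source: str          # "auto" (rule engine) or "manual" (DFD review)
    status: str = "open"

# Allowed SDLC status transitions; anything else is rejected.
TRANSITIONS = {"open": {"in_progress"}, "in_progress": {"implemented"},
               "implemented": {"verified", "open"}}   # testers may reopen

class ThreatModel:
    def __init__(self, app_name, profile):
        self.app_name, self.profile = app_name, profile
        self.tasks = {}     # task_id -> Task
        self.audit = []     # append-only evidence trail

    def _log(self, event, **details):
        self.audit.append({"ts": datetime.now(timezone.utc).isoformat(),
                           "app": self.app_name, "event": event, **details})

    def apply_rules(self, rules):
        """Create one task per applicable countermeasure; idempotent on re-run."""
        created = []
        for rule in rules:
            if not rule_applies(rule, self.profile):
                continue
            for n, cm in enumerate(rule.countermeasures, 1):
                task_id = f"{rule.rule_id}-{n}"
                if task_id not in self.tasks:
                    self.tasks[task_id] = Task(task_id, rule.threat, cm, "auto")
                    self._log("task_created", task=task_id, rule=rule.rule_id)
                    created.append(task_id)
        return created

    def add_manual_threat(self, threat, countermeasure):
        """Findings from a manual DFD / trust-boundary review join the tracker."""
        task_id = f"M-{sum(t.source == 'manual' for t in self.tasks.values()) + 1}"
        self.tasks[task_id] = Task(task_id, threat, countermeasure, "manual")
        self._log("task_created", task=task_id, rule=None)
        return task_id

    def set_status(self, task_id, new_status, actor):
        task = self.tasks[task_id]
        if new_status not in TRANSITIONS.get(task.status, ()):
            raise ValueError(f"{task_id}: {task.status} -> {new_status} not allowed")
        self._log("status_changed", task=task_id, actor=actor,
                  old=task.status, new=new_status)
        task.status = new_status

    def open_tasks(self):
        return sorted(i for i, t in self.tasks.items() if t.status != "verified")

if __name__ == "__main__":
    # Constructed questionnaire answers for a hypothetical web application.
    tm = ThreatModel("orders-web", {"exposes_http": True, "uses_sql": True,
                                    "stores_pii": False, "deserialises_input": True})
    print(tm.apply_rules(RULES_V1))   # ['R1-1', 'R2-1']
    print(tm.apply_rules(RULES_V2))   # ['R4-1']: only the new rule fires
    for status, who in (("in_progress", "dev"), ("implemented", "dev"), ("verified", "qa")):
        tm.set_status("R2-1", status, who)
    print(tm.open_tasks(), len(tm.audit))   # ['R1-1', 'R4-1'] 6
```

The two details worth noticing are the idempotent re-run (applying the revised library touches none of the existing tasks, so developers are not re-assigned work they have already verified) and the append-only audit list, which is the kind of evidence the nomination says a CISO needs after a breach: who moved which countermeasure to which state, and when. A rejected transition raises rather than silently writing an unexpected state.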