Beyond fitting into your existing processes and helping you shape them, our team is made up of expert Product Security Engineers and consultants.
We will cultivate a thorough understanding of your products and advise in situations where security controls may get in the way of the products’ goals or the user’s experience. Where necessary, we will provide alternate solutions.
Our experts can also provide manual code review of the riskiest areas of the codebase, e.g. access control, session management, handling of secrets, APIs, service endpoints, etc.
They can conduct threat modelling based on the Firesand Threat Modelling process (which is, in turn, based on industry standards and processes), as well as performing general security reviews on the design of the product.
Our Product Security Subject Matter Experts (SMEs) can provide general consulting and guidance on how to design and develop products securely, with the smallest possible impact on the product itself, and provide informal training and guidance for Product Engineers as they develop the product.
Furthermore, our SMEs are able to help with understanding and interpreting the results of any other form of security analysis carried out on the product, such as Static Application Security Testing (SAST), through tools such as Checkmarx, SonarQube, Coverity, etc.; Dynamic Application Security Testing (DAST), through tools such as Checkmarx, Qualys, Acunetix, and so on; Interactive Application Security Testing (IAST), e.g. Checkmarx; and, of course, Penetration Testing results.
In all cases, we can help identify false positives and interpret the findings in the context of the product itself. A medium finding in a Penetration Test may, in reality, be a low finding, or perhaps even a critical one, depending on what the product is, who is intended to use it, where it is intended to be used, and what data it handles.
We are reforming traditional security processes to make them work for each client.
- We have the dedicated resources to meet every business’ requirements
- You can leave the hundreds of forms that need filling in to us
- Our approach is flexible and innovative, based on risk
- We can help other teams learn how to work in a new, more effective manner
There are no pre-defined rules or checklists that we’ll bend your product to fit into; we believe in the individuality of our clients and their products, and adapt our security approach accordingly. We won’t force a testing or security regime on you; our goal is to work with you to come up with a system that fits your specific requirements.
At Firesand, we’re not just a team of Product Security Engineers. We can also offer a wide range of security services, including:
- Managed security services, such as Managed Vulnerability Scans and Managed Web Application Scans, through our partnership with Qualys.
- Penetration Testing: with highly qualified testers who have trained others at world renowned hacking conferences.
- Training for Product Engineers: we can offer formal online secure software engineering training, which covers security basics, common vulnerabilities, how to design securely, how to develop securely, and how to test for security.