Ensuring product security throughout the development process

Product Security Engineering

Our expertise in product security engineering delivers:

More efficient development

By removing the conflict between security audits and software releases.

More secure products

By making security considerations an intrinsic part of the development.

More motivated engineers

By removing unnecessary workload, and focusing on areas where it is valuable.

Firesand can help:

We want to bridge the gap between your product engineering and security compliance teams, creating a seamless pipeline through which secure, efficient development can occur.

In the days of waterfall planning, with long development windows and infrequent releases, the security audit could sensibly be a major pre-launch milestone. With agile development now the more common methodology, adding a security audit before each release is either a time-consuming ordeal or worse, a barrier that development teams can be tempted to sidestep altogether.

If your security audit process is rigorous, we can provide the additional resources needed to complete the myriad security questionnaires, leaving your engineering teams free to develop superior products.

Where possible, we bring our expertise to bear on the security audit process itself, shaping it to work in partnership with your product engineers, not against them.

Time and again, we see a security audit that is fixated on infrastructure, not product. Sound familiar?

Even beyond fitting into your existing processes and helping you shape them, our team is packed with expert Product Security Engineers and consultants.

We will cultivate a thorough understanding of your products and advise in situations where security controls may get in the way of the products’ goals or the user’s experience. Where necessary, we will provide alternate solutions.

Our experts will also be able to provide manual code review of the riskiest areas of the code-base, e.g. access control, session management, handling of any secrets, APIs, service end-points etc.

They can conduct threat modelling based on the Firesand Threat Modelling process (which is, in turn, based on industry standards and processes), as well as performing general security reviews on the design of the product.

Our Product Security Subject Matter Experts (SME) can provide general consulting and guidance on how to design and develop products securely, with the smallest possible impact on the product itself, and provide informal training and guidance for Product Engineers as they develop the product.

Furthermore, our SMEs are able to help with understanding and interpreting the results of any other form of security analysis carried out on the product, such as Static Application Security Testing (SAST), through tools such as Checkmarx, SonarQube, Coverity, etc.; Dynamic Application Security Testing (DAST), through tools such as Checkmarx, Qualys, Acunetix, and so on; Integrated Application Security Testing (IAST), e.g. Checkmarx; and, of course, Penetration Testing results.

In all cases, we can help identify false positives, and interpret the findings based on the context of the product itself, e.g. a medium finding in a Penetration Test may, in reality, be a low finding, or perhaps even a critical finding – based on the context of what the product us, who is intended to use it, and where it is intended to be used etc.

We are reforming traditional security processes to make them work for each client.

- We have the dedicated resources to meet every business’ requirements

- You can leave the filling in of hundreds of forms to us

- Our approach is flexible and innovative, based on risk

- We can help other teams learn how to work in a new, more effective manner

There are no pre-defined rules or checklists that we’ll bend your product to fit into; we believe in the individuality of our clients and their products, and adapt our security approach accordingly. We won’t force a testing or security regime on you; our goal is to work with you to come up with a system that fits your specific requirements.

At Firesand, we’re not just a team of Product Security Engineers. We can also offer a wide range of security services, including:

- Managed security services, such as Managed Vulnerability Scans and Managed Web Application Scans, through our partnership with Qualys.

- Penetration Testing: with highly qualified testers who have trained others at world renowned hacking conferences.

- Product Engineers: we can offer formal online secure software engineering training, which covers: security basics, common vulnerabilities, how to design securely, how to develop security, and how to test for security.