Working Relation with YJB
Securestorm works with the YJB, providing Risk Management, Information Assurance, and Operational Security. We have been working with the programme development team to ensure the security needs and outcomes are included in the sprints and that issues are managed in a timely fashion.
Use of Edgescan
Edgescan forms part of a three-level security testing and assurance model, managed by Securestorm for the YJAF development. As the code is developed and committed in the Jenkins toolset it is compared to the OWASP standards using a plugin. This has enabled the development team to fix issues while still working on the code.
When the code has reached a level of maturity and is clearing the security tests, it is moved to a cloud-based user training environment. This was created to enable user testing and training and is Internet connected. The Securestorm team identified that we could use the Edgescan service to provide our second level of security testing. The system has been configured with a representative set of accounts and the credentials configured within Edgescan. This is set to run on a schedule matched to the sprint cycles and the output reports shared with the YJAF development team. This approach has enabled the security issues identified to be included within the overall testing and fixed within the development sprints. When the code has reached a final level of maturity it is moved to the production environment and is subject to a targeted government penetration test.
✓ The use of Edgescan has provided regular testing of the developing platform, enabling Securestorm to provide targeted security support. This avoids a single penetration test at the end of the development lifecycle, with the associated delays and impact on going live.
✓ Securestorm received positive feedback from the project when they were given the Edgescan reports, as these are very specific around the impacted code. This enabled the developers to review their code within the same sprint rather than being asked to look at it months later. Integration into Jira is currently being reviewed.
✓ YJB are happy with the approach as they can see that security issues and potential risks are being addressed as part of the development lifecycle. The security testing model using Edgescan as part of the overall test plan has been seen to improve the developed application code.
✓ Securestorm and YJB will continue to use Edgescan with the application framework as it matures to provide continuous monitoring in support of information risk management.