Client need
Project background
A multinational company developing connected devices aspired to improve their software development processes and practices to integrate security better during product development. For the company's reputation, trust for the services and products that it offers is a fundamental requirement for their successful business.
The company was already using an agile software development model, yet the company's traditional security guidelines were disconnected from the development projects.
The project was launched to transform the current agile software development model to include end-to-end security practices (DevSecOps) and build products with a secure software lifecycle for successfully producing services and products that would fulfill the company’s security needs.
Special requirements
The improved framework shall extend the existing model and support the agile development process without creating security gates that would block or slow down development.
The improved framework shall be suitable for both new products and the continuous development of released products.
The company is also developing services and products with varying security requirements. The framework shall support identifying the protected asset and the risk to choose proper risk-based actions and mitigation methods to successfully build the security baseline for services and products. This allows the development teams to focus on the most important security features and controls.
We delivered
Secure SDLC framework
Fraktal provided integration of product security and DevSecOps practices to the existing software development model. To support implementation Fraktal also helped to define the roles and responsibilities needed to support the development teams to successfully implement the improved framework. The framework is designed to support secure software development for new products and maintained products throughout their lifecycle.
Technologies and methods
Threat modeling and risk analysis
We delivered improvements to the client's existing threat modeling and risk analysis procedures.
Security and privacy requirements
The security and privacy requirements can now be tracked and prioritized as part of the normal requirements for a product.
Secure SDLC
We delivered a framework for continuously developing and maintaining the security of software products throughout their lifecycle.
Product security organization
We defined the product security organization with new roles to undertake secure SDLC activities.