Software is Cyber’s Weakest Link
Vulnerabilities buried deep in code can bring down even the most well-defended organization. These hidden flaws are often difficult to find and even harder to fix.
Using both static and dynamic analysis techniques, our software security assessment personnel pinpoint the vulnerabilities in your code. We then help you fix the issues and harden your applications. We also implement enterprise software assurance programs that improve code quality and security across the Software Development Lifecycle (SDLC).
Static, Dynamic and Everything in Between
We lead one of the Intelligence Community’s largest software assurance programs and help organizations across the critical infrastructure community realize Solutions Built on Security(R). Our approach to software assurance and secure code review is based on our experience leading the development of secure solutions.
Our approach to application security assessment uses a combination of static and dynamic analysis techniques – tailored to the tested application(s) – to conduct a thorough code review.
For static analysis, we customize our approach to fit within your existing software development processes, in coordination with your development teams. This involves manual analysis, supplemented with automated tools targeted to the specific development language in use.
Once the code is in an executable state, we also use dynamic analysis to test it in a run-time environment. We use diverse capabilities and over a dozen open source tools. We also use commercial off-the-shelf software assessment tools, including Veracode and Fortify, to help clients meet specific federal and Department of Defense requirements.
Secure Code Review: An Evolving Regulatory Landscape
Adopting an aggressive approach to software assurance and application assessments is a good idea on its own. But government regulators, industry standards bodies and diligent buyers are eager to help nudge you towards making the right decision.
As the risks of insecure code grow more obvious, regulators are increasingly interested in software assurance practices. From the code review requirements in the PCI standards to the supply chain protection controls in the NIST Risk Management Framework (RMF), code review and secure SDLC controls now feature prominently in regulatory schemes.
Our software testing approach aligns to the major compliance standards, including PCI, ISO, the NIST RMF, NIST SP 800-171, the NIST Cybersecurity Framework, RMF for DSS, HIPAA, and FedRAMP. In addition to improving software quality and security, our approach generates the evidence necessary to satisfy regulators and validate security compliance.
Full SDLC Solutions
We help organizations of all sizes integrate software assurance approaches into every phase of the Software Development Lifecycle (SDLC). As an example, we help organizations integrate security into modern DevOps practices to realize Secure DevOps. For organizations with specific compliance requirements, we implement programs aligned to NIST SP 800-64 or the OWASP Software Assurance Maturity Model (SAMM).
Specializing in the Hard Stuff
Locking down critical infrastructure, embedded systems, Operational Technology (OT) and Industrial Control Systems (ICS) is a Lunarline specialty. We have expertise with many of the unique systems, languages and development techniques used throughout the critical infrastructure community. These include medical devices, Supervisory Control and Data Acquisition (SCADA) systems, and maritime, satellite, aerospace, weapons and telecommunications systems.