is agile security an oxymoron?

Is "Agile" bad for security?
Is "Waterfall" good for security? 
How do you incorporate threat modeling into Agile delivery paradigms without creating bottlenecks?

image credit: Henrik Kniberg "What is Scrum?"

the challenge


How do you ensure Security stays at the beginning of SecDevOps?

Developers

Developers aren't security experts

Security Experts

Security experts aren't developers 

Evading Requirements

Is Agile an excuse to avoid documenting requirements?

Bottlenecks

Security teams aren't geared for Agile and often become bottlenecks or impediments to progress

Insecure Design

All the static testing, dynamic testing, vulnerability scans, and pen tests in the world won't fix fundamentally insecure designs.

our solution


We equip & mentor your agile squads to create consistent threat models

Minimum Viable Flow Diagrams

Create consistent data flow diagrams based on the six most common usage patterns, or develop your own custom flow diagrams

Multi-Scenario Risk Profiler

For each pattern, develop a multi-dimensional risk profile to aid in assessing risk

Threat-Risk Modeler

Using our prebuilt but extensible library of threat types, threat actors, and threat actions, quickly develop detailed threat-risk analysis

Business Impact & Control Analyzer

Enable technical and business teams to collaborate on identifying appropriate, actionable control plans based on risk reduction and business impact

solution details


We provide expert consultative guidance backed up by
data flow templates and a robust threat-modeling tool

Our threat modeler starts by developing a multi-dimensional risk profile based on the six most common data flow patterns. For each pattern, the tool allows risk assessors to identify and analyze the threat types, threat actors, and threat actions. For each identified threat vector, the risk assessor can then apply organization-specific control plans to measure the risk reduction value of technical controls designed to mitigate the threats. The tool automatically generates inherent vs. residual risk heat maps to help visualize control plan effectiveness.
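The paragraph above describes inherent vs. residual risk being derived from threat vectors and control plans. The following is an added, illustrative scoring model written for this page; it is not the vendor's tool and does not reproduce its taxonomy. The 1-5 likelihood/impact scales, the multiplicative control-strength weighting, the heat map bands, and every sample threat, actor, and control name are constructed assumptions.

```python
"""Illustrative inherent-vs-residual risk scoring for a threat model.

Added example, not the vendor's tool: a hypothetical model that follows the
structure the page describes (threat vectors per data flow pattern,
organization-specific control plans, inherent vs residual risk heat map).
Scales, weights, and sample data are constructed for this example.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Tuple


@dataclass
class Control:
    name: str
    strength: float          # 0.0-1.0 fraction of the axis removed (assumed weighting)
    reduces: str = "likelihood"   # "likelihood" or "impact"


@dataclass
class ThreatVector:
    pattern: str             # data flow pattern the vector belongs to
    threat_type: str         # e.g. "tampering"
    actor: str               # e.g. "external attacker"
    action: str              # concrete threat action
    likelihood: int          # 1-5 ordinal scale (assumed)
    impact: int              # 1-5 ordinal scale (assumed)
    controls: List[Control] = field(default_factory=list)

    def inherent(self) -> int:
        """Risk before any control: likelihood x impact, range 1-25."""
        return self.likelihood * self.impact

    def residual(self) -> float:
        """Risk after controls. Controls on the same axis compound
        multiplicatively, so two 50% controls leave 25% of the axis."""
        lik, imp = float(self.likelihood), float(self.impact)
        for c in self.controls:
            if c.reduces == "likelihood":
                lik *= 1.0 - c.strength
            else:
                imp *= 1.0 - c.strength
        # Floor each axis at 1: no control makes a threat impossible.
        return max(lik, 1.0) * max(imp, 1.0)


def heat_cell(score: float) -> str:
    """Bucket a 1-25 score into heat map bands (thresholds assumed)."""
    if score >= 15:
        return "red"
    if score >= 8:
        return "amber"
    return "green"


def heat_map(vectors: List[ThreatVector]) -> Dict[str, Tuple[str, str, float]]:
    """Map each threat action to (inherent band, residual band, risk reduction)."""
    out = {}
    for v in vectors:
        inh, res = v.inherent(), v.residual()
        out[v.action] = (heat_cell(inh), heat_cell(res), round(inh - res, 2))
    return out


def control_gaps(vectors: List[ThreatVector]) -> List[str]:
    """Threat actions whose residual risk is still not green."""
    return [v.action for v in vectors if heat_cell(v.residual()) != "green"]


def sample_model() -> List[ThreatVector]:
    """Constructed sample threat vectors for one web data flow pattern."""
    web = "browser -> API -> database"
    return [
        ThreatVector(web, "tampering", "external attacker",
                     "SQL injection via search parameter", 4, 5,
                     [Control("parameterized queries", 0.9),
                      Control("WAF rule set", 0.5)]),
        ThreatVector(web, "spoofing", "external attacker",
                     "credential stuffing against login", 5, 3,
                     [Control("login rate limiting", 0.4)]),
        ThreatVector(web, "information disclosure", "malicious insider",
                     "unencrypted backup copied off-site", 2, 5),
    ]


if __name__ == "__main__":
    for action, (inh, res, delta) in heat_map(sample_model()).items():
        print(f"{action}: inherent={inh} residual={res} reduction={delta}")
    print("gaps:", control_gaps(sample_model()))
```

The floor on each axis is the edge case worth keeping: without it, stacking strong controls drives the score to zero and the heat map stops showing the threat at all, which hides the vector from the control review instead of showing it as accepted residual risk.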

solution value


Our inventive solution provides a highly cost-effective way
to ensure the "Sec" stays at the beginning of SecDevOps

Essential

“Essentials” gleaned from high performing cybersecurity programs

Expert

Content crafted by cybersecurity experts and professional educators 

Experienced

Accepted practices compiled from hundreds of engagements 

Expedited

Agility delivered in compressed time and at reduced expense 

Enhanced

Initial investment credited toward future enhancements 

solution pricing


Our low-risk pricing model allows you to credit initial investment
toward future enhancements when you need it

starter

$ 13,800  
  • Toolkit:
    • Diagram Templates
    • Risk Profiler
    • Threat Modeler
    • Heat Map Generator
    • BIA+Control Analyzer 
  • 2-day accelerator:
    • Workshop 1: Intro to threat types, threat actors, threat actions
    • Workshop 2: Advanced threat diagrams tutorial
    • Workshop 3: Multi-scenario risk profiling
    • Workshop 4: Threat-Risk analysis
    • Workshop 5: BIA + Control analysis
    • Workshop 6: Putting it all together: real life table top group exercise
  • Email support

tailored

$ 31,600  
  • Everything in starter solution, plus: 
  • Tailoring of:
    • Risk Dimensions
    • Risk Taxonomy (including definitions and labels for likelihood, impact, velocity, scope)
    • Business Impact parameters (including definitions and scales for difficulty, time, cost, and experience)
  • 2-week accelerator :
    • Week 1: starter workshops PLUS taxonomy and definition workshops
    • Week 2: tailoring of tools PLUS three real life table-top group exercises
  • 1 hr/month phone support

expert

$ 61,200  
  • Everything in tailored solution, plus:
  • Tailoring of:
    • Threat Actor Library
    • Threat Actions Library
    • Control Library
  • 6-week rapid rollout:
    • First 2 weeks: starter workshops and tailored workshops
    • Week 3: Workshops for discovering, defining, and tailoring threat actors and threat types definitions
    • Week 4: Workshops for discovering, defining, and loading controls into control library, including strength of control weightings
    • Weeks 5-6: Table top exercises and "ride-alongs" on up to 5 real world threats identified in your environment
  • Quarterly checkpoints:
    • lessons learned
    • updates to content
    • ongoing tailoring

embedded

$ 117,800  
  • Everything in expert solution, plus
  • Our embedded expert:
    • 4 sessions per week
    • 6 month term
    • Participate in weekly standups
    • Participate in solution architecture reviews
    • Develop threat models, including diagrams, tool-generated analysis, and narrative recommendations
    • Ongoing refinement of tailored definitions loaded into the tools
    • Ongoing mentoring of your staff
  • Monthly checkpoints:
    • lessons learned
    • updates to content
    • ongoing tailoring

get started


initiate in three simple steps:

1. agreements

You select solution
We prepare agreements:
  • NDA & SOW
  • Licensing & Support

You execute agreements

2. kickoff

We send survey
You complete survey
We send toolkit
We arrange support

3. initiate!

We schedule key events
We complete tailoring
We mentor your squads 
You Deliver Success!

schedule a demo