darlowie

cybersecurity and software development lifecycle consulting

methodology

Security Testing Process

Initial observations

The Software Development Lifecycle (SDL) blends tools with engineering expertise to deliver functional outcomes that drive business value. In practice, functionality often takes precedence over security—an understandable priority in commercial software development.

Recognizing early on that SDL-related security is often seen as a business expense, we focus on demonstrating its value through measurable outcomes and scalable support models. Here’s how we deliver that value:

  • Interactive Security Seminars: we offer a broad range of in-person and remote sessions designed to foster developer engagement. These seminars can bookend self-study efforts, and their outcomes can be tied to individual or team development KPIs, bridging knowledge with performance.
  • Security Uplift Programs: acting as supervisors rather than service providers, we guide the client's workforce through targeted uplift initiatives. This model significantly reduces consulting costs while leaving in-house teams with enduring security skills.
  • Flexible Engagement Models: our process respects the client's timeline and operational pressures. Engagements are tailored to minimize disruption, especially during critical delivery windows, so that security improvements fit into existing workflows.

Security and Functional Testing

As highlighted in the study Hackers vs Testers: A Comparison of Software Vulnerability Discovery Processes, there is a distinct difference between functional and security testing approaches. Functional testers—and often developers—may lack the specialized training and mindset required to identify security vulnerabilities. Understanding the development team’s capabilities in security testing is therefore an essential step in strengthening the software’s resilience.

To support this, we host interactive seminars for developers and testers focused on security testing practices. These sessions are typically held remotely over two hours and follow a structured agenda. Insights from the discussion directly inform our SDL uplift recommendations.

Depending on team objectives, the seminar can also serve as a targeted training opportunity, expanded with customized content and a longer duration to foster engagement and learning.


Threat Modeling Process

Threat Modeling (TM) is a critical yet often underutilized component of secure software development. While formal methodologies like STRIDE offer structured approaches, they also demand significant time and resources to maintain—especially in Agile environments where frequent design iterations can quickly render TM models outdated. A common anti-pattern is the creation of a TM model at project inception, followed by minimal updates or retrospective revisions once development is complete.

To evaluate the development team’s familiarity with TM practices, we’ve adopted the self-assessment framework outlined in Investigating Threat Modeling Practices. This tool not only helps gauge TM awareness but can also be repurposed into interactive training sessions or seminars tailored to team needs.

Insights gained through the TM discovery process feed directly into targeted uplift recommendations, helping to embed sustainable threat modeling habits across the software lifecycle.
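
Added example (not the firm's own tooling and not the self-assessment framework cited above): a minimal "threat model as code" in Python that regenerates STRIDE threats from a data-flow description on every run, so the model is rebuilt with each design change instead of being drawn once at project inception. The element-to-STRIDE mapping, the trust zones and the browser/API/database system are assumptions made for illustration.

```python
"""Added example: a minimal "threat model as code". The STRIDE list is derived
from a data-flow description each time the script runs, so the model changes
with the design instead of going stale. System, zones and the element-to-STRIDE
mapping are constructed for illustration."""
from dataclasses import dataclass, field

# Simplified mapping of STRIDE categories to element kinds (an assumption for
# this example; real methodologies refine it per element type).
STRIDE_BY_ELEMENT = {
    "process":   ["Spoofing", "Tampering", "Repudiation", "Information disclosure",
                  "Denial of service", "Elevation of privilege"],
    "datastore": ["Tampering", "Repudiation", "Information disclosure", "Denial of service"],
    "external":  ["Spoofing", "Repudiation"],
}

@dataclass(frozen=True)
class Element:
    name: str
    kind: str          # process | datastore | external
    zone: str          # trust zone the element lives in

@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    data: str
    encrypted: bool = False
    authenticated: bool = False

@dataclass
class Model:
    elements: dict = field(default_factory=dict)
    flows: list = field(default_factory=list)

    def add(self, *els):
        for e in els:
            self.elements[e.name] = e
        return self

    def flow(self, *flows):
        self.flows.extend(flows)
        return self

def crosses_boundary(model, flow):
    return model.elements[flow.src].zone != model.elements[flow.dst].zone

def enumerate_threats(model):
    """Return (subject, category, note) triples. Element threats come from the
    STRIDE mapping; flow threats are raised only where a flow crosses a trust
    boundary without the matching control, which keeps the list actionable."""
    threats = []
    for e in model.elements.values():
        for cat in STRIDE_BY_ELEMENT[e.kind]:
            threats.append((e.name, cat, f"{e.kind} in zone '{e.zone}'"))
    for f in model.flows:
        if not crosses_boundary(model, f):
            continue
        label = f"{f.src}->{f.dst} ({f.data})"
        if not f.encrypted:
            threats.append((label, "Information disclosure", "crosses trust boundary unencrypted"))
            threats.append((label, "Tampering", "crosses trust boundary without integrity protection"))
        if not f.authenticated:
            threats.append((label, "Spoofing", "crosses trust boundary unauthenticated"))
    return threats

def build_example_model():
    # Constructed sample: browser -> API -> database, with one unencrypted
    # internal hop that the generated threat list should surface.
    return (Model()
        .add(Element("Browser", "external", "internet"),
             Element("API", "process", "dmz"),
             Element("OrdersDB", "datastore", "internal"))
        .flow(Flow("Browser", "API", "login form", encrypted=True, authenticated=False),
              Flow("API", "OrdersDB", "order rows", encrypted=False, authenticated=True)))

if __name__ == "__main__":
    for subject, cat, note in enumerate_threats(build_example_model()):
        print(f"{cat:22} {subject:32} {note}")
```

Because the model is an ordinary source file it can live next to the design it describes and be reviewed in the same pull request; a diff in the generated threat list is the cue to revisit mitigations, which is the habit the anti-pattern above lacks.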


Our Use of Large Language Models (LLM)

Our expertise in Large Language Model (LLM)-driven document analysis—enhanced by custom contextual frameworks—enables us to perform sophisticated security and velocity assessments with high cost-efficiency. These assessments include:

  • Security Issue Attribution
  • Relative Risk and Development Velocity Analysis of Competing Software Projects

We combine structured data analysis, using SQL and comparable query languages such as Jira's JQL and KQL, with LLM-powered processing of unstructured text across diverse formats such as technical documentation, project artifacts, and communication records.

To ensure full confidentiality and prevent data leakage, we can deploy LLM instances directly within the client’s enterprise environment—delivering deep insight without compromising data security.

More information can be found in relevant sections below.


Security Issue Attribution

The following are the core objectives of this assessment:

  • Identify whether each issue is security-related, leveraging Large Language Model (LLM) capabilities to extract and interpret nuanced context from textual records.
  • Conduct root cause analysis to uncover underlying factors contributing to each issue.
  • Aggregate data and perform trend analysis across issues to reveal recurring patterns and systemic risks.
  • Provide actionable recommendations to enhance security posture and development practices.

This assessment requires broad access to relevant documentation and archives. It can be carried out by client personnel under our guidance.

This part of the methodology maps to the following frameworks:

  • NIST SP 800-218 SSDF v1.1 Section RV.3

Relative Risk and Development Velocity of Competing Software Projects

This assessment is designed to capture key Secure Development Lifecycle (SDL) metrics that support informed business decision-making.

To objectively measure development velocity, we reference the industry benchmarks published in the DORA 2024 report, whose four key metrics are deployment frequency, lead time for changes, change failure rate and failed deployment recovery time. In addition, we apply a broader set of Key Performance Indicators (KPIs) recognized by leading Agile practitioners, including:

  • Code Quality
  • Defect Density
  • Lead Time
  • Sprint Velocity
  • Customer Satisfaction
  • Deployment Frequency
  • Test Coverage
  • Change Failure Rate
  • Retrospective Action Completion
  • Technical Debt

The assessment requires access to SDL-related documentation and CI/CD pipeline logs to ensure accurate analysis. We also leverage Large Language Models (LLMs) to process unstructured content and extract meaningful insights from free-format documents.

Security Issue Process Improvement

Security-related issues should be managed distinctly from functional bugs to ensure proper prioritization and visibility. Enhancing issue forms with specialized tags and metadata enables more accurate filtering and analysis across bug-tracking platforms such as Jira—using tools like custom JQL queries and dedicated dashboards.

The practice of attributing security issues separately offers multiple advantages:

  • Enables objective evaluation of Secure Development Lifecycle (SDL) maturity
  • Highlights vulnerable code areas and at-risk projects for targeted remediation
  • Facilitates clear, constructive feedback loops between security and development teams

We bring extensive experience in mining large-scale bug databases, uncovering patterns in security gaps, and delivering actionable feedback to development organizations to drive continuous improvement.
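
Added example (not the firm's code and not real tracker data) serving both the Security Issue Attribution objectives above and the bug-database mining described here: the structured half of an attribution run in Python over a Jira-style export. The LLM step that reads free text is stood in for by a keyword classifier and a root-cause keyword table so the pipeline runs offline; the issue records, regular expressions and root-cause names are constructed for illustration.

```python
"""Added example: security-issue attribution over a bug-tracker export.
The LLM step from the text is replaced by a keyword classifier so this runs
offline; the issues, patterns and root-cause labels are constructed."""
from collections import Counter
from datetime import date
import re

# Constructed sample resembling a Jira export: key, component, created date,
# labels, summary and the resolution note a developer wrote when closing it.
ISSUES = [
    {"key": "APP-101", "component": "auth", "created": date(2024, 1, 9),
     "labels": ["security"], "summary": "Session token accepted after logout",
     "resolution": "Missing server-side invalidation of session on logout"},
    {"key": "APP-117", "component": "billing", "created": date(2024, 2, 3),
     "labels": [], "summary": "Invoice total rounds incorrectly for EUR",
     "resolution": "Fixed float rounding"},
    {"key": "APP-140", "component": "api", "created": date(2024, 2, 20),
     "labels": [], "summary": "SQL error in search when name contains quote",
     "resolution": "Input concatenated into query; switched to parameterised query"},
    {"key": "APP-163", "component": "auth", "created": date(2024, 4, 2),
     "labels": [], "summary": "Password reset link works for a different user",
     "resolution": "Reset token not bound to user id, missing authorization check"},
    {"key": "APP-188", "component": "api", "created": date(2024, 5, 14),
     "labels": ["security"], "summary": "Stack trace returned to client on 500",
     "resolution": "Debug error handler enabled in production config"},
    {"key": "APP-201", "component": "ui", "created": date(2024, 6, 1),
     "labels": [], "summary": "Button misaligned on Safari",
     "resolution": "CSS fix"},
]

# Root-cause buckets keyed by phrases in the resolution note. In a real run the
# LLM produces these labels; this table is a constructed stand-in. Order matters:
# the first matching bucket wins.
ROOT_CAUSES = {
    "missing authz":    r"\b(authorization|authorisation|not bound to user)\b",
    "session handling": r"\bsession\b",
    "injection":        r"\b(concatenated into query|parameteri[sz]ed query|injection)\b",
    "insecure config":  r"\b(production config|debug .* enabled)\b",
}

SECURITY_SIGNALS = r"\b(token|password|session|authorization|authorisation|sql error|stack trace|injection|xss|csrf)\b"

def classify_security(issue):
    """True if the tracker already labelled it, or the text carries a security signal."""
    if "security" in issue["labels"]:
        return True
    text = f"{issue['summary']} {issue['resolution']}".lower()
    return re.search(SECURITY_SIGNALS, text) is not None

def root_cause(issue):
    text = issue["resolution"].lower()
    for name, pattern in ROOT_CAUSES.items():
        if re.search(pattern, text):
            return name
    return "unclassified"

def quarter(d):
    return f"{d.year}Q{(d.month - 1) // 3 + 1}"

def attribute(issues):
    """Per-issue attribution plus the aggregates a report shows: security issues
    per component, per root cause and per quarter, and how many security issues
    the tracker had never labelled as such (the gap the tagging practice closes)."""
    rows = []
    by_component, by_cause, by_quarter = Counter(), Counter(), Counter()
    unlabelled = 0
    for i in issues:
        if not classify_security(i):
            continue
        cause = root_cause(i)
        q = quarter(i["created"])
        rows.append({"key": i["key"], "component": i["component"],
                     "root_cause": cause, "quarter": q})
        by_component[i["component"]] += 1
        by_cause[cause] += 1
        by_quarter[q] += 1
        if "security" not in i["labels"]:
            unlabelled += 1
    return {"rows": rows, "by_component": by_component, "by_cause": by_cause,
            "by_quarter": by_quarter, "unlabelled": unlabelled}

if __name__ == "__main__":
    report = attribute(ISSUES)
    print(f"{len(report['rows'])} security issues, {report['unlabelled']} not labelled as such")
    for name in ("by_component", "by_cause", "by_quarter"):
        print(name, dict(report[name]))
```

The `unlabelled` figure is the one that motivates separate tagging: issues the tracker never flagged as security work are invisible to a `labels = security` JQL filter or dashboard until attribution adds the label, and the per-component and per-cause counts are what point remediation at the right code areas.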


Security Playbooks in SDL

Security playbooks are a staple of Incident Response (IR), serving as essential tools for cybersecurity teams. Yet within the Secure Development Lifecycle (SDL), their value is often not recognized. We specialize in crafting custom SDL-focused playbooks that address unique development-phase threats. These tailored guides provide actionable steps for assessment, mitigation, and resolution.

Examples of SDL-specific threat scenarios include:

Malicious Developer Behavior: although rare, insider threats from trusted developers can have severe business impact. A dedicated playbook lays out a clear sequence for investigation, containment, and remediation.

Third-Party Component Takeover: a compromised open-source dependency or vendor component can introduce persistent vulnerabilities. SDL playbooks help detect and respond to such compromises before they spread across the codebase.

Data Leakage during Development: sensitive assets such as keys, credentials, or personally identifiable information (PII) can be exposed through insecure practices, for example committed to source control or shared in test data. Our playbooks define how to identify the exposed material, contain it, and rotate or re-secure it efficiently.

Application-Level Denial of Service (DoS): whether caused by flawed design, misconfiguration, or targeted attacks during development stages, DoS risks can be managed through structured response procedures integrated into the SDL.

By embedding these playbooks into your SDL processes, you empower development teams to respond swiftly and consistently to emerging risks—bridging the gap between engineering and security.


Application Logging and Monitoring

Traditionally, logging and monitoring responsibilities have been delegated to operations teams. This separation can lead to coverage gaps and misinterpretations—especially when application logs aren’t adequately parsed or aligned with security needs.

Modern solutions now incorporate advanced features such as user behavior analytics and data loss prevention, significantly increasing the complexity of Extended Detection and Response (XDR) and Security Operations Center (SOC) workflows. Seamless integration of application logs with these systems is key to unlocking near real-time detection and response capabilities.

We bring extensive experience in testing and auditing application logging and monitoring frameworks. Whether as part of a broader Secure Development Lifecycle (SDL) uplift or a targeted assessment, we help ensure your logging architecture delivers clarity, coverage, and security at scale.
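
Added example (not the firm's code) of what "application logs aligned with security needs" means in practice: a Python sketch of a fixed-schema JSON security event the application emits, and the detection a SOC pipeline can run once the fields are reliable. The event names, thresholds, window length and the sample lines (including the legacy free-text line that cannot be parsed) are constructed assumptions.

```python
"""Added example: a structured security-event format an application can emit,
and the detection a SOC pipeline would run over it. Events, thresholds and the
free-text legacy line are constructed for illustration."""
import json
from collections import defaultdict
from datetime import datetime, timedelta, timezone

FAIL_THRESHOLD = 5      # failed logins from one source IP ...
WINDOW_SECONDS = 60     # ... within this window (assumed values)
SPRAY_USERS = 3         # distinct accounts tried from one source IP

def security_event(event, outcome, user, src_ip, request_id, ts=None, **extra):
    """Emit one log line. Fixed field names mean the SIEM parses the line once
    instead of guessing from free text; `extra` carries event-specific detail
    without changing the core schema."""
    rec = {"ts": (ts or datetime.now(timezone.utc)).isoformat(),
           "event": event, "outcome": outcome, "user": user,
           "src_ip": src_ip, "request_id": request_id}
    rec.update(extra)
    return json.dumps(rec, sort_keys=True)

def parse(line):
    try:
        rec = json.loads(line)
        rec["ts"] = datetime.fromisoformat(rec["ts"])
        return rec
    except (ValueError, KeyError, TypeError):
        return None   # free-text or malformed line: counted, not silently dropped

def detect(lines):
    """Return (alerts, unparsed). Alerts are brute force (many failures against
    one IP's targets) or password spraying (few failures each across many users)."""
    fails = defaultdict(list)          # src_ip -> [(ts, user)] inside the window
    alerts, unparsed = [], 0
    for line in lines:
        rec = parse(line)
        if rec is None:
            unparsed += 1
            continue
        if rec["event"] != "auth.login" or rec["outcome"] != "failure":
            continue
        ip = rec["src_ip"]
        fails[ip].append((rec["ts"], rec["user"]))
        fails[ip] = [(t, u) for t, u in fails[ip]
                     if (rec["ts"] - t).total_seconds() <= WINDOW_SECONDS]
        users = {u for _, u in fails[ip]}
        if len(fails[ip]) >= FAIL_THRESHOLD:
            alerts.append(("brute_force", ip, len(fails[ip])))
            fails[ip] = []
        elif len(users) >= SPRAY_USERS:
            alerts.append(("password_spray", ip, len(users)))
            fails[ip] = []
    return alerts, unparsed

def sample_lines():
    """Constructed sample: one IP hammering one account, one IP spraying three
    accounts, a success, and a legacy free-text line the parser rejects."""
    base = datetime(2024, 6, 1, 12, 0, 0, tzinfo=timezone.utc)
    lines = [security_event("auth.login", "failure", "alice", "203.0.113.7", f"r{i}",
                            ts=base + timedelta(seconds=5 * i)) for i in range(5)]
    lines += [security_event("auth.login", "failure", u, "198.51.100.9", f"s{i}",
                             ts=base + timedelta(seconds=10 * i))
              for i, u in enumerate(["bob", "carol", "dave"])]
    lines.append(security_event("auth.login", "success", "alice", "203.0.113.7", "r9",
                                ts=base + timedelta(seconds=40)))
    lines.append("Jun  1 12:00:41 app[123]: login failed for user erin from 192.0.2.5")
    return lines

if __name__ == "__main__":
    alerts, unparsed = detect(sample_lines())
    print(alerts, f"{unparsed} line(s) not parseable")
```

The unparsed count is the coverage gap the paragraph describes: the legacy line carries the same fact as the JSON events, but no SOC rule can use it, so the failure from 192.0.2.5 never contributes to an alert.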


Risk Register and Technical Debt

A Risk Register captures potential threats that may impact a project’s success. While technical debt is broadly considered a risk, individual items within it can compound or intensify existing entries in the Risk Register. Recognizing and mapping these correlations is vital—and should be directly factored into the scheduling process.

In Agile environments, we’ve helped organizations enhance their scheduling strategies by integrating insights from beyond the traditional secure development lifecycle (SDL). This broader decision-making approach improves visibility, prioritization, and long-term resilience.


Access Control for Developers

Access management is a critical component of software security, yet several recurring anti-patterns expose organizations to unnecessary risk. One such issue is “developer access creep”—the gradual accumulation of privileges over time. Without regular User Access Reviews, this can lead to excessive and unchecked access across environments.

Another vulnerability lies in incomplete offboarding procedures. Developers often participate in multiple projects and accumulate disparate credentials. If not properly revoked upon departure, these credentials can remain active, posing a threat to organizational assets.

Third-party contractors with source code access also introduce potential security concerns. Effective oversight of external personnel and structured access controls are essential to reduce exposure.

With our robust expertise in access control audits and procedural design, we help organizations identify gaps and implement resilient, automated access management frameworks.
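
Added example (not the firm's audit tooling): a Python User Access Review that joins an HR roster with entitlement exports from several systems and flags the three anti-patterns described above, privilege creep beyond a team baseline, credentials that survived offboarding, and contractor access past the contract end date. The roster, entitlements, baseline sets and review date are constructed for illustration.

```python
"""Added example: a User Access Review joining an HR roster against entitlement
exports. All data below is constructed; the review date is an assumption."""
from datetime import date

TODAY = date(2024, 7, 1)   # assumed review date

# Constructed HR roster: who should have anything at all, and on what basis
ROSTER = {
    "alice": {"status": "active", "team": "payments", "type": "employee"},
    "bob":   {"status": "left",   "team": "payments", "type": "employee"},
    "carol": {"status": "active", "team": "platform", "type": "employee"},
    "dan":   {"status": "active", "team": "payments", "type": "contractor",
              "contract_end": date(2024, 5, 31)},
}

# Constructed entitlement exports: (system, principal, privilege)
ENTITLEMENTS = [
    ("github", "alice", "write:payments-api"),
    ("github", "alice", "admin:org"),              # not in the payments baseline
    ("aws",    "alice", "role:payments-deploy"),
    ("aws",    "alice", "role:prod-admin"),        # not in the payments baseline
    ("github", "bob",   "write:payments-api"),     # bob has left
    ("ci",     "bob",   "token:deploy"),           # bob has left
    ("github", "carol", "admin:org"),
    ("aws",    "carol", "role:prod-admin"),
    ("github", "dan",   "write:payments-api"),     # contract expired
]

# Assumed per-team baseline: the set a member of that team is expected to hold
BASELINE = {
    "payments": {("github", "write:payments-api"), ("aws", "role:payments-deploy")},
    "platform": {("github", "admin:org"), ("aws", "role:prod-admin")},
}

def review(roster, entitlements, baseline, today=TODAY):
    """Return findings as (kind, principal, system, privilege). Each entitlement
    is checked in order of severity: unknown or departed principals first, then
    expired contractors, then anything outside the team baseline."""
    findings = []
    for system, who, priv in entitlements:
        person = roster.get(who)
        if person is None or person["status"] != "active":
            findings.append(("orphaned", who, system, priv))
            continue
        end = person.get("contract_end")
        if person["type"] == "contractor" and end is not None and end < today:
            findings.append(("contract_expired", who, system, priv))
            continue
        if (system, priv) not in baseline.get(person["team"], set()):
            findings.append(("beyond_baseline", who, system, priv))
    return findings

def summary(findings):
    """Counts per finding kind, the figure a review dashboard tracks over time."""
    out = {}
    for kind, *_ in findings:
        out[kind] = out.get(kind, 0) + 1
    return out

if __name__ == "__main__":
    f = review(ROSTER, ENTITLEMENTS, BASELINE)
    for row in f:
        print("%-18s %-6s %-7s %s" % row)
    print(summary(f))
```

Run on a schedule, the `orphaned` and `contract_expired` findings can be revoked automatically; `beyond_baseline` findings need an owner's decision, which is where a periodic User Access Review earns its place.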

This part of the methodology maps to the following frameworks:

  • NIST SP 800-218 SSDF v1.1 Section PO.2

SDL-related Asset Discovery

Many organizations we’ve supported have encountered the challenge of “gray assets”—residual cloud resources that persist unintentionally due to flaws in automation and deployment practices. Although Infrastructure as Code (IaC) offers powerful automation capabilities, bugs in IaC scripts can cause assets to remain even after the infrastructure is decommissioned.

Another common anti-pattern is experimentation outside of the official CI/CD pipeline, which can also contribute to the proliferation of undocumented or unmanaged assets.

We bring deep expertise in reviewing IaC code to identify and remediate such issues. Additionally, we offer asset discovery services to help organizations uncover and manage stray resources, reducing operational and security risks.
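
Added example (not the firm's discovery service): reconciling an IaC state against a cloud inventory in Python to surface the gray assets described above. Both inputs are constructed dictionaries; a real run would feed it the resource IDs from the IaC state (for Terraform, the output of `terraform state pull`) and the provider's inventory API, neither of which this example calls.

```python
"""Added example: reconciling IaC state against a cloud inventory to find
gray assets. Both inputs are constructed; a real run reads them from the IaC
state backend and the cloud provider's inventory API."""
from datetime import date

# Constructed: resource IDs the IaC state claims to manage, per stack
IAC_STATE = {
    "stack-shop":    {"i-0a1", "sg-0a1", "bucket-shop-assets"},
    "stack-reports": {"i-0r1", "rds-0r1"},
}

# Constructed: what the cloud account actually contains
INVENTORY = [
    {"id": "i-0a1",              "type": "instance", "tags": {"stack": "stack-shop"},    "created": date(2024, 1, 5)},
    {"id": "sg-0a1",             "type": "sg",       "tags": {"stack": "stack-shop"},    "created": date(2024, 1, 5)},
    {"id": "bucket-shop-assets", "type": "bucket",   "tags": {"stack": "stack-shop"},    "created": date(2024, 1, 5)},
    {"id": "bucket-shop-logs",   "type": "bucket",   "tags": {"stack": "stack-shop"},    "created": date(2024, 1, 5)},   # left behind by an incomplete destroy, no longer in state
    {"id": "i-0r1",              "type": "instance", "tags": {"stack": "stack-reports"}, "created": date(2024, 3, 2)},
    {"id": "sg-0old",            "type": "sg",       "tags": {"stack": "stack-legacy"},  "created": date(2022, 9, 9)},   # stack no longer exists in code
    {"id": "i-0xp",              "type": "instance", "tags": {},                         "created": date(2024, 6, 20)},  # console experiment, no tags
]

def reconcile(iac_state, inventory):
    """Classify every inventory resource the state does not manage, and list
    the reverse gap (state entries with no live resource)."""
    managed = {rid for ids in iac_state.values() for rid in ids}
    seen = {r["id"] for r in inventory}
    report = {"residual": [], "orphaned_stack": [], "untracked": [], "missing": []}
    for r in inventory:
        if r["id"] in managed:
            continue
        stack = r["tags"].get("stack")
        if stack is None:
            report["untracked"].append(r["id"])       # created outside any pipeline
        elif stack in iac_state:
            report["residual"].append(r["id"])        # stack exists, resource escaped its state
        else:
            report["orphaned_stack"].append(r["id"])  # stack was removed, resource survived
    # manual deletion or a failed apply: state claims something that is gone
    report["missing"] = sorted(managed - seen)
    return report

def oldest_unmanaged(inventory, report):
    """Age helps prioritise: a years-old orphan has had the longest exposure."""
    unmanaged = set(report["residual"] + report["orphaned_stack"] + report["untracked"])
    candidates = [r for r in inventory if r["id"] in unmanaged]
    return min(candidates, key=lambda r: r["created"])["id"] if candidates else None

if __name__ == "__main__":
    rep = reconcile(IAC_STATE, INVENTORY)
    for kind, ids in rep.items():
        print(f"{kind:15} {ids}")
    print("oldest unmanaged:", oldest_unmanaged(INVENTORY, rep))
```

The three unmanaged buckets map onto the two anti-patterns in the text: `residual` and `orphaned_stack` are the IaC bugs (resources that outlived their stack), while `untracked` is experimentation outside the pipeline. Tagging every resource with its stack at creation time is what makes the distinction possible.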


Third-party Component Management

Developers rely on a wide array of third-party components to accelerate software delivery. To safeguard quality and security, organizations must implement an automated onboarding process that ensures each component meets established standards. This includes integrating Software Composition Analysis (SCA) tools and automated quality checks into the onboarding workflow.

Once approved, components should be continuously monitored for known vulnerabilities and updates. Any components that are abandoned or no longer maintained should be proactively replaced to minimize security risks.

We bring extensive experience in evaluating the integrity of third-party software and can help you design and implement streamlined, automated procedures to manage these dependencies effectively.
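
Added example (not the firm's procedure): the policy check an automated onboarding step could run per dependency, in Python, on the data an SCA tool or package registry supplies (license, last release date, advisories, deprecation). The component records, advisory identifiers, license allow-list and the 18-month maintenance threshold are constructed assumptions.

```python
"""Added example: a per-dependency onboarding policy check on SCA/registry
metadata. Component records, advisory IDs, the allow-list and the maintenance
threshold are constructed for illustration."""
from datetime import date

TODAY = date(2024, 7, 1)
MAX_RELEASE_AGE_DAYS = 548           # about 18 months without a release: treat as unmaintained (assumed)
ALLOWED_LICENSES = {"MIT", "Apache-2.0", "BSD-3-Clause", "ISC"}
BLOCKING_SEVERITIES = {"critical", "high"}

# Constructed sample of what an SCA report or registry metadata would provide
COMPONENTS = [
    {"name": "jsonparse-x", "version": "1.2.3", "license": "Apache-2.0",
     "last_release": date(2024, 5, 1), "deprecated": False,
     "advisories": [{"id": "ADV-EX-1", "severity": "critical", "fixed_in": "1.2.4"}]},
    {"name": "left-padder", "version": "0.9.0", "license": "MIT",
     "last_release": date(2021, 2, 1), "deprecated": False, "advisories": []},
    {"name": "gpl-tool", "version": "3.1.0", "license": "GPL-3.0-only",
     "last_release": date(2024, 6, 1), "deprecated": False, "advisories": []},
    {"name": "oldhttp", "version": "2.0.0", "license": "MIT",
     "last_release": date(2024, 4, 1), "deprecated": True, "advisories": []},
    {"name": "goodlib", "version": "4.2.0", "license": "BSD-3-Clause",
     "last_release": date(2024, 6, 15), "deprecated": False,
     "advisories": [{"id": "ADV-EX-2", "severity": "low", "fixed_in": None}]},
]

def evaluate(c, today=TODAY):
    """Return ("block" | "warn" | "allow", [reasons]). Blocking reasons stop
    onboarding; warnings are recorded so the component is revisited at the next
    review of the approved list."""
    block, warn = [], []
    if c["license"] not in ALLOWED_LICENSES:
        block.append(f"license {c['license']} not on allow-list")
    if c["deprecated"]:
        block.append("marked deprecated upstream")
    if (today - c["last_release"]).days > MAX_RELEASE_AGE_DAYS:
        block.append("no release in over 18 months")
    for adv in c["advisories"]:
        msg = f"{adv['id']} ({adv['severity']})"
        if adv["fixed_in"]:
            msg += f", fixed in {adv['fixed_in']}"
        (block if adv["severity"] in BLOCKING_SEVERITIES else warn).append(msg)
    if block:
        return "block", block
    return ("warn", warn) if warn else ("allow", [])

def onboarding_report(components, today=TODAY):
    """Decision per component, as a CI step would emit it."""
    return {c["name"]: evaluate(c, today) for c in components}

if __name__ == "__main__":
    for name, (decision, reasons) in onboarding_report(COMPONENTS).items():
        print(f"{decision:5} {name:12} {'; '.join(reasons)}")
```

The same function serves the continuous-monitoring step described above: re-running `evaluate` over the already approved list with the current date and fresh advisory data is what turns a component that was fine at onboarding into a "block" once it stops being maintained or gains a high-severity advisory.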


Feedback on Issues

Key indicators of a mature and secure development lifecycle (SDL) include a well-structured feedback mechanism and organizational transparency.
The following questions reveal the strength of the organization's commitment to software quality and security:

  • How is feedback to the development team organized?
  • Who is authorized to raise security concerns?
  • Does the team have a process for reviewing and commenting on design changes?

An open and inclusive feedback channel reflects a healthy SDL culture that encourages collaboration and continuous improvement. With our expertise, we help organizations enhance these processes to elevate both security and overall software quality.


CI/CD Tooling

We are strong proponents of automated testing. The CI/CD pipeline is the place to establish quality gates early, before code reaches shared branches or production.
The following categories of tools directly affect the quality and security of applications:

  • SAST – Static Application Security Testing
  • DAST – Dynamic Application Security Testing
  • SCA – Software Composition Analysis

We supervise the SDL process improvement to ensure these tools are used effectively, as enforced pipeline gates with triaged findings rather than as advisory reports nobody reads.


Authentication and Authorization Guidelines for SDL

To strengthen the organization’s security posture, it is essential to establish clear and comprehensive guidelines for developers on implementing authentication and authorization mechanisms within applications. A significant proportion of security vulnerabilities stem from poorly executed user management practices. Furthermore, third-party B2B interfaces created by developers introduce an additional attack vector that may lack sufficient protective measures.

We can review developer standards and guidelines and suggest improvements.


OSINT in SDL

Default deployment paths can inadvertently expose an organization to Open Source Intelligence (OSINT) collection. This risk has long existed in on-premises environments and persists in cloud deployments through discoverable application endpoints, unsecured storage buckets, and publicly enumerable Office 365 user listings.

Leveraging our extensive OSINT expertise, we can assess your exposure and deliver tailored recommendations to mitigate these risks.

Additionally, developers’ online activity—including social media profiles and public technical discussions—may unintentionally disclose sensitive technology information. We offer OSINT analysis to evaluate the impact of such digital footprints and strengthen your organization’s information security posture.