Secure SDLC
5 automated security scanners
Threat Modeling Integration
Purpose: The Threat Modeling Integration scanner looks for evidence that design-phase security work (threat modeling and documented security requirements) is in place, using what the organization publishes: security documentation, public policy pages, trust center content and compliance certifications. Its only inputs are a domain and a company name, so it infers posture from public statements rather than from internal design documents; its value is in surfacing gaps before an external party finds them.
What It Detects:
- Security Policy Indicators: Whether a security policy is published, giving a stated framework for handling security incidents and protecting sensitive information.
- Maturity Indicators: Whether compliance certifications such as SOC 2 and ISO 27001 are claimed, as evidence of a managed approach to cybersecurity risk.
- Company Security Documentation Review: Whether the published security documentation is complete and consistent with the public policy pages, so that a statement made in one place is not contradicted elsewhere.
Inputs Required:
- domain (string): Primary domain to analyze (e.g., acme.com); the scanner reads the public pages of the site for the indicators above.
- company_name (string): Company name used when searching for security statements that refer to the organization (e.g., “Acme Corporation”).
Business Impact: Surfacing missing or inconsistent security statements early, during design rather than after deployment, lets the organization close gaps before they turn up as findings in a customer review or during an incident.
Risk Levels:
- Critical: No security policy or compliance certification is documented at all, so the organization cannot show how incidents or sensitive data are handled.
- High: Important areas such as incident response, data protection or access control are undocumented or described inconsistently across the organization’s public channels.
- Medium: Security requirements are only partially covered, or the documentation is outdated and may no longer reflect current practice.
- Low: Minor deviations from recommended practice that do not materially affect posture but should be fixed as part of continuous improvement.
- Info: Observations about the current security stance that pose no immediate risk but are useful when planning improvements.
Example Findings:
- No security policy is published alongside the privacy policy, so there is no stated framework for handling an incident involving customer data; this would be rated High.
- The only statement about penetration testing is dated to a previous year, so the claim may be stale; the finding points to the need for more frequent, and more recently documented, testing.
Developer Security Training
Purpose: The Developer Security Training scanner looks for evidence of developer security awareness and secure coding practice in the organization’s published security documentation and policies. It helps identify gaps in training programs that could lead to vulnerabilities in the software development process. It reads published material only: it does not test developers or inspect internal training records, so a missing statement is a gap in evidence, not proof that no training exists.
What It Detects:
- Security Policy Indicators: Identifies the presence or absence of key security policies such as “security policy,” “incident response,” “data protection,” and “access control.”
- Maturity Indicators: Checks for compliance certifications and maturity models like SOC 2, ISO 27001, penetration testing, and vulnerability scanning.
- Documentation Accessibility: Assesses whether company security documentation is published and reachable on the company’s website.
- Public Policy Pages: Scrapes public policy pages to ensure that critical security information is publicly available and up-to-date.
- Trust Center Information: Reviews trust center information for transparency regarding security practices, incident response procedures, and data protection measures.
Inputs Required:
- domain (string): Primary domain to analyze (e.g., acme.com)
- company_name (string): Company name for statement searching (e.g., “Acme Corporation”)
Business Impact: This scanner is crucial as it helps organizations ensure that their developers are well-equipped with the necessary security knowledge and practices, which directly impacts the overall security posture of software products and data protection.
Risk Levels:
- Critical: Findings that indicate severe vulnerabilities or significant gaps in security policies and procedures that could lead to critical incidents.
- High: Findings that suggest high risks such as missing essential security features or practices that are crucial for secure development environments.
- Medium: Findings that point to medium risks, where improvements can be made but the impact on security is less severe than with critical and high findings.
- Low: Minor issues that do not significantly affect overall security posture but point to gaps in documentation or training.
- Info: General informational findings that provide insights into current practices without posing immediate risks.
Example Findings:
- A company lacks a comprehensive “security policy” document, which could lead to inconsistencies and vulnerabilities in software development processes.
- The organization’s public trust center pages carry outdated information about its security practices, which undermines transparency and may no longer reflect current incident response procedures.
Secure Code Review Practices
Purpose: The Secure Code Review Practices scanner evaluates an organization’s published code review guidance for security coverage, so that critical security aspects are not skipped during review and vulnerabilities are caught early in the software development lifecycle (SDLC).
What It Detects:
- Policy indicators: mentions of a “security policy” (a formalized approach to security), an “incident response” plan, “data protection” measures and “access control” mechanisms.
- Maturity indicators: references to SOC 2 compliance, ISO 27001 certification, “penetration test” activity and “vulnerability scan” or “vulnerability assessment” practices.
- Code review documentation: whether the published review guidelines treat security as a primary focus, name specific security controls, cover both functional and non-functional requirements for their security implications, and explicitly reference security best practices.
- Vulnerability coverage: whether common vulnerability classes (e.g., SQL injection, XSS) are called out as things reviewers must look for.
- Policy and standards references: whether the review documentation cites the organization’s security policies, relevant industry standards and compliance requirements.
- Training references: whether the review guidelines point developers to security training, as evidence that reviewers are expected to have the necessary awareness.
Inputs Required:
- domain (string): Primary domain to analyze (e.g., acme.com)
- company_name (string): Company name for statement searching (e.g., “Acme Corporation”)
Business Impact: This scanner is crucial as it ensures that the security aspects of code reviews are not overlooked, thereby contributing significantly to the overall security posture of an organization by proactively identifying and addressing potential vulnerabilities.
Risk Levels:
- Critical: The presence of critical findings could lead to severe security breaches if left unaddressed, potentially compromising sensitive data and system integrity.
- High: High severity issues can significantly impact the functionality or security of systems, requiring immediate attention to prevent exploitation.
- Medium: Medium severity issues may not directly compromise security but are indicative of potential risks that should be mitigated for better overall protection.
- Low: Low severity findings might indicate areas for improvement in documentation and processes without imminent risk; however, they still contribute to the continuous enhancement of security practices.
- Info: Informational findings provide insights into current security practices but generally do not pose an immediate threat.
Example Findings:
- The code review process lacks explicit mention of a security policy that outlines how sensitive data will be handled and protected.
- There are no references to penetration testing or vulnerability scanning in the documentation, indicating a potential gap in actively identifying and mitigating risks within the development environment.
Security Gates
Purpose: The Security Gates scanner identifies and assesses key security elements such as policies, compliance certifications and public disclosures in a company’s published documentation. It analyzes the organization’s website content for the indicators below to check that security best practice is documented, not only practised.
What It Detects:
- Policy Indicators: The scanner identifies the presence of key security policies such as “security policy,” “incident response,” “data protection,” and “access control.”
- Maturity Indicators: It detects compliance certifications and maturity indicators like SOC 2, ISO 27001, penetration testing, and vulnerability scanning.
- Security Documentation Availability: The scanner checks for the availability of security documentation on the company’s website.
- Public Policy Pages: It analyzes public policy pages to ensure they cover essential security topics.
- Trust Center Information: Evaluates trust center information for comprehensive security disclosures and certifications.
Inputs Required:
- domain (string): The primary domain of the entity being analyzed; its subdomains are included (e.g., acme.com).
- company_name (string): The official name of the company or organization under review (e.g., “Acme Corporation”).
Business Impact: This scanner is crucial for any organization aiming to maintain a robust security posture, as it helps in identifying gaps and deficiencies in their security documentation and practices. It directly impacts the trustworthiness and reliability of the entity’s public disclosures and can influence regulatory compliance and customer confidence.
Risk Levels:
- Critical: The scanner flags severe issues such as missing or inadequate critical security policies or certifications that are mandatory for specific industries but absent in the organization’s documentation.
- High: Significant deficiencies in security practices, where important documents like a security policy or incident response plan are either non-existent or insufficiently detailed to meet industry standards.
- Medium: Incomplete or outdated information in trust center pages, suggesting poor maintenance of public disclosures, without a material effect on security posture.
- Low: Minor discrepancies in wording or presentation that do not affect the core security framework.
- Info: Placeholder content or editorial errors in documentation; stylistic rather than substantive, but possibly a sign that nobody owns the pages.
Example Findings:
- A company lacks a comprehensive “security policy” document, which is critical for outlining security objectives and procedures. This finding would carry a high risk level as it directly affects the organization’s ability to manage cybersecurity effectively.
- The trust center page does not list any compliance certifications despite operating in a heavily regulated sector. This scenario could be considered critical since non-compliance with regulatory requirements can lead to severe legal consequences and operational disruptions.
Security Testing Automation
Purpose: The Security Testing Automation scanner looks for gaps in security test coverage and in shift-left practices by analyzing company documentation, public policy pages, trust center information and compliance certifications. It checks that the organization documents security testing throughout its software development lifecycle (SDLC); like the other scanners, it works from published statements, not from the build pipelines themselves.
What It Detects:
- Identifies the presence or absence of a formal security policy.
- Checks for incident response procedures.
- Verifies data protection measures.
- Ensures access control policies are in place.
- Confirms SOC 2 compliance certification.
- Validates ISO/IEC 27001 standards adherence.
- Detects penetration testing activities.
- Identifies vulnerability scanning or assessment processes.
- Evaluates the availability of company security documentation on their website.
- Checks for public policy pages that outline security practices.
- Reviews trust center information for transparency regarding security measures.
- Verifies compliance certifications displayed publicly.
- Checks that statements are consistent across pages, for example that a certification named on the security page also appears in the trust center, and flags discrepancies between them. Because the scanner reads only published content, it cannot verify that a stated control is actually implemented; treat a consistent set of statements as a claim to confirm, not as evidence.
Inputs Required:
- domain (string): Primary domain to analyze (e.g., acme.com)
- company_name (string): Company name for statement searching (e.g., “Acme Corporation”)
Business Impact: This scanner is crucial as it helps organizations proactively identify and address security issues in their SDLC, ensuring that they are meeting or exceeding industry standards for cybersecurity practices. By detecting gaps and inconsistencies in documentation and implementation, the tool aids in enhancing overall security posture and reducing potential risks associated with inadequate security measures.
Risk Levels:
- Critical: No documented security policies or procedures at all.
- High: Significant discrepancies between security statements on different parts of the organization’s published documentation.
- Medium: Minor gaps in the documented security controls, leaving some areas without a stated control.
- Low: Only minor deviations; security measures are well documented and consistent with industry standards.
- Info: Observations such as a compliance certification with an old date or an incomplete trust center page, which are not critical on their own but show where the transparency and currency of documentation can improve.
Example Findings:
- A company lacks a formal security policy documented on their website, indicating a significant gap in proactive security measures.
- The data protection statements on the organization’s privacy page and on its trust center page contradict each other, which raises doubts about how sensitive customer information is actually handled.
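The five scanners on this page share one mechanism: read the public security, policy and trust center pages for the given domain, look for the policy and maturity indicators listed under each What It Detects heading, check the pages against each other, and grade the gaps. The block below is an added worked example written for this page, not the product’s own code. It runs those checks over constructed page texts so it works offline; the regex patterns, the gap-to-severity mapping in `assess`, the treatment of any URL containing “trust” as the trust center, and the sample pages are all assumptions.

```python
"""Indicator checks of the kind the five Secure SDLC scanners on this page describe.

Added worked example written for this page, not the product's own code. The real
scanners take a domain and a company name and scrape the site; this example skips
the fetch and runs the same checks over constructed page texts so it runs offline.
"""
import re

# Indicator lists are the ones named on this page; the regexes are an assumption
# about how free-text mentions of each indicator would be matched.
POLICY_INDICATORS = {
    "security policy":   r"\bsecurity\s+polic(?:y|ies)\b",
    "incident response": r"\bincident\s+response\b",
    "data protection":   r"\bdata\s+protection\b",
    "access control":    r"\baccess\s+controls?\b",
}
MATURITY_INDICATORS = {
    "SOC 2":              r"\bSOC\s*2\b",
    "ISO 27001":          r"\bISO(?:/IEC)?\s*27001\b",
    "penetration test":   r"\bpen(?:etration)?[\s-]*test(?:s|ing)?\b",
    "vulnerability scan": r"\bvulnerability\s+(?:scan(?:s|ning)?|assessments?)\b",
}
# A maturity claim followed, within the same sentence, by a year ("... in 2021").
DATED_CLAIM = re.compile(
    r"\b(pen(?:etration)?[\s-]*test\w*|SOC\s*2|ISO(?:/IEC)?\s*27001)\b[^.]{0,80}?\b(20\d\d)\b",
    re.IGNORECASE,
)


def find_indicators(text, indicators):
    """Names of the indicators whose pattern occurs in text (case-insensitive)."""
    return {name for name, pat in indicators.items()
            if re.search(pat, text, re.IGNORECASE)}


def assess(pages, now_year, company_name):
    """pages maps URL -> page text. Returns (severity, message) pairs on the
    Critical/High/Medium/Low/Info scale used on this page. Which gap maps to which
    level is an assumption that follows the Risk Levels descriptions above."""
    findings = []
    per_page = {url: find_indicators(text, POLICY_INDICATORS)
                     | find_indicators(text, MATURITY_INDICATORS)
                for url, text in pages.items()}
    seen = set().union(*per_page.values())
    if not seen:
        # Nothing on the site says anything about security: complete absence.
        return [("Critical", f"no security documentation found for {company_name}")]
    for name in ("security policy", "incident response"):
        if name not in seen:
            findings.append(("High", f"no published {name}"))
    for name in ("data protection", "access control"):
        if name not in seen:
            findings.append(("Medium", f"no published {name} statement"))
    if not seen & set(MATURITY_INDICATORS):
        findings.append(("Medium", "no certification or security testing claim published"))
    else:
        for name in sorted(set(MATURITY_INDICATORS) - seen):
            findings.append(("Low", f"no mention of {name}"))
    # Cross-page consistency: a maturity claim made elsewhere but absent from the
    # trust center is a discrepancy (the trust center is what a customer reads first).
    trust_urls = [url for url in pages if "trust" in url]
    if trust_urls:
        trust_claims = set().union(*(per_page[url] for url in trust_urls))
        for url, claims in per_page.items():
            if url in trust_urls:
                continue
            for name in sorted((claims & set(MATURITY_INDICATORS)) - trust_claims):
                findings.append(("Medium", f"{name} claimed on {url} but not on the trust center"))
    # Stale claims: a dated testing or certification statement older than last year.
    for url, text in pages.items():
        for claim, year in DATED_CLAIM.findall(text):
            if int(year) < now_year - 1:
                findings.append(("Info", f"'{claim}' on {url} is dated {year}; may be outdated"))
    return findings


SAMPLE_PAGES = {  # constructed sample text, not scraped from any real site
    "https://acme.com/security": (
        "Acme Corporation maintains a written security policy and an incident "
        "response plan. We hold SOC 2 Type II and ISO/IEC 27001 certification. "
        "An external penetration test was last performed in 2021."
    ),
    "https://acme.com/trust": (
        "Trust center. Acme is SOC 2 Type II certified. Customer data protection "
        "is described in our privacy policy."
    ),
}

if __name__ == "__main__":
    for severity, message in assess(SAMPLE_PAGES, 2025, "Acme Corporation"):
        print(f"[{severity}] {message}")
```

On the sample pages this reports a missing access control statement, no mention of vulnerability scanning, two certifications that the security page claims but the trust center omits, and a penetration test statement dated four years back. Every finding is about what the organization says, not what it does: a regex hit on “penetration test” shows only that the phrase is published. The scanners earn their keep by finding what is missing or contradictory; confirming that a stated control is implemented needs evidence from the systems themselves.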