PRZOOM - /newswire/ -
Phoenix, AZ, United States, 2008/07/01 - Symosis announced today that one of their customers using their Symosis Software Security CBT modules achieved compliance in Requirement 6 of the PCI DSS using the management interface to provide evidence of SDLC security integration.
Symosis announced today that one of their customers using their Symosis Software Security CBT modules achieved compliance with Requirement 6 of the PCI DSS. Evidence of compliance, focused on the integration of application security into the company SDLC, was demonstrated through the management interface that comes with each module and provides management with audit trails of completion, time spent, individual performance, and corresponding increases in comprehension. By cross-referencing the company application developers and testers who completed the modules, management was able to provide evidence of how they are working to better secure their applications and to support the overall goal of integrating application security into their company SDLC.
Symosis’s general public release in June of their Software Security CBT modules focuses on educating employees who develop and test applications. The CBT modules train students on all the specific areas of application security requirements in the PCI DSS and focus on building secure coding techniques, QA test cases, and standards that can be integrated into the SDLC. Each module teaches detailed threats and countermeasures that cover all of the major standards such as the Open Web Application Security Project (OWASP) guidelines.
The PCI DSS specifically states that companies who develop in-house applications can avoid numerous vulnerabilities by using standard system development processes and secure coding techniques. As application security has risen to the forefront of web-based business, implementing process controls that help better secure web applications is at the top of the list for many companies. Auditing these processes can be difficult: companies can state that they are building secure applications and using secure coding techniques based on prevalent standards, but that claim at times fails to provide tangible, objective proof to an independent auditor. Symosis leaves little doubt as to who in the company has been educated about today’s application security risks.
“Rather than attempt to enhance security reactively after functionality is developed or tested in an ad hoc fashion, Symosis security training focuses on providing education to a company’s first line of defense in the development environment so that security becomes a proactive control. Developers and QA resources who complete our training understand how applications are targeted by attackers and look beyond programming for expected use, and understand more complex threats of unexpected use, teaching students the true spectrum of what constitutes a threat to an application. Our education platform starts a process that creates a chain reaction of application security improvement in the security of the code, and even more importantly, to the logic and data flows of an application. Automated tools, code reviews, and a web application firewall are secondary mechanisms for post-implementation assessment and are not as effective at protecting against application vulnerabilities unless the education component has happened,” said Clinton Mugge, Symosis CEO. “That concept alone provides a strong message to our customers, and when you couple that to our training reports, our education courses provide an objective element to an auditor.”
Symosis (symosis.com) released three modules earlier this month that educate companies on implementing better software security by teaching students about security threats and countermeasures. Information security vulnerabilities are typically introduced during the design and coding phases of the software development lifecycle (SDLC), but their discovery usually emerges after an application has been implemented. The Symosis CBT Software Security modules are focused on educating those who are upstream from the traditional security roles and provide critical knowledge to students in a professionally produced online computer-based training platform. The modules include numerous test cases, video demonstrations, learning games, and quizzes, and, along with a final exam, are targeted at where the problem is usually first introduced.
Symosis is an information security company focused on professional services and training.