
Our Product Supports Your Process

It's about security throughout your software development life cycle.

We have designed features to support a secure software development life cycle (SSDLC). When an SSDLC is embraced, developers can move faster while remaining compliant, with the appropriate gates and controls in place.


No matter your framework or methodology, we know the rigorous best practices that secure development. With digital transformation and the drive to deliver faster, you can leave the overwhelming parts, the steps, their order, and the growing regulatory complexity, to us. Even if your process is not quite there yet, our product meets you where you are and raises minor issues before they become major hindrances.

Code Quality Analysis

Analyze code as it is being written. Surface informational messages and warnings so that issues can be remediated earlier and technical debt can be prioritized. (Hard-coded strings, credentials, and keys/secrets are reported in this category.)

*Provided in reports and in machine-readable formats such as SARIF (Static Analysis Results Interchange Format), for integration with other tools.

Software Composition Analysis (SCA)

Itemize and document each component in your software product, whether purchased, bespoke, or open source (OSS). For each component, record the name, the version in use and its publication date, the latest available version and its publication date, known vulnerabilities in either version, and any warnings or caveats that apply to the package's language or framework as a whole.

*Provided in reports and machine-readable formats, with guidance on regulatory expectations for updates and patching.

Licensing Review

Document the licensing model and the disclosures expected for each component in use, including open source (OSS). Verify that a comprehensive "About" page or "EULA" file exists where one is required.

*Provided in reports, with optional automated creation or modification of the required documents.

CVE (Common Vulnerabilities and Exposures) Analysis

Review and gather relevant CVE records through integration, via SCAP (Security Content Automation Protocol), with the NVD (National Vulnerability Database) and the CVE® Program.

*Provided in reports and machine-readable formats. Because the legacy CVE list download formats are scheduled to be retired in Summer 2022, the extended information carried in the CVE JSON 5.0 record format will be included as it becomes available.

NOTE: eruditeMETA intends to participate in NIST NVD's CVMAP (Collaborative Vulnerability Metadata Acceptance Process) program as it relates to this feature, in accordance with Executive Order 14028: Improving the Nation's Cybersecurity, Sec. 2: Removing Barriers to Sharing Threat Information.

Static Application Security Testing (SAST)

Review code files and surface informational messages and warnings about application security weaknesses in the development practices, so that upcoming issues are raised early and remediation of technical debt can be prioritized appropriately. Included in detailed reports as well as in machine-readable formats such as SARIF, for integration with other tools.
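Both the Code Quality Analysis and the SAST sections above promise findings in SARIF so that other tools can consume them. The script below is an added example, not eruditeMETA's code: it scans a constructed source snippet for string literals assigned to credential- or key-like variable names (the hard-coded secret case the Code Quality section calls out) and emits a minimal SARIF 2.1.0 log. The tool name, rule IDs, sample file and sample values are all made up for the example; the secret value itself is deliberately kept out of the report.

```python
import json
import re

# Constructed sample input (not from any real project). Lines 4 and 5 carry a
# hard-coded credential and a hard-coded key; line 6 is an empty placeholder.
SAMPLE_FILE = "src/config.py"
SAMPLE_SOURCE = '''\
import os

DB_HOST = os.environ.get("DB_HOST", "localhost")
DB_PASSWORD = "hunter2-prod"
API_KEY = "example-key-0123456789"
SMTP_TOKEN = ""
TIMEOUT = 30
'''

# A simple assignment of a quoted literal to a name: NAME = "value"
ASSIGN_LITERAL = re.compile(
    r'^\s*(?P<name>[A-Za-z_]\w*)\s*=\s*(?P<quote>["\'])(?P<value>[^"\']*)(?P=quote)'
)
CREDENTIAL_WORDS = ("password", "passwd", "secret", "token")
KEY_WORDS = ("api_key", "apikey", "private_key", "access_key")

# Hypothetical rule IDs for this example only.
RULE_TEXT = {
    "HC001": "Hard-coded credential assigned to a string literal",
    "HC002": "Hard-coded key assigned to a string literal",
}


def classify(name):
    """Map a variable name to a rule ID, or None if it does not look secret-like."""
    lower = name.lower()
    if any(w in lower for w in CREDENTIAL_WORDS):
        return "HC001"
    if any(w in lower for w in KEY_WORDS):
        return "HC002"
    return None


def scan(uri, source):
    """Return one finding per secret-like literal assignment in `source`."""
    findings = []
    for lineno, line in enumerate(source.splitlines(), start=1):
        m = ASSIGN_LITERAL.match(line)
        if not m:
            continue
        rule = classify(m.group("name"))
        # An empty literal is a placeholder waiting for injection, not a secret.
        if rule is None or not m.group("value"):
            continue
        findings.append({
            "ruleId": rule,
            "uri": uri,
            "line": lineno,
            "column": m.start("quote") + 1,  # SARIF columns are 1-based
            "name": m.group("name"),
        })
    return findings


def to_sarif(findings, tool_name="example-secret-scan"):
    """Build a SARIF 2.1.0 log; the literal's value is never copied into it."""
    rule_ids = sorted({f["ruleId"] for f in findings})
    rules = [{"id": rid, "shortDescription": {"text": RULE_TEXT[rid]}} for rid in rule_ids]
    results = []
    for f in findings:
        results.append({
            "ruleId": f["ruleId"],
            "ruleIndex": rule_ids.index(f["ruleId"]),
            "level": "warning",
            "message": {"text": f"{RULE_TEXT[f['ruleId']]}: {f['name']}"},
            "locations": [{"physicalLocation": {
                "artifactLocation": {"uri": f["uri"]},
                "region": {"startLine": f["line"], "startColumn": f["column"]},
            }}],
        })
    return {
        "$schema": "https://json.schemastore.org/sarif-2.1.0.json",
        "version": "2.1.0",
        "runs": [{"tool": {"driver": {"name": tool_name, "rules": rules}}, "results": results}],
    }


if __name__ == "__main__":
    print(json.dumps(to_sarif(scan(SAMPLE_FILE, SAMPLE_SOURCE)), indent=2))
```

The output can be handed to any SARIF consumer (code-scanning dashboards, IDE viewers, other analyzers) because the required pieces are all there: a tool driver with its rule definitions, and each result carrying a rule ID, level, message and a physical location. The value of the secret is left out on purpose, since a findings report that is copied into tickets and dashboards would otherwise become one more place the credential leaks.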

Application Security Verification

Testing of basic technical security controls for secure development, in accordance with the OWASP (Open Web Application Security Project®) ASVS (Application Security Verification Standard). Provides a metric for assessing how much trust to place in an application, and guidance for building the security controls that satisfy its application security requirements.

Software Bill of Materials (SBOM)

Generation of a Software Bill of Materials (SBOM) as required by Executive Order 14028: Improving the Nation's Cybersecurity, Sec. 4: Enhancing Software Supply Chain Security. Included in reports and in the machine-readable formats (such as SPDX and CycloneDX) named in the minimum elements for an SBOM that NTIA defined under Sec. 4(f) of that order.

Code Coverage (Software Verification Standards) Metrics

Assessment of the percentage of code covered by automated testing, as described in NISTIR 8397: Guidelines on Minimum Standards for Developer Verification of Software, which NIST produced under the mandates of Executive Order 14028: Improving the Nation's Cybersecurity.

FUTURE: Integration with AD (Active Directory) to verify and validate code reviews, review comments, and approvals, checking approvers against job titles and separation-of-duties rules, and identifying individual contributors.

NOTE: For the aspects of the SSDLC that are not yet available in an automated fashion, the product presents prompts or integration points for other tools or for imported flat files.
