Northport, NY — November 26, 2016 — Secure Decisions, a division of Applied Visions, Inc. and an industry leader in cybersecurity situation awareness, has been selected by the Department of Homeland Security to lead the development of a new cyber threat management system for application software. The Application Security Threat Attack Modeling (ASTAM) program will produce an integrated, open source system that will increase the accessibility of web application security.
Today, organizations typically rely on fragmented, time-consuming, and reactive approaches to cybersecurity. Vulnerabilities remain unresolved for months — or years — as teams struggle to keep pace with IT growth, compliance reporting requirements, and security incidents. While there have been important improvements to host- and network-based security, applications have not received sufficient attention. This has led web application software to become the leading avenue through which computer system breaches occur, according to Verizon’s Data Breach Investigations Report for 2016.
The ASTAM solution will help organizations manage application security in a cost-effective, risk-centric manner. It is being developed for organizations that run web application software and possess high-value information or operate high-value computer systems. Such organizations are routinely the target of adversaries seeking to steal, destroy, ransom, or otherwise interfere with their operations. By improving the quality and security of the software these organizations develop and run, we can reduce the opportunities for expensive and disruptive computer system breaches.
ASTAM will provide a scalable solution for web application security that offers value throughout the software development lifecycle. Through a unified threat management user interface, the solution aims to provide correlation of static and dynamic analysis scan results, a guided approach to threat modeling, prescriptive threat mitigation advice for developers, automated penetration testing and attack simulation, automated countermeasure development, and continuous monitoring and assessment.
Secure Decisions draws upon its considerable experience conducting and managing application security R&D to lead the ASTAM project. It has enlisted the services of several subcontractors — all technical and thought leaders in their domains — to provide special expertise and development services to the ASTAM program. Denim Group will contribute hybrid analysis mapping (HAM) capabilities, VerSprite will develop application threat modeling (ATM) tools, Aspect Security and Siege Technologies will build out automated attack simulation and countermeasure (ASCM) development capabilities, and Deloitte will identify transition partners and lead pilot testing of the ASTAM solution. Secure Decisions will employ its team of software engineers, cybersecurity and threat management experts, UI/UX experts, and quality assurance and testing staff to develop continuous monitoring and assessment (CMA) capabilities, and integrate all the developed technologies into a unified threat management system.
The base period of the program commenced in September 2016 and will reach its first major milestone in March 2017. It is expected to be followed by two one-year optional development phases and a one-year optional pilot phase. The results of the ASTAM program will be released as open source software for use and modification by the application security community.
This material is based on research sponsored by the Department of Homeland Security (DHS) Science and Technology Directorate, Cyber Security Division (DHS S&T/CSD) via contract number HHSP233201600058C.
About Secure Decisions:
Secure Decisions was created as a division of Applied Visions, Inc. to conduct R&D and develop innovative technologies in cybersecurity, including network defense, infrastructure protection, application security, intelligence analysis, and data visualization. Secure Decisions develops tools for decision-makers to analyze large amounts of complex data, and to provide cutting-edge security measures to protect their proprietary information. In 2015, the application security R&D conducted by Secure Decisions led to the development of a new application vulnerability correlation and management system, which is now commercially available through a spin-out company called Code Dx, Inc.