Our Product Enables Cybersecurity

It's about providing the tools and information necessary to secure your software and its ecosystem.

Whether it is general information, business intellectual property, sensitive personal information, or personally identifiable information, context is the deciding factor. While the context of data can change over time and through the lifecycle of development, its protection is paramount. That protection is directly related to the software and components handling the data at distinct points in time.

There are expectations for the manner in which data is stored or transmitted, limits upon data retention, audit logging, sensitivity labels, access control, detailed disclosures to users, consent to be obtained, guidelines for data sharing and even internal use, and international and local legalities involving consumer rights. Failing to adhere to the appropriate regulations can result in fines large enough to cripple and destroy businesses.

We gather all of this information together, itemizing risks in relation to your data's context, to provide the ability to address cybersecurity in your software supply chain.

Code Quality Analysis

Analyze code as it is being created. Surface informational messages and warnings, allowing earlier remediation and the prioritization of addressing technical debt. (Hard-coded strings, credentials, and keys/secrets are considered code quality issues.)

*Provided in reports and machine-readable formats such as SARIF, for integration with other tools.

Software Composition Analysis (SCA)

Itemize and document each component in your software product, whether purchased, bespoke, or open source (OSS). The information includes the component's name, the version in use and its publication date, the current available version and its publication date, known vulnerabilities in either version, and any warnings or caveats that apply to the language or framework of the package as a whole.

*Provided in reports and machine-readable formats and includes guidance on regulatory expectations for updates and patching.

Licensing Review

Document the licensing model and the disclosures expected for each component in use, including open source (OSS). Verify that a comprehensive "About" page or "EULA" file exists where required.

*Provided in reports, with automated creation or modification of the required documents where possible.

CVE (Common Vulnerabilities and Exposures) Analysis

Review and gather the relevant CVE records by integrating, via SCAP (Security Content Automation Protocol), with the NVD (National Vulnerability Database) and the CVE® Program.

*Provided in reports and machine-readable formats. As the current CVE list format will no longer be supported after Summer 2022, the extended information in the CVE JSON 5.0 format will be included as it becomes available.

NOTE: eruditeMETA will participate in the NIST NVD CVMAP (Collaborative Vulnerability Metadata Acceptance Process) Program as it relates to this feature, in accordance with Executive Order 14028: Improving the Nation's Cybersecurity, Sec. 2: Removing Barriers to Sharing Threat Information.

Static Application Security Testing (SAST)

Review code files and surface informational messages and warnings about application security issues in development practices, so that upcoming problems are identified early and remediation of technical debt can be prioritized appropriately. Included in detailed reports as well as machine-readable formats such as SARIF, for integration with other tools.

Application Security Verification

Testing of basic application technical security controls for secure development, in accordance with the OWASP (Open Web Application Security Project®) ASVS (Application Security Verification Standard). This provides a metric for assessing the degree of trust that can be placed in an application, along with guidance for building the security controls needed to satisfy its security requirements.

Software Bill of Materials (SBOM)

Generation of Software Bill of Materials (SBOM) as required by Executive Order 14028: Improving the Nation's Cybersecurity, Sec. 4: Enhancing Software Supply Chain Security. Included in reports and machine-readable formats specified by CISA's SBOM requirements.

Code Coverage (Software Verification Standards) Metrics

Assessment of the percentage of code covered by automated testing, as described in NIST.IR.8307: Guidelines on Minimum Standards for Developer Verification of Software, which was created under the mandates of Executive Order 14028: Improving the Nation's Cybersecurity.

FUTURE: Integration with AD to verify and validate code reviews, comments, approver validation in relation to job titles and separation of duties, and individual contributors.

NOTE: For the aspects of the SSDLC that are not yet available in an automated fashion, the product will present prompts or opportunities to integrate with other tools or to import flat files.
