Services
Integration of secure development best practices at all stages of the development lifecycle
Cigital Consulting has its foundation in a technical methodology entitled Building Security In described in Building Secure Software and Software Security both written by our CTO Dr. Gary McGraw. Based on the concept of interjecting software security activities called Touchpoints at various points along the software development lifecycle (SDLC), our consultants identify security assurance gaps, introduce processes to improve the way software is built, and develop specific methods for reducing cost and risk.
We work closely with you to understand your business and technical objectives and then design and implement a software security strategy specific to your requirements.
Our consulting services include:
- Application Penetration Testing
Cigital performs penetration testing to corroborate static code analysis and determine run-time or environmental vulnerabilities. We review the application’s architecture to look for design flaws which might lead to vulnerabilities. The result is a scorecard with verifiable metrics and detailed findings which can focus and expedite remediation efforts.
- Secure Code Review and Static Analysis
Our clients use this service to quickly evaluate development team deliverables and confirm adherence to standards by external software vendors. Cigital will utilize industry-standard analysis tools and present an aggregate report of vulnerabilities. These “triage” engagements are also useful in determining which applications need further assessment.
- Architectural Risk Analysis
Detecting architectural flaws requires a higher degree of software design experience and in-depth discovery. Cigital performs interviews, gathers and reviews documentation, scans code, and manually inspects code — whatever is needed to provide your company with a comprehensive view of an application’s security posture.
- BSIMM
The BSIMM is designed to help you understand, measure, and plan a software security initiative. The BSIMM was created by observing and analyzing real-world data from 42 leading software security initiatives.
- Mobile Security
We have deep expertise in the practice of assessing and securing mobile applications and environments. Our wide array of services includes developer training, architecture risk analysis, static analysis of native mobile applications and mobile application penetration testing.
- Information Security Policies
We work with you to design, implement and maintain a coherent set of policies to manage the risks to your information assets. This ensures acceptable levels of information security risk, and has a positive effect on business continuity. This activity lays the foundation for meeting compliance and regulatory requirements.
- Software Security Standards Development
Our experts are well positioned to provide the guidance necessary to create practical, usable and clear software development security policy. We partner with you to develop policy guidance that works with your existing corporate policies and considers the unique regulatory requirements of each situation.
- Application Vulnerability Remediation
Remediation is the process of methodically correcting software security flaws and deficiencies. We work with you to accelerate remediation by providing in-depth guidance on how to correct each security vulnerability.
- Secure Application Development
Cigital’s secure application development service provides you with our software design, coding quality assurance and security expertise that can be scaled to meet your needs. We use an approach to building software that ensures it is delivered on time and to budget, is fully functional and is secure.
- Security Metrics Development and Deployment
A primary goal of metrics collection is to identify specific areas in a system that should be targets for improvement. Cigital has experience in what metrics should be used to accurately measure the reduction of the number and severity of vulnerabilities.
- Network Penetration Testing
Our network penetration testing service identifies vulnerabilities exposed through your internet gateway to determine a comprehensive picture of the protected systems. Cigital’s penetration test team performs a thorough examination of internet-facing systems from the perspective of the hacker.
- Quality Assurance
Quality assurance must enable software to ship and deploy on time. Leaders strive to increase the speed of development teams, reduce critical-path test time, and increase coverage to provide real-time feedback to developers on code quality. A Cigital assurance partnership will accelerate delivery of high quality software.
Cigital offers both Instructor-Led Training (ILT) and eLearning in a number of disciplines designed for development, security, audit, compliance and management personnel. These disciplines provide technical training for every role in the secure software development lifecycle.
- Instructor-Led Training
Conducted onsite at your offices, Cigital delivers private classroom training utilizing certified expert practitioners. Blending activity-based learning methodologies with real-world examples, Cigital’s ILT offering provides the foundation upon which your entire enterprise can improve its software security posture.
- SecureTraining eLibrary
This is Cigital’s eLearning offering. The SecureTraining eLibrary is a web-based, on-demand suite of classes designed to promote software security awareness at every level of your organization.
- SecureAssist (IDE based real-time training)
SecureAssist is a real-time training product that teaches your developers secure coding best practices while they are actually writing code. Running in the developers’ IDE, SecureAssist provides instant feedback and guidance on security vulnerabilities.
Cigital’s Managed Services combine best practices, technology, tools and repeatable processes with a framework that drives efficiency and cost reduction while reducing risk. We work closely with clients to understand business and technical objectives and then design and implement an effective structure for delivering low-cost, high-value automated and value-added solutions.
As a global leader in software security, Cigital is consistently pushing the envelope on developing new ways to reduce software security risk for our clients. An essential part of our mission is encapsulating cutting edge software security services into repeatable, efficient, automated solutions for our customers. Cigital’s Licensed Solutions are the result of these efforts.
- SecureAssist (IDE based real-time training)
SecureAssist is a real-time training product that teaches your developers secure coding best practices while they are actually writing code. Running in the developers’ IDE, SecureAssist provides instant feedback and guidance on security vulnerabilities.
- Enterprise Security Portal
Enterprise Security Portal (ESP) is a central workflow solution specifically designed to help organizations deploy and manage an enterprise-wide static analysis program.
Building Security In Touchpoints
Regardless of the SDLC type employed by your organization, the Building Security In Touchpoints identify specific activities companies can execute to improve the security and quality of the applications they deploy.
- Requirements and Use Cases
- Abuse Cases
- Security Requirements
- Risk Analysis
- Architecture and Design
- Risk Analysis
- Test Plans
- Risk-Based Security Tests
- Code
- Code Review (Tools)
- Test Results
- Risk Analysis
- Penetration Testing
- Feedback
- Penetration Testing
- Security Operations