Software Security Consulting

Software Security Consultation Services

Introduction To Brook S.E. Schoenfield

Brook has technically led five software security programmes at major tech companies. He has held nine technical leadership positions in his almost 40-year technical career, including more than 20 years in security.

In addition, he has worked with numerous clients to help them improve their software security practices. He is a contributing author to Core Software Security (CRC Press, 2014), as well as authoring two security architecture books: Securing Systems (CRC Press, 2015) and Secrets Of A Cyber Security Architect (Auerbach, 2019). Partnering with Dr. James Ransome, he is currently drafting a book focused on Agile and DevOps software security.

Please see Contributions To Security for details on some of the concepts and methods Brook has originated.

Brook continues to provide leadership to his clients, as well as to the industry, on a wide variety of software security areas. He is actively engaged with several volunteer efforts to improve practices. His resume includes several industry publications.

Please see Brook’s CV at LinkedIn for further details on Brook’s skills and experience.

Large consultant practices typically “customize” boilerplate rather than developing contextually relevant solutions in close collaboration with each customer. When the goal is revenue generation, it is more efficient to drive customers to packaged formulas than to generate solutions based upon a customer’s needs. When you engage with Brook, you will not then be foisted off on entry-level analysts who are following a checklist to gather information and who then are charged with somehow grafting the consultancy’s boilerplate formulas to collected information.

Brook learns about your problems and then applies his considerable experience to craft solution sets that are actionable and workable for your organization’s situation and context.

Software Security Consulting Services:


Software Security Practices Assessment

Brook can assess the current state of your software security practices or your Security Development Lifecycle (SDL or S-SDLC). You may refer to these as “application security”.

Your practices will be measured against a generic SDL that is based upon an 18-month study of published SDLs. A generic SDL was described in Chapter 9 of Core Software Security (CRC Press, 2014), authored by Brook. However, that SDL has since been updated to account for continuous integration and delivery, DevOps development practices, and cloud use. Standards from NIST and ISO have been factored into the generic SDL, so it is in line with them.

Each assessment will take into account:

  • The architecture types being produced
  • The organization’s software development practices (SDLC), both standards, if any, and as practiced, “on the ground” by development staff
  • Methods of software build, deployment, packaging, release, and operations
  • Secure design practices, security requirements discovery, architecture, planning, and structuring processes, if any
  • Secure coding and validation practices, if any
  • Steps taken for security verification, if any
  • Risk assessment and rating practices, if any
  • Product security incident response (PSIRT), if any

Each assessment will include a description of the current state, including observed gaps between policy, standards, and practices, and gaps with industry standard practices.

Brook’s assessments are not “boilerplate” or checkbox assessments. He takes the time to study each client’s particular business drivers and concerns, to map the organization’s risk tolerance and desired security posture, and to identify areas of strength as well as gaps that do not meet the organization’s intended security practice and posture.

If desired, Brook can also make recommendations for improvements. Please see “Software Security Practices Strategy, Implementation And Improvement”, below.


Software Security Practices Strategy, Implementation And Improvement

Having designed and then technically led multiple software security practices at multiple organizations, Brook can offer his deep and broad experience to clients. He can help design a custom programme to meet an organization’s software security objectives.

In Secrets Of A Cyber Security Architect (Auerbach, 2019), Brook cataloged the set of problems that many programmes typically face. Brook has faced these, too. Brook won’t just call out problems, unless that is what the customer requires.

Brook will strategize with you, bringing solution sets that he has used successfully in the past. Or, together, we will figure out what will be workable for each particular situation.

For organizations that already have a software security strategy, Brook can help with how to implement the strategy, with prioritization: what should be accomplished immediately? What can be scheduled in the medium term? What are the longer-term objectives, and how can these be driven over a longer period?

Software Security Training

Once you have embarked on a software security programme, Brook can help you train your staff so that they can, and will, execute that programme to success.

Brook’s software security training can draw from a generic SDL, your software security assessment, your SDL, or from a range of published SDLs and public standards, as needed.

Brook builds curriculums that convey engineering principles and methods. But some aspects of software security also require experience and craft, often termed “art”. Brook has taught thousands of practitioners through his experiential classes, where exercises are crafted that allow attendees to practice what they are learning and to receive organic feedback about what they have produced as a natural part of the class’s process and flow.

Software Security Leader

For organizations that have embarked on their software security journey but don’t (yet) have a software security technical leader, Brook can provide your organization with one-of-a-kind technical leadership.

Brook can be engaged such that your developers, your security practitioners, your security leadership can contact him for reviews of work, for strategy meetings, for that experienced thought leader input that is typically hard to hire and often quite expensive.

Perhaps your personnel just need to check their work? Brook has reviewed the security of thousands of projects, as well as helped hundreds of security practitioners ensure that their work is sufficient.

It’s as simple as engaging Brook on an hourly or retainer basis and then setting up meetings to go over whichever issues and needs require technical leadership of the calibre that Brook offers. Brook is nearly always available by phone and message for urgent consultations.

Security Architecture Assessment

Brook can assess the current state of your security architecture and secure design practices. You may refer to these as “application security” design, “security architecture review”, “architecture risk assessment”, “security engineering”, or another, similar term.

Your practices will be measured against a generic SDL set of secure design practices, with threat modelling as the foundational technique. The generic SDL is based upon an 18-month study of published SDLs conducted at Intel, when Brook held a Principal Engineer and Director of Security Architecture role there.

Each assessment will take into account:

  • The architecture types being produced
  • The organization’s software development practices (SDLC), both standards, if any, and as practiced, “on the ground” by development staff
  • Secure design practices, security requirements discovery, architecture, planning, and structuring processes, if any
  • Threat modelling methods and practices
  • Steps taken for security verification, if any
  • Risk assessment and rating practices, if any

Each assessment will include a description of the current state, including observed gaps between policy, standards, and practices, and gaps with industry standard practices.

Brook’s assessments are not “boilerplate” or checkbox assessments. He takes the time to study each client’s particular business drivers and concerns, to map the organization’s risk tolerance and desired security posture, and to identify areas of strength as well as gaps that do not meet the organization’s intended security practice and posture.

If desired, Brook can also make recommendations for improvements. Please see “Software Security Practices Strategy, Implementation And Improvement”, above.


Security Architecture Strategy, Implementation, And Improvement

Having designed and then technically led multiple software security practices, including security architecture, at multiple organizations, Brook can offer his deep and broad experience to clients. He can help design a custom programme to meet an organization’s security architecture and secure design objectives.

In Secrets Of A Cyber Security Architect (Auerbach, 2019), Brook cataloged the set of problems that many programmes typically face. Brook has faced these, too. Brook won’t just call out problems, unless that is what the customer requires.

Brook will strategize with you, bringing solution sets that he has used successfully in the past. Or, together, we will figure out what will be workable for each particular situation.

For organizations that already have a security architecture strategy, Brook can help with how to implement the strategy, with prioritization: what should be accomplished immediately? What can be scheduled in the medium term? What are the longer-term objectives, and how can these be driven over a longer period?

Security Architecture Leader

For organizations that have embarked on their security architecture, secure design, or threat modelling journey but don’t (yet) have a technical leader, Brook can provide your organization with one-of-a-kind technical leadership.

Brook can be engaged such that your developers, architects, planners, product owners, security practitioners, security architects, and security leadership can contact him for reviews of work, for strategy meetings, and for that experienced thought-leader input that is typically hard to hire and often quite expensive.

Perhaps your personnel just need to check their work? Brook has reviewed the security of thousands of projects, as well as helped hundreds of security practitioners ensure that their work is sufficient.

It’s as simple as engaging Brook on an hourly or retainer basis and then setting up meetings to go over whichever issues and needs require technical leadership of the calibre that Brook offers. Brook is nearly always available by phone and message for urgent consultations.


Secure Design And Security Architecture Training

Brook has taught, coached, and mentored hundreds of security practitioners in the more than 20 years he has been practicing security (within his nearly 40 years in high-tech).

Brook can help your designers and architects understand the practice of architecture and security’s place within a broader architecture practice.

Brook builds curriculums that convey engineering principles and methods. But some aspects of secure design also require considerable experience and craft, often termed “art”. Brook has taught thousands of practitioners through his experiential classes, where exercises are crafted that allow attendees to practice what they are learning and to receive organic feedback about what they have produced as a natural part of the class’s process and flow.

Threat Modelling

Brook is happy to apply his years of experience building threat models to your software and digital systems. Brook has threat modelled thousands of systems and projects. His threat models aim to identify realistic attack scenarios, to risk-rate these, and, if needed, to enumerate the set of security controls, defenses, and mitigations that will meet your organization’s security posture and risk tolerance.

Please see Brook Schoenfield’s Threat Modeling Method for further information on threat modeling.

Threat Modelling Training

Brook builds curriculums that convey engineering principles and methods. But some aspects of threat modelling also require experience and craft, often termed “art”. Brook has taught thousands of practitioners through his experiential classes, where exercises are crafted that allow attendees to practice what they are learning and to receive organic feedback about what they have produced as a natural part of the class’s process and flow.

Threat Modelling And Secure Design Strategy And Leadership

Threat modelling shouldn’t be implemented as a single, one-time activity. When done that way, it often occurs too late to be effective, and it may be seen by development teams as an imposition or, worse, as a critique of their hard work.

Rather, threat modelling is one of the foundational techniques underlying secure design practices, from idea conception right through implementation. A comprehensive threat model’s output should be provable through security verification techniques. Threat modelling is a journey and a living process, a core part of system architecture and planning, not an add-on or adjunct.

Brook can provide senior leadership and review of your threat modelling and secure design programme and strategy.

Please see Security Architecture Strategy, Implementation, And Improvement, above, for more detail.