Assure trusted Mambu deliverables through internal activities
- Collaborate to secure software design and implementation practices definition
- Define threat models, perform risk analysis and mitigation workshops with stakeholders of new capabilities or product changes that may impact security (pre-implementation)
- Support teams that develop new capabilities in assessing their security maturity (security readiness check) through workshops
- Implement tooling to detect security vulnerabilities (during implementation) and integrate them seamlessly in the SDLC together with the Release team & enhance and manage them continuously
- Implement, enhance and manage remediation processes for various scanning types (OSA, SAST, IAST, production identified vulnerability issues - during & post implementation)
- Clarify and prioritize the security scope captured in contractual agreements or regulatory obligations to rapidly be market relevant and trusted, not perfect.
- Document application security controls and explain them in internal and external security audits
- Review changes inside the product organization (e.g. structure, processes) with an impact to software security
Assure trusted Mambu deliverables through engagement with external experts
- Advice on external penetration test to ensure pentesters have a running system, know what to focus their test on and support them during the test
- Understand and triage reported vulnerabilities from different sources to respective teams
- Advice on vulnerability rating for reported vulnerabilities from different sources to respective teams
- Support teams by consulting on ways to fix vulnerabilities incl. their root cause
Engineers trained on security matters
- Design and deliver training for security engineering awareness & adoption
- Design, maintain and deliver security practices to assure engineers can assess and fix vulnerabilities independently, understand attack vectors and possible vulnerabilities, can detect, mitigate, permanently correct and prevent security issues on all stages of the SLDC.
- Design and deliver training for security tooling
- Evangelize security practices
- Coordinate table-top exercises for security incidents
- Pair analysis for vulnerability confirmation & mitigation paths
- Pair programming for security aspects of new features, vulnerability mitigation or permanent fix
- Enable teams’ autonomy on security assurance in alignment with product security team’s agreements & practices
- Implement, enhance, manage metrics and dashboards demonstrating security posture and event activity.