Booz Allen provides the following services that can be integrated into the Microsoft SDL:
Training
Assist your staff in understanding the root cause, attack methods, impact, and mitigation of software threats
Familiarize staff with secure coding techniques and best practices
Provide guidance on how to integrate security frameworks like the OWASP ESAPI into your project
Lifecycle Governance and Organizational Software Assurance Infrastructure
Provide guidance and mentoring support to gain and implement leadership oversight and support
Provide guidance and mentoring support to create and sustain Organizational process development, improvement and implementation support
Assist with development and implementation of a standard organizational toolkit and rapid deployment support
Provide guidance and implementation of an organizational infrastructure for standard requirements, attack patterns, threats, etc
Propose and guide implementation of mechanisms to gain feedback and lessons learned on the implementation of the organizational processes
Requirements
Develop non-functional and security requirements that are actionable, testable, and traceable throughout the SDLC.
Extend use-case diagrams with abuse and misuse cases to represent the actions that software should either perform or prevent in support for security and privacy requirements.
Propose an assurance level based on cost/benefit analysis. An assurance level provides a level of protection based on the budget, program goals, and acceptable risk of an organization
Define security and privacy requirements based on required laws and desired assurance level
Design
Perform architectural risk assessment and threat analysis to analyze attack surface
Define appropriate security architecture based on requirements and risk assessment
Implementation
Recommend software assurance tools based on cost/benefit analysis
Perform static analysis of code to identify and mitigate vulnerabilities
Identify and eliminate the use of unsafe/banned functions in Java, C/C++, and C#
Integrate software security to complement system and network security to provide defense in-depth
Verification
Perform dynamic code review utilizing automated and manual techniques that leverage repeatable processes to identify security flaws, as well as verify successful the implementation of security requirements
Execute application-focused security and penetration testing to identify security flaws
Provide guidance on how to remediate flaws discovered during verification
Release
Develop Incident Response Plan and Procedures based on Federal guidance
System Accreditation
Assist in obtaining and maintaining accreditation for your Federal system
Perform security test and evaluation (ST&E) in support of system certification
Response
Perform emergency application penetration testing and code review to recommend mitigations after a breach
Develop course of action to get software assurance back on track
