Harmonia emphasizes practices that ‘build security in’ when constructing software and systems, rather than relying solely on post-development code scanning and incident monitoring to catch exploits. Our services include:

  • CMMI Level 3 processes for software development using developers trained to apply secure coding techniques and requiring peer inspection of code for software assurance.
  • Incorporating multi-dimensional code analysis for vulnerabilities and weaknesses as part of our Continuous Integration/Continuous Deployment pipelines.
  • Applying Continuous Monitoring to protect operational systems, surveil them for security breaches, and provide full incident response and forensic investigation. A related service area is implementation of Identity, Credential, and Access Management (ICAM), including two-factor authentication and single sign-on across mobile and web-based applications.

Since 2008 Harmonia has provided key services in software assurance and application vetting to the U.S. Navy, Air Force, DISA, and other agencies. Many organizations today perform a pre-deployment code scan with a single tool. Harmonia has expertise in using leading tools (e.g., through our partnership with Hewlett Packard for Fortify). However, any single tool is good at finding only certain classes of code weakness, and it generates many false positives (incorrect findings of suspected code weaknesses) that take human review time to dismiss. Static code scans are also only one class of defense against malicious code, and they do not analyze the dynamic execution of the code.

To overcome those problems, Harmonia provides services to tailor an application vetting process for our customers that collects evidence from a dozen or more different tools. We are tool-agnostic and work with our customers to find the best static code analysis tools, dynamic analysis tools, and network analysis tools to uncover weaknesses in web/mobile/desktop applications, services, databases, etc. Our services include threat modeling, setting up automated pipelines to run a dozen or more analysis tools, and automating the aggregation of tool reports and cross-correlation of tool output. These practices reduce false positives and cut the time for customers to adjudicate and fix true code weaknesses.
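The aggregation and cross-correlation step described above, as an added Python example that is not Harmonia's own tooling: it merges findings from several hypothetical tools by file, CWE and nearby line, lets line-less dynamic findings corroborate static ones, and surfaces multi-tool agreement first so reviewers spend less time dismissing single-tool false positives. Tool names and sample findings are constructed.

```python
from collections import defaultdict, namedtuple
from dataclasses import dataclass

@dataclass(frozen=True)
class Finding:
    tool: str
    path: str
    line: int   # 0 = tool reported no line (e.g. a dynamic scanner)
    cwe: str

# One correlated weakness: where it is, and which tools independently reported it
Cluster = namedtuple("Cluster", "path cwe lines tools")
def correlate(findings, line_slack=3):
    """Merge findings naming the same file and CWE within line_slack lines."""
    by_key = defaultdict(list)
    for f in findings:
        by_key[(f.path, f.cwe)].append(f)
    clusters = []
    for (path, cwe), group in by_key.items():
        local = []
        for f in sorted((f for f in group if f.line), key=lambda f: f.line):
            if local and f.line - local[-1].lines[-1] <= line_slack:
                local[-1].lines.append(f.line)   # same flaw, slightly different line
                local[-1].tools.add(f.tool)
            else:
                local.append(Cluster(path, cwe, [f.line], {f.tool}))
        # Line-less (dynamic) findings corroborate every cluster for this file/CWE
        unlocated = {f.tool for f in group if not f.line}
        if not local and unlocated:
            local.append(Cluster(path, cwe, [], set()))
        for c in local:
            c.tools.update(unlocated)
        clusters.extend(local)
    return clusters

def triage(findings, line_slack=3):
    """Return (corroborated, single_source): agreement of >= 2 tools first."""
    clusters = correlate(findings, line_slack)
    corroborated = sorted((c for c in clusters if len(c.tools) >= 2),
                          key=lambda c: -len(c.tools))
    return corroborated, [c for c in clusters if len(c.tools) < 2]
# Constructed sample findings (not real tool output); tool names are hypothetical
SAMPLE = [
    Finding("sast_a", "app/db.py", 42, "CWE-89"),
    Finding("sast_b", "app/db.py", 43, "CWE-89"),    # same flaw, line off by one
    Finding("dast_c", "app/db.py", 0, "CWE-89"),     # runtime probe, no line number
    Finding("sast_a", "app/util.py", 10, "CWE-78"),  # one tool only: needs review
    Finding("sast_a", "app/web.py", 7, "CWE-79"),
    Finding("sast_b", "app/web.py", 7, "CWE-79"),
]
```

Real tool reports (SARIF, XML, JSON) would first be normalized into `Finding` records; the correlation then works the same way regardless of which tools produced them.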