Services
Secure the core
K2 Digital Defense LLC offers a wide variety of services in the information security space. While our specialties are listed below, we often work in other areas as well--we can't secure the core if the perimeter is poorly defined. Our analysis generally starts with the information you want to secure, and then we work outward examining security and controls at each level of your infrastructure.
We pride ourselves on a practical, results-oriented approach to threats and risks. We avoid sowing fear, uncertainty, and doubt, and instead focus on building a security solution that will enable your enterprise to quickly and flexibly meet its business goals.
The K2DD Library contains more information on our methodologies and standards. Details of our BuildSecure initiative are also described--including analyses of threats and vulnerabilities, application security techniques, and pointers to a wealth of security reference material on the web.
Application security assessments
Applications, whether developed in-house or purchased from a third-party, often contain vulnerabilities that bypass traditional network security measures. Working with project teams to find and remove such vulnerabilities is a K2 Digital Defense core strength, and we have years of experience implementing secure development practices and evaluating the security of third-party applications.
In both cases, beginning the security efforts early in the requirements specification process is extremely beneficial, but an application security assessment can start at any time. Depending on your organization’s needs and the current status of the project, an assessment can include requirements and design reviews, threat models, secure coding practices, code reviews, control testing, and penetration testing.
In many cases, the capstone of an application security assessment is a white paper describing the security virtues of your organization's software. Whether the audience is end customers, partners, or regulators, an application's security posture is quickly becoming a market differentiator and a key item in obtaining a CISO's or auditor's approval. We can write or help you write white papers, presentations, or other material to document your organization's approach to application security.
BuildSecure training
We provide training on our BuildSecure initiative. We cover requirements and design analysis, threat modeling, attack surface hardening, secure coding, testing, common vulnerabilities, and application defense. Application security is a rapidly evolving field and it seems new attack methodologies are released weekly. In order to help development teams stay on top of the threat landscape, we can tailor ongoing training programs to address the specific needs of your organization's software.
Database Encryption
Encrypting information in the database is rapidly becoming an industry best practice and is required or strongly encouraged by a host of privacy legislation and other regulations (such as the PCI requirements governing credit cards). K2DD's founder, Kevin Kenan, published Cryptography in the Database in 2005, and is an expert on designing and deploying solutions for database encryption.
When your organization begins considering database encryption, we can help you evaluate your needs and design solutions with off-the-shelf or custom components. Our analysis includes an in-depth review of your environment to understand how encryption will impact your data flow and how key management will best fit with your current infrastructure and security practices.
We also provide subject matter expertise to help facilitate discussions with encryption vendors. We can help you pierce the veil of key sizes, algorithms, and HSMs, so that your organization ends up with a cryptosystem that meets your needs and protects your assets from the threats relevant to your enterprise's environment.
Database security assessments
In most organizations, databases contain some of the most valuable information, but are afforded the least amount of security attention. A database security assessment helps you understand your exposure from database vulnerabilities. Whether the exposure comes from bugs in the database itself, administrator misconfiguration, or simple oversight (such as default passwords), we can help you secure your database.
Policy and procedure review
Policies and procedures form the foundation of your information security program. They specify your enterprise's high-level security goals and the shape of your overall information security program. Our review compares your policies to industry standards such as ISO/IEC 17799 and delivers recommendations to address gaps based on your enterprise's needs.
In addition, we can provide templates and help with formatting and phrasing to ensure that your policies are clear and concise. A successful policy implementation depends on an effective communication strategy. We can help design and build your awareness program so that your message reaches and is understood by your audience--whether they are employees, partners, or customers.
If your enterprise operates under regulatory requirements such as those imposed by PCI, privacy legislation, SOX, or others, we can work with your legal counsel to ensure that your security policies are consistent with the regulations.
Information risk assessment
During an information risk assessment, we review business processes and practices for security risks. The resulting report follows the flow of sensitive information through your organization, tracking where it is handled, stored, processed, and destroyed, and identifies strengths and gaps in the surrounding controls.
If your enterprise needs to formalize its security program or is ready to expand an in-place program, then an information risk assessment is an excellent way to map your course. Organizations facing compliance mandates, including regulatory requirements (SOX, HIPAA, GLBA) as well as industry standards (COBIT, ISO), find that a comprehensive information risk assessment provides a solid foundation for achieving compliance.
At-a-Glance Service Menu
Assess applications & databases
Database encryption
BuildSecure training
Audit preparation
Policy & process reviews
Risk management
Standards development
Copyright 2007 K2 Digital Defense LLC