SafeSCARF product overview

What is SafeSCARF?

DT Cloud Services SafeSCARF is a cloud vulnerability management platform. Its DefectDojo-based interface collects the results of security scans, unifies them, provides result analysis, generates and customizes summary reports, and offers support tools that help engineers fix vulnerabilities by showing recommendations.

DT Cloud Services SafeSCARF is an all-in-one solution that covers:

  • Basic user, product and product type management, an IdP (login form), and a role assignment interface integrated with the DT Cloud Services Cloud Portal, together with security features (2FA, strong passphrase enforcement)

  • A web-based SafeSCARF Vulnerability Management Platform (SVMP), currently provided by the DefectDojo product

  • A set of preconfigured CI job definitions (snippets) for running scans from the pipeline in supported CI tools (at the moment GitLab is supported)

  • A set of Docker images with scanning tools usable in CI jobs (kept updated and secure).

SafeSCARF name explanation

Why do we need SVMP, and what actually is it?

Whenever we produce an IT product, application or service, we should guarantee some level of security. The best way to ensure this is security by design. That is easy to say, but when it comes to realization, especially in a very dynamic cloud environment, security specialists soon find that traditional (legacy) solutions fail, for many different reasons. In practice, this approach means: shift security LEFT.

Shift Security LEFT

The main characteristics of this approach are:

  • Minimization of the impact of security incidents thanks to early discovery of vulnerabilities -> lower cost of fixes, etc.

  • Holistic security that does not blindly rely on annual vulnerability scanning or penetration testing

To achieve the above, we decided to provide a cloud-based SVMP tool that automates application security vulnerability management. The main features of this solution are:

  • making the process of application security testing more effective by offering the following features:

    • importing 3rd party security findings

    • merging and deduplicating them

    • templating

    • report generation and customization

    • security metrics
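The list above names merging and deduplication of third-party findings as a platform feature without saying how such a step works. The following Python sketch is an added illustration, not SafeSCARF's or DefectDojo's own code: findings from two constructed scanner reports are fingerprinted by location and CWE (falling back to a normalised title when no location is available), duplicates are collapsed, and the merged item keeps the highest reported severity and the union of tools that reported it. The tool names, field set and sample findings are all constructed for the example.

```python
"""Merging and deduplicating findings from several scanners.

Added example, not SafeSCARF/DefectDojo code: the fingerprint fields, tool
names and sample findings below are constructed for illustration only.
"""
from dataclasses import dataclass, field
from typing import Optional
import hashlib

SEVERITY_RANK = {"info": 0, "low": 1, "medium": 2, "high": 3, "critical": 4}


@dataclass
class Finding:
    title: str
    severity: str
    file_path: str
    line: Optional[int]
    cwe: Optional[int]
    sources: set = field(default_factory=set)  # tools that reported this item


def fingerprint(f: Finding) -> str:
    """Stable key meaning 'the same vulnerability', whichever tool found it.

    Location plus CWE is preferred because tools phrase titles differently;
    when no location exists (e.g. a dependency finding) a normalised title is
    used instead so repeated reports of the same library still collapse.
    """
    path = f.file_path.strip().lstrip("./").replace("\\", "/").lower()
    if path and f.cwe is not None:
        parts = ("loc", path, str(f.line or 0), str(f.cwe))
    else:
        parts = ("title", " ".join(f.title.lower().split()), path)
    return hashlib.sha256("|".join(parts).encode()).hexdigest()


def dedup_findings(findings: list) -> list:
    """Merge findings that share a fingerprint.

    The first occurrence wins for title and location; severity is raised to
    the highest value any tool reported and the set of reporting tools is
    unioned, so an engineer sees one item instead of N near-identical copies.
    """
    merged: dict = {}
    for f in findings:
        key = fingerprint(f)
        if key not in merged:
            merged[key] = Finding(f.title, f.severity.lower(), f.file_path,
                                  f.line, f.cwe, set(f.sources))
            continue
        m = merged[key]
        m.sources |= f.sources
        if SEVERITY_RANK.get(f.severity.lower(), 0) > SEVERITY_RANK.get(m.severity, 0):
            m.severity = f.severity.lower()
    return list(merged.values())


# Constructed sample: two SAST-style tools report the same SQL injection with
# different titles and severities; one SCA-style tool reports a library twice.
SAMPLE_FINDINGS = [
    Finding("SQL Injection", "High", "./src/db.py", 42, 89, {"sast-tool-a"}),
    Finding("SQL injection in query builder", "Critical", "src/db.py", 42, 89,
            {"sast-tool-b"}),
    Finding("Hardcoded password", "Medium", "src/config.py", 7, 798,
            {"sast-tool-a"}),
    Finding("Vulnerable dependency: example-lib 1.2.3", "High", "", None, None,
            {"sca-tool"}),
    Finding("vulnerable dependency:  example-lib 1.2.3", "high", "", None, None,
            {"sca-tool"}),
]


def run_sample() -> list:
    """Deduplicate the constructed sample; five raw findings become three."""
    return dedup_findings(SAMPLE_FINDINGS)


if __name__ == "__main__":
    for item in run_sample():
        print(f"{item.severity:8} {item.title:45} {sorted(item.sources)}")
```

The fingerprint deliberately ignores the title whenever a location and CWE are available, because the same weakness is reported under different names by different tools; a real platform would tune the fingerprint fields per scanner type, and the point of the example is only that deduplication is a normalisation-then-hash step rather than exact string matching.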

What does SVMP do?

Bug tracking is the core functionality of SVMP. However, its ultimate goal is to provide traceability and metrics. The main advantages of SVMP are:

  • engagement model definition

  • traceability across multiple projects and test cycles

  • fine-grained and customizable reporting capability

  • combining all of the above helps keep the users' SLAs under control, and much more.