Capgemini UK plc

Secure Code Development SaaS Training

Cloud-based platform that can provide fun gamified learning for developers to write secure code. Capgemini’s online service can offer interactive training, assessments, real-time code coaching and tournaments to help drive culture change, engage and train developers to improve their secure coding skills, gain real-time advice and monitor skill development.

Features

  • Cloud-based, integrated assessment and training solution
  • Gamified training methodology can make learning fun, competitive and engaging
  • Can provide on-demand learning in an everywhere-available format
  • Can provide free learning resources library for specific vulnerabilities
  • Can measure progress: challenges completed, time spent, strengths/weaknesses, accuracy
  • Can cover over 50 vulnerability types including OWASP Top 10
  • Can provide portal training material for integration with LMS
  • Real-time coaching plugin can act like spellchecker for real-time learning
  • Can provide customisable online assessments
  • Can set up tournaments to help maximise engagement and adoption

Benefits

  • Can help achieve faster and more secure software development
  • Can help reduce cost of security by improving code quality
  • Can empower developers to become first-line defence preventing code vulnerabilities
  • Can train, educate developers to have a security mindset
  • Can help build developer skills, get real-time advice, monitor development
  • Can help increase developer awareness of security threats and vulnerabilities
  • Can help create a positive security culture within an organisation
  • Can increase training completion rates
  • Can reduce code-based security risk
  • Can help improve overall security posture of organisation

Pricing

£50000 per user per year

  • Free trial available

Service documents

Framework

G-Cloud 11

Service ID

331180871296270

Contact

Capgemini UK plc

Giovanna Borgia

+44(0)370 904 4858

publicsector.opps.uk@capgemini.com

Service scope

Software add-on or extension: Yes, but can also be used as a standalone service
What software services is the service an extension to: Security Education and Awareness
Cloud deployment model: Public cloud
Service constraints: Developers will need access to the internet to use the service. The IDE plugin is only available for certain languages in certain IDEs at the moment.
System requirements: Please contact Capgemini directly for information on system requirements.

User support

Email or online ticketing support: Email or online ticketing
Support response times: We aim to acknowledge receipt of questions within one Working Day. Resolution times will be according to the service level agreement for the service.
User can manage status and priority of support tickets: No
Phone support: Yes
Phone support availability: 9 to 5 (UK time), Monday to Friday
Web chat support: No
Onsite support: Onsite support
Support levels: Individual service levels are described in the Service Definition. Should you have requirements for other service levels, please contact Capgemini directly to discuss.
Support available to third parties: Yes

Onboarding and offboarding

Getting started: Capgemini can work with the Buyer at the beginning of the engagement to agree the strategy including the users, the training needs and implementation plan.
Service documentation: Yes
Documentation formats:
  • HTML
  • PDF
End-of-contract data extraction: Arrangements for Buyer data to be extracted can be agreed at the start of each contract, and the execution of such arrangements can be completed as part of the contract close down procedures.
End-of-contract process: At the end of the contract, Capgemini can review with the Buyer:
  • That contractual obligations have been met;
  • That invoices have been raised and paid;
  • That no outstanding, documented issues remain (unless agreed otherwise);
  • That access rights have been terminated and user IDs deleted;
  • That data has been backed up and recovered as appropriate.

Using the service

Web browser interface: Yes
Supported browsers:
  • Internet Explorer 10
  • Microsoft Edge
  • Firefox
  • Chrome
  • Safari 9+
Application to install: Yes
Compatible operating systems:
  • Linux or Unix
  • MacOS
  • Windows
Designed for use on mobile devices: No
Service interface: Yes
Description of service interface: Please contact Capgemini to discuss this feature.
Accessibility standards: None or don’t know
Description of accessibility: The service is accessible via a browser on a laptop or desktop.
Accessibility testing: Capgemini is working towards WCAG 2.0. Currently, Capgemini is partially compliant with AA.
API: Yes
What users can and can't do using the API: Reporting data on usage and completion of training modules via API.
API documentation: Yes
API documentation formats: Open API (also known as Swagger)
API sandbox or test environment: Yes
Customisation available: Yes
Description of customisation: Buyer can customise training, assessments and training for their developers. Capgemini can work with the Buyer to agree the requirements and implement the customisations.

Scaling

Independence of resources: Our service is based on Secure Code Warrior’s SaaS platform that is hosted on scalable infrastructure which can adjust to varying demand profiles from users.

Analytics

Service usage metrics: Yes
Metrics types: Metrics on individual users and aggregated Buyer’s organisational training, assessment and tournament performance can be produced as agreed between Capgemini and Buyers.
Reporting types:
  • API access
  • Real-time dashboards
  • Regular reports
  • Reports on request

Resellers

Supplier type: Reseller providing extra features and support
Organisation whose services are being resold: Secure Code Warrior

Staff security

Staff security clearance: Other security clearance
Government security clearance: Up to Baseline Personnel Security Standard (BPSS)

Asset protection

Knowledge of data storage and processing locations: Yes
Data storage and processing locations: EU-US Privacy Shield agreement locations
User control over data storage and processing locations: Yes
Datacentre security standards: Managed by a third party
Penetration testing frequency: At least once a year
Penetration testing approach: Another external penetration testing organisation
Protecting data at rest:
  • Physical access control, complying with another standard
  • Encryption of all physical media
Data sanitisation process: Yes
Data sanitisation type: Deleted data can’t be directly accessed
Equipment disposal approach: A third-party destruction service

Data importing and exporting

Data export approach: Metrics and statistics on user’s performance can be exported in CSV format. Capgemini can agree reporting requirements with the Buyer and produce reports on a periodic basis.
Data export formats: CSV
Data import formats: CSV

Data-in-transit protection

Data protection between buyer and supplier networks: TLS (version 1.2 or above)
Data protection within supplier network: TLS (version 1.2 or above)

Availability and resilience

Guaranteed availability: Please contact Capgemini directly to discuss availability requirements.
Approach to resilience: Please contact Capgemini directly to discuss resilience approach.
Outage reporting: Please contact Capgemini directly to discuss availability reporting.

Identity and authentication

User authentication needed: Yes
User authentication: Username or password
Access restrictions in management interfaces and support channels: Capgemini provides role based identity and authentication to restrict access
Access restriction testing frequency: At least once a year
Management access authentication: Username or password

Audit information for users

Access to user activity audit information: No audit information available
Access to supplier activity audit information: Users contact the support team to get audit information
How long supplier audit data is stored for: Less than 1 month
How long system logs are stored for: Less than 1 month

Standards and certifications

ISO/IEC 27001 certification: No
ISO 28000:2007 certification: No
CSA STAR certification: No
PCI certification: No
Other security certifications: No

Security governance

Named board-level person responsible for service security: Yes
Security governance certified: No
Security governance approach: Our employees are instructed and obliged to comply with Capgemini's security policy and standards, which aim to safeguard the confidentiality, integrity and availability of physical assets and electronic information as well as information hosted on behalf of our Buyers, to enable contractual obligations to be met and enable Capgemini UK to be compliant with relevant laws and regulations.
Information security policies and processes: Capgemini follows its own information security policy, which is referenced against ISO27001:2013 - Information Technology - Security Techniques - Information Security Management Systems - Requirements, ISO 27002:2013 - Information Technology - Security Techniques - Code of Practice for Information Security Controls, and the Information Security Forum - Standard of Good Practice (2014).

Operational security

Configuration and change management standard: Supplier-defined controls
Configuration and change management approach: Capgemini's configuration and change management processes are set out in its ‘Unified Project Method’ (UPM), but can be adapted to comply with specific requirements by agreement with individual Buyers (tailored services may attract additional charges).
Vulnerability management type: Undisclosed
Vulnerability management approach: The Capgemini provided platform is assessed by external pen testers every 9 months. Capgemini can also use Fortify static analysis solution on a continuous basis.
Protective monitoring type: Undisclosed
Protective monitoring approach: Please contact Capgemini directly for details of our Protective Monitoring approach.
Incident management type: Undisclosed
Incident management approach: Capgemini's incident management processes are set out in its ‘Unified Service Method’ (USM), but can be adapted to comply with specific requirements by agreement with individual Buyers (tailored services may attract additional charges).

Secure development

Approach to secure software development best practice: Supplier-defined process

Public sector networks

Connection to public sector networks: No

Pricing

Price: £50000 per user per year
Discount for educational organisations: No
Free trial available: Yes
Description of free trial: Full access to the platform for maximum 2 weeks.
