Digital White Papers

October 2013 Risks and Rewards

publication of the International Legal Technology Association

Issue link: https://epubs.iltanet.org/i/192213


FIVE STEPS TO BUILT-IN XXXX SOFTWARE SECURITY

month of a projected six-month project. The static code can be analyzed via in-house tools; however, it is easier to contract this out since third-party vendors can develop analysis tools for various frameworks and platforms quickly and more efficiently. Various security vendors provide SaaS-based analysis tools wherein the code is uploaded to the vendor's portal for security scanning. Analysis of the static code must be set up within a framework that maps back to the risk classification for the project. This scanning risk framework defines what applications are to be scanned and the bare minimum scanning interval. Below is a high-level risk framework that can be used:

STATIC ANALYSIS / PENETRATION TEST
• All applications every six months
• Mobile applications
• New platform

Another advantage of the vendor-provided portal is that new information spanning product lines within the company is available to the in-house security team. The security team managing the portal can learn about trends and data across the company. The security team can learn, for example, that the most common security flaws are injection-related, which means stronger emphasis needs to be put on input validation. Accordingly, in-house training programs can be tweaked to put stronger emphasis on injection flaws.

The penetration test typically is done late in the development cycle. The penetration test should be the icing on the cake and a non-event, rather than being the only thing the security framework depends on. Timing of the penetration test is rather subjective. Doing it too early will result in incomplete coverage since parts of the system might not be ready and additional code will be added post-penetration test. Waiting too long to do the test is also a problem because that leaves very little time to fix any issues that arise.

Security Testing Through Quality Assurance:

Security testing through quality assurance (QA) requires that the QA team also undergo security training so the team can create adequate testing plans. The QA team can create their own security tests that might be as simple as verifying security fixes in certain parts of the code that consistently fail during static scans. Security testing by the QA team is not expected to replace the security scan results; it should complement them.

The QA team also needs to ensure the production data used in testing is handled adequately and that the risks associated with testing on production data are understood and visible to management. All too often the security of the production data being tested is overlooked since the data is not in a production environment. This can result in data leakage to the customer or the public. The team should ensure QA systems are secure and external-facing servers are patched sufficiently. In addition, a defense-in-depth strategy must be used to secure QA systems. This can include
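The scanning risk framework described above, as an added example that is not part of the article: each application's risk classification maps to a minimum static-analysis interval (the six-month floor applies to every tier), and the penetration-test triggers the framework names (mobile applications, new platforms) are flagged alongside overdue scans. The risk tiers, intervals and inventory entries are constructed assumptions.

```python
# Added example, not the article's own code. Tiers and intervals are assumed;
# the article only states the six-month floor for all applications.
from __future__ import annotations
from dataclasses import dataclass
from datetime import date, timedelta

MIN_SCAN_INTERVAL = {            # minimum static-analysis interval per tier
    "high": timedelta(days=30),
    "medium": timedelta(days=90),
    "low": timedelta(days=182),  # the six-month floor applied to everything
}

@dataclass
class Application:
    name: str
    risk: str                    # "high" | "medium" | "low"
    last_static_scan: date | None
    mobile: bool = False
    new_platform: bool = False

def static_scan_overdue(app: Application, today: date) -> bool:
    """Never scanned, or the tier's minimum interval has lapsed."""
    if app.last_static_scan is None:
        return True
    interval = MIN_SCAN_INTERVAL.get(app.risk, MIN_SCAN_INTERVAL["low"])
    return today - app.last_static_scan > interval

def pentest_required(app: Application) -> bool:
    """Penetration-test triggers the framework names: mobile or new platform."""
    return app.mobile or app.new_platform

def scan_plan(apps: list[Application], today: date) -> dict[str, list[str]]:
    """Map each application to the scans it still owes as of `today`."""
    plan: dict[str, list[str]] = {}
    for app in apps:
        actions = []
        if static_scan_overdue(app, today):
            actions.append("static-analysis")
        if pentest_required(app):
            actions.append("penetration-test")
        plan[app.name] = actions
    return plan

# Constructed inventory for illustration.
INVENTORY = [
    Application("billing-portal", "high", date(2013, 8, 1)),
    Application("client-mobile", "medium", date(2013, 9, 15), mobile=True),
    Application("intranet-wiki", "low", date(2013, 3, 1)),
    Application("docket-service", "medium", None, new_platform=True),
]
```

Calling scan_plan(INVENTORY, date(2013, 10, 1)) returns the list of scans each application still owes; an empty list means nothing is due.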
