Safety And Security: How We Secure Our Products
The changing landscape of software security
As the number of information security issues and data breaches have skyrocketed in recent years, customers have increasingly turned to ActiveNav to help them manage the risks that lurk in their unstructured data. Not unsurprisingly, they are also keen to understand that our software is secure and will not increase their risk of being exposed to a cybersecurity incident.
Our software development processes have always paid close attention to the security of our products and the quality of the code we produce. In recent years, we have seen significant growth in the maturity of questions that customers raise during the sales process to assure themselves of our security posture. As a result, we have increased the formality of our development processes as part of recently attaining our ISO 27001 certification.
For our development teams, our overall approach to the Software Development Lifecycle is documented in our Product Delivery Model (PDM). The PDM requires us to define a Product Security Model for each of our product offerings, utilising a threat modelling approach to analyse interactions between product components and to identify areas of risk to be considered during development and testing. As part of the close attention we pay to security, we have also introduced mandatory secure development training for all our development team members and have incorporated automated security testing into all our build processes.
For security testing, we have integrated security testing services from Veracode into the build process for all our products. This week, our on-premises product has been listed in the Veracode Verified directory to recognise the use of Veracode’s products as part of our software quality assurance, and our new cloud product will soon be added to the directory as well. You can read more in this press release.
Static and Dynamic Testing
Veracode’s Static Analysis Security Testing (SAST) service analyses all data paths through the source code of our products to check for a range of issues that may introduce vulnerabilities into our products. These include factors such as input validation, output encoding, information leakage into logs, hardcoded passwords, etc.
In contrast, the Dynamic Application Security Testing (DAST) service is used to analyse deployed web applications and can detect issues with application configuration and apply common attack patterns to identify the type of vulnerability that is typically the first step in an exploit.
Software Composition Analysis
Modern software products are constructed using a huge variety of third-party components that speed up our development cycles and increase the reliability and security of our applications. However, the introduction of third-party components into our products does represent a potential route for vulnerabilities to be introduced inadvertently. The Software Composition Analysis (SCA) service provided by Veracode generates an inventory of the third-party components in use and by reference to vulnerability databases can highlight if any component contains vulnerabilities, regardless of when they are discovered.
Secure Development is Key
In security testing, the effect of this type of approach is often referred to as facilitating a “shift left” in the detection of potential issues. Because the SAST, DAST and SCA analysis is performed throughout the development cycle, potential issues are detected early and are easier for us to address, with less impact on our schedules.
In much the same way that our products allow our customers insights into their unstructured data, that are often impossible for their staff to attain without our software, the analysis performed by Veracode provides us with a continually updated view of prioritised risks in our applications to allow our developers to triage issues and to adapt our own code or our use of third-party components as appropriate.
Our whole product delivery process, and security aspects, in particular, are continually reviewed and refined to ensure that customers can trust us to deliver insight into their unstructured data without introducing additional risks.
We are always happy to talk to current and potential customers through the approaches we use to help give them confidence in the security of our products. Please feel free to contact me if you have any questions.