Is a security audit part of your software development plan?
A security audit can help you gain a better understanding of the threats to your system by evaluating what is being protected, why it’s valuable, who might want it, and how someone might try to harm your organization.
A thorough security audit would involve a number of steps, including reviews of the development lifecycle and of non-functional requirements, an analysis of the language(s), libraries, and tools used to develop your system, and a review of your security architecture. In addition, during a security audit, we would perform a comprehensive code review and analysis, an audit of your system’s existing security, and, if necessary, a review of governmental controls. Through our security audit, your project would also benefit from an analysis of your software development lifecycle (SDLC) support and documented remedies that can be implemented to mitigate deficiencies in the development process.
During our software security analysis, we would examine your current set of security guidelines and policies as well as the coding standards that have been followed. Based on our findings, we would then be able to make suggestions for fully integrating security into the whole lifecycle of your system, from requirements to deployment.
A typical software security analysis includes the following:
Review of Non-Functional Requirements
We examine your organization’s current set of security guidelines, security policies, coding standards, etc., including their rationale for inclusion. We make recommendations for further augmentation.
Review of the Working Set
We review the language, libraries, and tools used to develop your system, with particular attention to known outstanding vulnerabilities. When feasible, changes are recommended based on risks present in each tool, followed by advice on mitigating any high-risk areas through software implementation. When possible, we identify tools that support mitigation of threats in the threat model.
Security Architecture Review
We review the overall system security architecture, including elements such as web servers, databases, middleware, and interfaces to other systems. When possible, we recommend changes based on threats identified in the threat model.
We review the existing code with a focus on mitigating threats identified in the threat model. We pay specific attention to security anti-patterns and areas where code should be refactored for secure coding concepts. We use this information to offer suggestions for remediating security problems in existing code. We then give guidance regarding secure development best practices moving forward. In the absence of a threat model, we focus more on basic secure coding principles than specific measures for identified threats.
Where possible, given the availability of tools for the working set, we perform static and/or dynamic code analysis to provide further insight into potential problems with existing code.
We examine several key areas:
- Review of access controls and granted privileges with an eye to ensuring best practices (e.g. least privilege)
- Review of auditing and logging and their usage throughout the system. Recommendations for logging best practices are given to facilitate forensic analysis in the event of a security breach.
- Review of data protection practices, specifically for data in motion over networks and at rest in databases. Recommendations are given for best practices, especially for conforming to legal and regulatory requirements as may arise from a review of governmental controls.
- Review of the use of cryptography, selected ciphers, and the configuration and usage of random data sources that may be used for security purposes.
- Review of security standards such as password requirements, security schemes, and other applicable security elements not directly covered by the previous items.
Review of Governmental Controls
If applicable, we review relevant government policy, regulations, and guidelines to ensure that the system will meet or exceed the requirements for interacting with government systems, or deployment in a governmental setting.
SDLC Support Analysis
We review the support structures around the development process. This review includes elements such as management support, bug tracking, testing, etc. Based on this review, we give recommendations to augment existing structures and provide new ones that support the secure development process.
We provide checklists and guides to help remedy security deficiencies in the development process. These may include but are not limited to:
- Improvements to existing SDLC processes and patterns
- Secure coding guidelines
- Developer training
- Risk management
- Best practices
- Testing procedures
- Next steps (e.g. penetration testing, required government certifications or reviews, etc.)