Cyber Security – Secure Software Development

TEKenable is certified to deliver secure software development for your business.

Our Secure Software Development Lifecycle

Security cannot be added to software after it has been built.  Security begins with a clear understanding of the needs of the software application and is embodied into the software through an appropriate architecture, design, skilled implementation and verification process.  This is known as a Secure Software Development Life Cycle, an SSDLC.

All the software that we develop is developed in compliance with ISO27001:2013 and is resistant to the OWASP Top 10 attacks. We penetration test our software as part of system testing and are often tested by third party security companies as part of our customer’s acceptance testing. We hold CISSP, CISM and CSSLP certifications as well as ISO9001, ISO27001 and Cyber Essentials Certification as proof of our commitment to security.

The image below shows our SSDLC.

[Image: Secure SDLC]

Qualify

Before you choose a software development company you need to ask: do they have the capability to deliver secure software?

TEKenable is certified to ISO27001 (Information Security Best Practice), ISO9001 (Repeatable processes leading to repeatable outcomes) and Cyber Essentials (UK Security standard).  We hold key, difficult to earn certifications:

  • CISSP – Certified Information Systems Security Professional
  • CISM – Certified Information Security Manager and
  • CSSLP – Certified Secure Software Lifecycle Professional

Finally, we train and test all of our staff not just on Information Security Policy and GDPR but also on Secure Code techniques using SecureCodeWarrior.

Our internal security is audited every six months and we use many of the software products that we promote ourselves.

Can your current provider say the same?

Risk and Need

Every system exists in a defined environment: Internet-facing or internal, unattended kiosk, data center or cloud-hosted.

That same system has a unique potential impact if it were to be compromised.  For example, a recent system TEKenable built manages the electoral register.  That system presents a risk of data leakage (personal details of people registered to vote) and, as it allows new voters to register and existing ones to change their registration, the risk of perverting an election through the creation of phantom voters exists.

The correct Risk Assessment informs the Security Requirements which then flow to the next step of the SSDLC.

Security Architecture

Just as any computer system has a technical architecture, a definition of what the moving parts are, how they are constructed and hosted, and how they interoperate, so a computer system should have a Security Architecture.

The Security Architecture defines how the security requirements of the system are to be applied, what infrastructure, software applications, management and monitoring are required and how the security of the application will be an integral part of its design.

TEKenable have many IT Architecture templates that reflect the different Risks and Needs of the systems that we have designed and built, many of which have been validated as Best Practice by platform vendors such as Microsoft’s Azure FastTrack team.

Software Build

TEKenable has a very large library of pre-built software modules that provide low level services such as password storage and validation through to much more demanding functionality like Workflow, Auditing, Reporting and User Role Management.  By reusing these on our projects we are able to build upon a secure foundation of tried and tested software functionality both accelerating and de-risking solution delivery.

When new software is built it must conform to standard patterns providing for secure code.  The software is subject to peer review and we have started using a static inspection tool which checks software on check-in to our software version control system enforcing coding standards.

The use of the latest libraries from third parties whenever possible combined with all of the above ensures that the software build is as secure as possible.

Security Testing

While we build all software with security in mind, some systems that we deliver have a particularly high risk profile.  For these, our customers engage independent security consultancies to test and validate our work.  The independent review usually considers not just a Penetration Test but also the architecture, infrastructure configuration and sometimes even our own internal policies and standards.

A recent system developed by us, under NDA, is one of Ireland’s largest financial services databases.  It is a hybrid solution hosted mainly in Azure and has been examined and passed by one of the “big four” for compliance to CBEST standard (https://www.crest-approved.org/schemes/cbest/index.html).  Quoting from CREST who define this standard:

CBEST differs from other security testing currently undertaken by the financial services sector because it is threat intelligence based, is less constrained and focuses on the more sophisticated and persistent attacks against critical systems and essential services. The inclusion of specific cyber threat intelligence will ensure that the tests replicate as closely as possible the evolving threat landscape and therefore will remain relevant and up to date.

It is a testament to TEKenable’s SSDLC process that we were able to pass this comprehensive evaluation.

Release

There are some very specific considerations that have to be dealt with in the Release process:

  • How do we know that the software has not been tampered with prior to release?
  • How do we ensure that the access rights needed to make a release are not abused, for example to access data?

We have an Ireland and hence EU based release team that ensures GDPR compliance in that production data sets are not exposed outside the EU.  Our release team uses a combination of our software version control system, service management system and testing management services to ensure that the software released is the software that has been through the test and verification process.

We have a very high level of traceability.  We are able to determine, for each and every change made, what initiated the change, what the change was, which lines of software were impacted, who made the change and when, who tested it and what the outcomes were, and who released it and when.

We use Privileged Account Management software, and, where compatible with the release target platform, we use two factor authentication to ensure the administrative credentials used for release are securely managed.

We offer the following services….

Find Out More

Read more about our case studies or get in touch to find out more
