Analysis and Security Requirements Phase
Building real secure software should start in the initial planning phases of the project and should consider security requirements as a main part of the project requirements.
What we can support are as follows:
- Help Systems Analysts to identify security and privacy requirements.
- Review project plan and make recommendations and may set additional project requirements from security perspective.
- Mandate the usage of a bug tracking/security job assignment system.
- Define security and privacy bug bars.
Security and privacy design specifications should describe how to implement these features in details and how to implement all functionality as secure features. In this phase we define and document security architecture, identify security critical components for the network structure, operating system, web and database server, developed software project.
- Identify and plan for design techniques implementations (layering, managed code, attack surface minimization, least privilege…etc).
- Define attack surface and limit through default settings.
- Building a Threat Model for the design based on prospected risks
• Systematic review of product architecture and features from a security point of view.
- Identify custom criteria due to unique project security issues.
• Identify threats and solutions.
Integration of our supported security tools (Parasoft application security monitoring tools – look at www.parasoft.com) with development and testing environment to ensure secure deployment and operation later. The following steps are achieved during this phase:
- Static source code analysis and review:
- Facilitates regulatory compliance.
- Ensures that the code meets uniform expectations around security, reliability, performance, and maintainability.
- Eliminates entire classes of programming errors by establishing preventive coding conventions.
- Data flow static analysis; Detects complex runtime errors related to resource leaks, Null Reference Exceptions, SQL injections, and other known security vulnerabilities
- Metrics analysis; Identifies complex code, which is historically more error-prone and difficult to maintain
- Peer code review process automation
- Automates and manages the peer code review workflow- including preparation, notification, and tracking- and reduces overhead by enabling remote code review on the desktop.
- Unit test generation and execution; Enables the team to start verifying reliability and functionality before the complete system is ready, reducing the length and cost of downstream processes such as debugging
- Automated regression testing; Generates and executes regression test cases to detect if incremental code changes break existing functionality or impact application behavior
- Coverage analysis; Assesses test suite efficacy and completeness using a multi-metric test coverage analyzer; this helps demonstrate compliance with test and validation requirements such as FDA
- Team deployment and workflow; Establishes a sustainable process that ensures software verification tasks are ingrained into the team's existing workflow and automated so team members can focus on tasks that truly require human intelligence.
- Error assignment and distribution; Facilitates error review and correction; each issue detected is prioritized, assigned to the developer who wrote the related code, and distributed to his or her IDE with direct links to the problematic code.
- Centralized reporting; Ensures real-time visibility into quality status and processes; This helps managers assess and document trends, as well as determine if additional actions are needed for regulatory compliance.
Note: Star-ware can perform the above mentioned tasks on a consulting basis instead of deploying tools permanently. The customer should advise which model will suit his needs.
SECURITY & QUALITY TESTING SCOPE OF WORK ORIGNIAL PROPOSAL 3 Full-lifecycle quality platform ensures secure, reliable, compliant business processes. It was built from the ground up to prevent errors involving the integrated components as well as reducing the complexity of testing in today's distributed, heterogeneous environments.
Continuously validates all critical aspects of complex transactions which may extend through web interfaces, backend services, ESBs, databases, and everything in between
Advanced web app testing
Guides the team in developing robust, noiseless regression tests for rich and highly-dynamic browser-based applications
Application behavior virtualization
Automatically emulates the behavior of services, and then deploys them across multiple environments—streamlining collaborative development and testing activities. Services can be emulated from functional tests or actual runtime environment data
Verifies application performance and functionality under heavy load; Existing end-to-end functional tests are leveraged for load testing, removing the barrier to comprehensive and continuous performance monitoring
Specialized platform support
Accesses and executes tests against a variety of platforms (AmberPoint, HP, IBM, Microsoft, Oracle/BEA, Progress Sonic, Software AG/webMethods, TIBCO)
Prevents security vulnerabilities through penetration testing and execution of complex authentication, encryption, and access control test scenarios
Trace code execution
Provides seamless integration between SOA layers by identifying, isolating, and replaying actions in a multi-layered system
Continuous regression testing
Validates that business processes continuously meet expectations across multiple layers of heterogeneous systems; this reduces the risk of change and enables rapid and agile responses to business demands.
Ensures that all aspects of the application meet uniform expectations around security, reliability, performance, and maintainability
Provides governance and policy validation for composite applications in BPM,SOA, and cloud environments to ensure interoperability and consistency across all SOA layers.
Operations and Application Security After Launch
- Plan and design an application auditing platform that is being used after launch phase to measure and track security parameters.
- Define the security parameters and its related data and how to log and maintain such entries.
- Integrating the logging/triggering module (with best security practice) into the developed software project.
- Plan the development of the monitoring and management secure interface.
- Plan the implementation of the related alerting system for critical or specified activities or application actions.
- Training the operators for best practices and optimum usage of the auditing and monitoring platform.