
ASG Perspectives


ASG Best Practices: How to Develop and Deliver Secure Software

Data and application security remain a high priority for businesses as hackers exploit network, social and software vulnerabilities to steal data. In addition to growing security threats, governments are requiring organizations to maintain and secure private data with strong regulations that often carry substantial fines. 

To protect data from breaches—and their business from the risk of regulatory non-compliance—organizations must secure their entire externally-facing IT stack, whether managed on premises or in the cloud. This initiative includes using commercial software that is delivered with no known vulnerabilities and continually tested and updated to address new vulnerabilities as they are identified.

In turn, software developers must step up and deliver the secure software that customers need to fuel security initiatives and prevent breaches. Developers must implement a secure software development lifecycle that assesses risks, models threats and solutions through design reviews, and tests software security with both static and dynamic analysis.

Over the last three years, ASG has completely modernized our software development processes, including:
  • adopting agile techniques
  • implementing collaborative development tools
  • moving to standardized techniques such as RESTful APIs
  • adopting common accessible user experience models
  • developing and reusing common components

We also moved to a secure systems development lifecycle (SDLC). A secure SDLC treats security as a core part of software development, not as an afterthought to be tested before final delivery. Our security process cannot be bypassed in any way. Similar to the way we perform automated testing on our products, we have implemented an automated process by which no ASG products can be built—much less released—if a security flaw has been identified.

Setting the Standard for Software Security

ASG is leveraging best-of-breed software test tools and methods to assure our software meets the security standards our customers need. This process is done in the following phases:

1. First and foremost, ASG trains our development community to be knowledgeable and aware of threats and security concerns. In addition, each of our teams includes a designated Security Task Force composed of individuals from various backgrounds (e.g., Dev and Quality Assurance) who are accountable for mentoring and ensuring our security guidelines are followed. They also work with our security team to perform threat modeling exercises on our releases.

2. Next, we automatically identify and scan all third-party code, whether from open source or other partners, for security vulnerabilities. Many software breaches happen when attackers exploit flaws introduced by third-party libraries that are common to many software products. To eliminate this possible vulnerability, we scan our code repositories to identify libraries that are severely outdated, have conflicting licensing terms, or have security flaws identified by the community. None of our products are allowed to be released if any of these conditions are identified.

3. The team automatically scans our source code to identify incorrect security practices in our code and immediately alerts our developers. This allows them to both increase their knowledge of secure development best practices and fix potential future security threats. To provide rapid feedback and correction, we do this validation both when new code is committed (real-time security) and when our product is automatically built. If issues are found during the build, the build fails until the issue is resolved.

4. ASG automatically deploys and tests our products as part of our automated Quality Assurance (QA) cycle to look for security flaws in this stage of delivery. During this cycle, all product transactions are monitored and analyzed. Any security issue will fail the build, just as if a critical bug were found in the product.

5. Last but not least, our internal security team uses a combination of tooling, as well as their own knowledge, to perform intensive penetration testing on our products before they are released.
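To make the build-blocking gate described in phases 2 and 3 concrete, here is an added example (not ASG's own tooling) of a release gate that evaluates a third-party dependency scan report against the three conditions the post names: severely outdated libraries, conflicting licenses, and community-reported vulnerabilities. The deny list, severity threshold, "two major versions behind" rule, and the sample report with its package names and advisory id are all assumptions constructed for the example.

```python
"""Release gate for third-party dependency (SCA) scan results.

Added example, not ASG's own process tooling. Any violation fails the gate,
mirroring a CI stage that blocks a build or release.
"""
from dataclasses import dataclass, field

# Policy assumptions (not from the post): licenses that conflict with a
# proprietary product, severities that block, and what "severely outdated" means.
DENIED_LICENSES = {"GPL-3.0", "AGPL-3.0"}
BLOCKING_SEVERITIES = {"CRITICAL", "HIGH"}
MAJOR_VERSIONS_BEHIND_LIMIT = 2


@dataclass
class Dependency:
    name: str
    version: str          # version pinned in the repository
    latest: str           # latest version published upstream
    license: str          # SPDX-style license identifier
    vulns: list = field(default_factory=list)   # list of (advisory_id, severity)


def major(version: str) -> int:
    """Leading numeric component of a version string ('4.17.21' -> 4, 'v2' -> 2)."""
    head = version.split(".")[0]
    digits = "".join(ch for ch in head if ch.isdigit())
    return int(digits) if digits else 0


def evaluate(deps):
    """Return human-readable violations; an empty list means the gate passes."""
    violations = []
    for d in deps:
        if major(d.latest) - major(d.version) >= MAJOR_VERSIONS_BEHIND_LIMIT:
            violations.append(f"{d.name}@{d.version}: severely outdated (latest {d.latest})")
        if d.license in DENIED_LICENSES:
            violations.append(f"{d.name}@{d.version}: license {d.license} conflicts with policy")
        for advisory_id, severity in d.vulns:
            if severity.upper() in BLOCKING_SEVERITIES:
                violations.append(f"{d.name}@{d.version}: {severity} vulnerability {advisory_id}")
    return violations


def gate(deps) -> int:
    """CI entry point: report findings and return the exit code (0 pass, 1 fail)."""
    violations = evaluate(deps)
    for v in violations:
        print("BLOCK:", v)
    if violations:
        print(f"release gate FAILED with {len(violations)} finding(s)")
        return 1
    print("release gate passed")
    return 0


# Constructed sample report; package names, versions and the advisory id are placeholders.
SAMPLE_REPORT = [
    Dependency("acme-json", "1.2.0", "1.4.3", "MIT"),
    Dependency("legacy-xml", "2.0.1", "5.1.0", "Apache-2.0"),
    Dependency("copyleft-lib", "3.3.0", "3.3.0", "AGPL-3.0"),
    Dependency("net-utils", "0.9.0", "0.9.2", "BSD-3-Clause",
               vulns=[("EXAMPLE-2019-0001", "high")]),
]

if __name__ == "__main__":
    raise SystemExit(gate(SAMPLE_REPORT))
```

Run as a CI step, the non-zero exit code is what makes the gate non-bypassable: the pipeline stops before the build artifact is produced, and the printed findings give the developer the immediate feedback the post describes. A real deployment would feed `evaluate` from the scanner's report format and keep the policy constants in version control so changes to the thresholds are reviewed like code.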

ASG seeks to engineer security into our products and then test it along the path to delivery and beyond into operation. Our process is largely automated to guarantee our customers and our teams that it will not be overlooked. ASG customers expect secure software, and we have put this process in place to identify and address vulnerabilities so we can deliver on those customer demands.

Learn how you can better secure your organization’s IT stack by exploring ASG’s Enterprise Information Management and IT Systems Management products today.
Posted: 1/17/2019 10:36:36 AM by Pascal Vitoux
Filed under: best, breach, data, developer, hacker, information, IT, management, practices, security, software, systems