Security Development Lifecycle
The development of cybersecurity products is a multi-stage process. Product reliability, security, and effectiveness depend not only on a vendor’s technical capabilities, but also on how the vendor runs its development process. This white paper discusses Infotecs’ approach to running secure software development.
Infotecs has produced cybersecurity products for more than 25 years and is committed to their high quality and reliability. To achieve this goal, the company has implemented the Infotecs Security Development Lifecycle (ISDL). With ISDL, we strive to:
- Enhance overall reliability and security of our solutions,
- Minimize risks and potential adverse implications of vulnerability exploitation,
- Detect and eliminate vulnerabilities proactively.
When developing ISDL, the Company applied best practices of leading vendors, such as Microsoft and Cisco, and followed the recommendations of ISO 27001, ISO 27034, ISO 15408, FIPS 140-2, NIST, and HIPAA. When developing our products, we also consider additional market-based security requirements that apply to them, for example, the requirements of the government, financial, and healthcare markets.
The ISDL process embraces all aspects of product development, including requirements, architecture, code development, build environment security, customer service and other stages. Under ISDL, additional measures that enhance the security of the end product are implemented at each development stage. All development teams complete additional security development training and have an assigned security “champion” who is responsible for product security. The ISDL process is coordinated throughout the Company by dedicated security advisers.
The Infotecs Security Development Lifecycle is subject to continuous improvement to increase process effectiveness and to detect and eliminate deficiencies in our products. Infotecs focuses on keeping its security processes up to date in response to advances in information technology, new threats, and new protection methods.
Requirements and Architecture
Security requirements for our products are defined during the initial development stage. This involves a survey of legislation, national standards, certification requirements, and market-based requirements, as well as consideration of internal security requirements and industry best practices. Security experts develop the product’s threat model, which defines what should be protected and from which kinds of threats. Based on the security requirements and threat model, a product architecture is designed and subjected to a multi-step review by our security experts.
At the development stage, all available security measures are applied: enabling compiler security options, conducting security code reviews, and testing code quality with static analyzers. Compliance with these rules is verified at the build stage on continuous integration servers.
All third-party components used are evaluated for security, and new CVEs are tracked. When vulnerabilities are detected in third-party components, a security patch for the product is released.
Apart from standard unit and functionality tests, the Company applies a number of additional practices to verify the security of the final solution:
- The product is tested for compliance with security requirements,
- All network protocols are subjected to fuzz testing, a software testing technique that finds implementation bugs by automatically injecting malformed or semi-malformed data,
- The end product undergoes vulnerability scanning and penetration testing by independent, third-party security experts.
If critical vulnerabilities are detected at the release stage, the release is suspended and the product is fixed before release.
Security advisers regularly audit compliance with ISDL practices in all development projects.
All product delivery stages, from the build environment to installation at the customer’s site, are subject to thorough monitoring. Build infrastructure is implemented according to ISO 27001 security requirements. Software integrity is verified at delivery, installation, and execution stages.
Infotecs products have a defined life cycle and technical support policy, which is available to our customers and other interested parties on the “Infotecs Technical Support Policy for Software & VA Products” page. The Company delivers security patches and critical bug fixes throughout the product life cycle.
With extended support, the customer is entitled to face-to-face contact with the account manager, technical support by an assigned expert, and a faster response to critical issues. Additionally, we can arrange webinars and workshops covering infrastructure security best practices for customers’ representatives.