Tue, September 5
As part of the company’s 25th anniversary interview series, we continue to share details of our development in various areas. This time we spoke with Dmitry Voytik, CTO of SYSTEM TECHNOLOGIES, about the implementation of a secure software development lifecycle (SSDLC) in our company.
Security has always been important to us, but the concrete impetus for systematizing this approach was certification against the international information security management standard ISO/IEC 27001.
This international standard sets out the requirements for information security management systems and allows organizations to manage the security of assets such as financial information, intellectual property, or information provided by third parties.
As we went through this certification, we conducted a deep analysis of all our processes and realized that security cannot be “glued” onto the product in the last stages of development. It should be integrated at all levels and in all processes, from the idea to the support of an already launched product. This realization was the catalyst for introducing SSDLC into our development.
We use a wide range of tools. For static code analysis (SAST), we use SonarQube and Checkmarx. For dynamic testing (DAST), Acunetix and OWASP ZAP. We also have tools for scanning dependencies, for example OWASP Dependency-Check, and for threat modeling we use IriusRisk. This allows us to conduct deep analysis at various levels, from code to architecture.
The importance of this approach is hard to overstate. The first thing worth mentioning is savings. Fixing vulnerabilities early in development is much cheaper than fixing bugs in an already running product. The second is reputation. We want our customers to trust us, and to do that we need to provide them with secure products. The third, which is equally important, is that security is a continuous process. Vulnerabilities can appear not only in our code, but also in operating systems, libraries and other third-party components that we use.
Therefore, it is necessary to conduct constant security monitoring, update products and respond to new threats as soon as possible.
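The dependency-scanning step mentioned above boils down to one check: does the version we ship fall inside a published vulnerable range? The following is an added editorial example, not code from the interview or from SYSTEM TECHNOLOGIES, and not OWASP Dependency-Check itself. It matches a constructed requirements-style manifest against a constructed advisory list (package names, versions and advisory identifiers are all hypothetical) using the same comparison logic a real scanner applies to a live feed such as the NVD.

```python
"""Minimal known-vulnerability matcher for a dependency manifest.

Added illustrative example: the manifest and the advisory feed below are
constructed for this demonstration. Real scanners (e.g. OWASP Dependency-Check)
do the same range matching against live advisory data.
"""
import re

# Constructed manifest in pip requirements.txt style (hypothetical packages).
MANIFEST = """
# constructed sample, not a real project
webframework==2.3.1
jsonparser==1.0.4
imagelib==4.8
"""

# Constructed advisory feed: vulnerable range as comma-separated constraints.
ADVISORIES = [
    {"package": "webframework", "affected": ">=2.0.0,<2.3.2",
     "id": "EXAMPLE-0001", "severity": "high"},
    {"package": "jsonparser", "affected": "<1.0.0",
     "id": "EXAMPLE-0002", "severity": "medium"},
    {"package": "imagelib", "affected": ">=4.8.0,<4.9.0",
     "id": "EXAMPLE-0003", "severity": "critical"},
]

SEVERITY_ORDER = {"critical": 0, "high": 1, "medium": 2, "low": 3}
_CONSTRAINT = re.compile(r"^(<=|>=|==|<|>)\s*([0-9][0-9.]*)$")


def parse_version(v: str) -> tuple[int, ...]:
    """'4.8' -> (4, 8). Non-numeric tags are out of scope for this example."""
    return tuple(int(p) for p in v.strip().split("."))


def compare(a: tuple[int, ...], b: tuple[int, ...]) -> int:
    """Zero-pad before comparing so that 4.8 == 4.8.0 (plain tuple
    comparison would wrongly treat (4, 8) as smaller than (4, 8, 0))."""
    n = max(len(a), len(b))
    a, b = a + (0,) * (n - len(a)), b + (0,) * (n - len(b))
    return (a > b) - (a < b)


def in_range(version: str, spec: str) -> bool:
    """True if version satisfies every constraint in spec (AND semantics)."""
    v = parse_version(version)
    for part in spec.split(","):
        m = _CONSTRAINT.match(part.strip())
        if not m:
            raise ValueError(f"bad constraint: {part!r}")
        op, bound = m.groups()
        c = compare(v, parse_version(bound))
        ok = {"<": c < 0, "<=": c <= 0, ">": c > 0, ">=": c >= 0, "==": c == 0}[op]
        if not ok:
            return False
    return True


def parse_manifest(text: str) -> dict[str, str]:
    """Pinned 'name==version' lines -> {name: version}; comments skipped."""
    deps = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        name, sep, version = line.partition("==")
        if sep:
            deps[name.strip().lower()] = version.strip()
    return deps


def scan(manifest_text: str, advisories: list[dict]) -> list[dict]:
    """Return findings sorted by severity, most severe first."""
    deps = parse_manifest(manifest_text)
    findings = []
    for adv in advisories:
        installed = deps.get(adv["package"].lower())
        if installed is not None and in_range(installed, adv["affected"]):
            findings.append({"package": adv["package"], "installed": installed,
                             "advisory": adv["id"], "severity": adv["severity"]})
    return sorted(findings, key=lambda f: SEVERITY_ORDER[f["severity"]])


if __name__ == "__main__":
    for f in scan(MANIFEST, ADVISORIES):
        print(f"{f['severity'].upper():9} {f['package']}=={f['installed']}  {f['advisory']}")
```

Two details matter in practice and are deliberately handled here: the zero-padding in `compare`, because `4.8` and `4.8.0` are the same release, and the exclusive upper bound (`<2.3.2`), which is how fixed versions are normally expressed in advisories. The third point the interview makes, that vulnerabilities appear in third-party components over time, is why a check like this has to run on every build against a refreshed feed rather than once at release.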
The client receives not just a product, but a product with a guaranteed level of security. We provide regular vulnerability reports, remediation recommendations, and even security advice. This not only increases the cyber resilience of the product, but also gives the client confidence that their business and data are completely secure.
SecDevOps is the integration and automation of security processes, which allows us to ensure security at all stages of development and operation. This is a key element of our strategy because it allows us to automate many aspects of security and thereby reduce the time to identify and fix vulnerabilities.
As for Vitali and Evgeny, these guys are real professionals in their field. Thanks to their efforts and dedication, we were able to accomplish many tasks that previously seemed difficult or even impossible to us.
Indeed, developer training is critical, because it is they who design the architecture of our applications, write code and fix bugs, and it is their level of understanding of the principles of secure development that determines the number of potential vulnerabilities in our product.
We use several approaches for training.
First, we have internal courses and workshops conducted by our SecDevOps engineers. Second, we use the CTF (Capture The Flag) method, which allows developers to put their security knowledge into practice by solving realistic problems. This method covers vulnerabilities from the OWASP Top 10 and other current security issues. Thus, our training strategy is aimed at making each developer an expert in the field of information security, which ultimately reduces risks and improves the quality of our product.
In conclusion, it should be noted that security is teamwork. Every member of our team, from developers to SecDevOps, contributes to a secure and reliable product. We continue to learn and improve in order to stay one step ahead and offer our customers the best solutions on the market.