Interview with Dmitry Voytik

“Security is a teamwork”

news

As part of the company’s 25th anniversary interview cycle, we continue to share details of our development in various areas. This time we were able to communicate with Dmitry Voytik, CTO of SYSTEM TECHNOLOGIES, about the implementation of the secure software development process — or SSDLC, in our company.

How did SYSTEM TECHNOLOGIES come to understand the need for a secure software development process?

The security issue has always been important for us, but a concrete impetus for the systematization of this approach was the certification process according to the International Information Security Management Standard ISO/IEC 27001.

This international standard sets out the requirements for information security management systems and allows organizations to manage the security of assets — such as financial information, intellectual property, or information provided by third parties.

As we passed this certification, we conducted a deep analysis of all our processes and realized that security could not be “glued” to the product in the last stages of development. It should be integrated at all levels and in all processes — from the idea to the support of the already launched product. This awareness was the catalyst for the introduction of SSDLC into our development.

What specific technologies and tools do we use to implement this approach?

We use a wide range of tools. For static code analysis (SAST), we use Sonarqube and Checkmarx. For dynamic testing (DAST) — Acunetix and OWASP ZAP. We also have tools for scanning dependencies, for example OWASP Dependency Check, for modeling threats we use IriusRisk. This allows us to conduct deep analysis at various levels — from code to architecture.

news

Why is this so important to us and to our customers?

The importance of this approach is hard to overstate. The first thing worth mentioning is savings. Fixing vulnerabilities early in development is much cheaper than fixing bugs in an already running product. The second is reputation. We want our customers to trust us and to do that we need to provide them with safe products. And the third, which is equally important, is a continuous process. Vulnerabilities can appear not only in our code, but also in operating systems, libraries and other third-party components that we use.

Therefore, it is necessary to conduct constant security monitoring, update products and respond to new threats as soon as possible.

What benefits does the customer benefit from our approach to secure development?

The client receives not just a product, but a product with a guaranteed level of security. We provide regular vulnerability reports, remediation recommendations, and even security advice. This not only increases the level of cyber resistance of the product, but also gives the client confidence that his business and data are completely secure.

news

What can be said about the role of SecDevOps in this process? And, by the way, we have two wonderful SecDevOps engineers in the company — Vitali and Evgeny. How do they affect the safe development process?

SecDevOps is the integration and automation of security processes, which allows us to ensure security at all stages of development and operation. This is a key element of our strategy because it allows us to automate many aspects of security and thereby reduce the time to identify and fix vulnerabilities.

As for Vitali and Evgeny, these guys are real professionals in their business. Thanks to their efforts and dedication, we were able to realize many tasks that previously seemed to us difficult or even impossible.

Training in safe practices is important for all employees, but especially critical for developers who work directly with code. The quality and safety of our product depends on their competence in the field of safety. How do we provide the necessary level of training for our developers in this regard?

Indeed, developer training is critical, because it is they who design the architecture of our applications, write code and fix bugs, and it is their level of understanding of the principles of secure development that determines the number of potential vulnerabilities in our product.

We use several approaches for training.

First, we have internal courses and workshops conducted by our SecDevOps engineers. Secondly, we use the CTF (Capture The Flag) method, which allows developers to put their security knowledge into practice, solving real problems. This method includes vulnerabilities from OWASP TOP-10 and other current security issues. Thus, our training strategy is aimed at making each developer an expert in the field of information security, which ultimately reduces risks and improves the quality of our product.

In conclusion, it should be noted that security is a teamwork. And every member of our team, from developers to SecDevOps, contributes to a secure and reliable product. We continue to learn and improve to be one step ahead and offer our customers the best solutions in the market..

Contact us

Minsk, 3 Akademika Kuprevicha street
Minsk, 1/1 Akademika Kuprevicha street

Legal and postal address:
"SYSTEM TECHNOLOGIES" JLLC
220084, Republic of Belarus, Minsk,
3-10b, Akademika Kuprevicha str., 5th floor

    By sending a message, you automatically agree to
    the privacy policy

    The site st.by collects non-personalized user data through cookies. For more information see the Cookies Policy

    Accept Cookies Policy