QUESTION
Are Globalscape's applications being developed using common secure coding practices?
ANSWER
Our software development team follows industry-standard security programs (including CISSP and CSSLP) and well-known security best practices such as those published by OWASP, Microsoft, and others to prevent common coding vulnerabilities and to minimize security errors. Our development process includes peer review and static code analysis to mitigate the risk of security errors, and practical validation of security through both automated and manual testing. Our software is periodically subject to external security audits ("pen tests") with a consistent history of excellent results. In all, Globalscape maintains a diligent, pragmatic approach to ensuring high levels of security in all software that we deliver.
Specific security tactics include but are not limited to the following:
- Follow secure coding practices as recommended by OWASP, Microsoft, and other resources
- Conduct "brown bags" for engineers regarding secure coding practices, including classes offered by third-party security firms
- Provide off-site training for engineers for secure coding practices
- Enable security flags and high warning levels in the development environment to enforce use of secure functions and types
- Maintain and follow a Security Vulnerability Assessment and Response Process
- Monitor security industry watch lists for known vulnerabilities
- Run security scanners/fuzzers against the various protocols and interfaces
- Integrate security verification into the quality assurance process
- Track and monitor potential vulnerabilities in a bug tracking system
- Employ tools such as FindBugs and PMD to automatically catch potential coding and security issues
- Follow a process to review and update third-party libraries for major releases
- Implement security-related unit testing and automated testing to prevent accidental breakage