Onboarding a reliable and secure software development partner solves so many problems. A stable and elastic partner will enable you to pivot, flex, and speed up or down safely. When outsourcing software development, passing security requirements is an overwhelming and essential step to take with your vendor, IT team, and security group.
The mark of an organized, professional software development partner is one who can produce evidence of their ability to ensure security on multiple levels: your data, the source code, how the software is designed, and the environment or infrastructure where the software lives and teams operate.
Here’s a comprehensive guide on how to evaluate vendors and vendor security. We also provide information about our security practices in software development here at Integrant.
How your vendor handles your code is a good representation of how they’ll handle the business relationship.
Cyberattacks are becoming increasingly complex, and in the past, there was no standard set of guidelines used to address this growing threat. In 2013, President Obama called for standards creation, and the National Institute of Standards and Technology (NIST) responded with its Cybersecurity Framework (CSF) in 2014. In 2017, President Trump issued an executive order requiring the US government to implement NIST CSF standards. In December 2017, NIST published an update, Version 1.1, leveraging feedback collected from online forums, workshops, and organizations specializing in cybersecurity.
NIST CSF isn’t just for government agencies. Every business can and should adapt and adopt the secure development best practices set by the NIST.
Integrant, partnering with its customers and engaging the services of third-party security consultants, has been modifying and improving its security practices in software development since the first version was published in 2014. We are currently in compliance with Tier 4, the adaptive tier. This means we proactively detect threats, predict issues based on current trends, and fully adopt NIST CSF.
The Service Organization Control (SOC) 2 Type II certification means an independent third party has reviewed, examined, and tested a company’s security controls. Security experts agree SOC 2 Type II is the best report for assessing cybersecurity.
SOC 2 looks at access, availability, system processing, data protection, and handling personal/confidential information.
Type II is an important distinction. A company that has only earned a Type I report attests that controls are in place at a point in time, but the operation of those processes and infrastructure has not yet been audited or reviewed over a period. An independent Type II assessment requires anywhere from six months to a year of monitoring.
Passing SOC 2 Type II means the organization meets the strict requirements of the American Institute of Certified Public Accountants (AICPA). Software built by a SOC 2-certified firm is developed, reviewed, tested, and released following the AICPA Trust Services Principles.
When you work with and grant access to a company like Integrant with SOC 2 Type II certification, you know you’re protected against data breaches.
Ask your vendor for a SOC 2 Type II audit report copy. We would be happy to supply you with a copy of ours.
Ask how often the vendor undergoes internal and independent audits. We secure the services of an independent, certified Security Officer with over 20 years of experience managing complex computing environments.
The Security Officer performs an SSAE 16 review (the auditing standard for service organizations) to ensure we comply with our security policies and controls. We undergo this review annually.
Our financial services clients require audits that go beyond the requirements of SOC 2 Type II. Our clients utilize customized security frameworks that include SOC 2, NIST, and ISO standards. We must pass annually to continue to serve and happily comply.
The stages of the annual review by our clients include self-attestation, vulnerability test summaries, requests for extensive documentation, interviews, and onsite assessments.
Understanding the vendor’s experience in high compliance and highly regulated industries is another good data point to review.
When evaluating vendors for a secure software development project, your due diligence involves asking questions about code management and connectivity.
Whether you plan to use a vendor's infrastructure or your own, evaluating the dev/test environment, code quality resources, communication tools, and security processes is a great way to gauge their preparedness. Do they use static code analysis tools? If yes, which ones and why?
What project management or electronic board tools do they use today? How flexible are they in learning your secure software development tools if they don't use the same ones you do?
Ideally, your vendor will adopt your team and organization's tools, security requirements, and preferences. Learning how flexible and open they are indicates what type of partner they will be.
Will you always have access to your code and your IP? Can you pull it anytime you need it? Are they open to working in your environment? Do they have their own environment that is ready for you to use?
The best security software vendors will have options, and you will be able to pick the one that works best for you. At Integrant, the breadth and depth of our resources allow us to support multiple code management and connectivity environments. We offer a few models and the pros and cons of each.
In this model, the vendor team works within your environment using your secure software development tools. The external team accesses your servers through a client-based VPN, with access limited to only the systems they need. This is also typically how client employees connect from home.
Or code is developed locally, and appropriate files are moved into a secure shared landing zone.
If you have a robust internal environment, this option allows you to leverage it. If you’re a startup or lack the “latest and greatest” in your internal environment, you may not have access to tools like static code analysis, continuous integration, continuous delivery, etc.
This option accommodates any internal security protocol requiring all source code to reside within your walls. Your IT team will have complete control and the ability to monitor and audit all traffic. There is no way to copy or move data, source code, etc. Nothing leaves your environment.
One potential downside to consider is latency or connection issues. At Integrant, we have stable, high-speed internet connectivity at our facilities; it’s a top priority for our IT team. Review connectivity with your vendor while secure software development is underway to ensure no loss in productivity.
If your security software vendors have supplied ample evidence of security controls, there may be significant benefits to allowing the code to live in their environment. This is an option to consider if the vendor’s development infrastructure offers tools that are not readily available in yours.
At Integrant, we offer the following:
Continuous code quality inspection platform
Source code management
Reporting and dashboards
Requirements and project management
Automated builds, continuous integration, auto deployment, release management
You might choose this option if you’re a startup with few or no software dev/test-related resources.
Or you might be part of a large company with a robust IT department and it might be easier for you to have us handle source code than to go through the sometimes cumbersome, time-consuming process of getting us access to your on-site environment.
With this model you can start right away and avoid investing in tools and training associated with code management and quality.
However, you want to watch out for vendors who will hold your code hostage. Verify you have 24/7 access to your code. At Integrant, we address code ownership concerns in several ways:
Our contract with our clients clearly states that all code is the client's property.
Due to our internal processes and tools, the client has 24/7 access to the environment and can download current code daily.
From a development and testing perspective, your security software vendors can work with data schemas/objects, logic guiding how the data is populated, and dummy or scrambled data. When you are ready to deploy, the team can travel to work onsite, or your internal team can manage the deployment. Roughly 75% of the development will be conducted offsite and 25% onsite. Similar to the deployment process, critical issues and maintenance can be managed by onsite staff.
In this scenario, we will leverage cloud-based applications. This option provides access to all the secure software development tools in your vendor’s development environment. Still, the code is parked in the cloud via GitHub, BitBucket, or a similar third-party repository. The security software vendors use the same systems and are assigned usernames and passwords with appropriate permissions for these applications.
The same security considerations as Option 2 are in play, but you will have full access and control over your code. You have the option to give users read-only access – they can’t change the code directly except through pull requests. You can also shut down access to users as needed. Use good secure development practices, like second-factor authentication, when using a third-party repository.
As .NET developers, we follow Open Web Application Security Project (OWASP) guidelines. Using tools like SonarQube enables us to follow OWASP standards effectively. We also regularly undergo and pass penetration testing conducted by neutral third parties.
For complete security testing, we recommend leveraging specialists in application security testing to ensure an objective, neutral, thorough evaluation.
Everyone is a full-time Integrant employee; you will know every team member. Here are some of the practices documented in our SOC 2 Type II report related to our people:
Human Resources management utilizes a new hire checklist to ensure that specific elements of the hiring process are consistently executed. A copy of the new hire checklist is maintained in the employee file.
Comprehensive background checks are performed by an independent third party for certain positions as part of the hiring process. Employees must sign a confidentiality and non-disclosure agreement not to disclose proprietary or confidential information, including client information, to unauthorized parties.
Management maintains insurance coverage to protect against dishonest acts that personnel may commit. Beyond hiring ethical people and communicating expectations around security, what certifications do they hold? In addition to providing regular training, we have certifications: GIAC-GWEB, GIAC-GSSP, and CSSLP.
Another critical question to ask is whether your vendor leverages the services of a contractor or subcontractors for development and testing. If yes, verify that the same guidelines are followed for everyone touching your code, data, and IP. Are they performing background checks? What type of hardware (laptops) are they using? Where are they working from (secure network)?
At Integrant, everyone is a full-time employee. On the rare occasion we engage a contractor for specialty services such as graphic design, we follow the same security practices, even for people who do not have access to your data or code.
What security practices in software development does your vendor follow? What certifications do they hold? Do they have experience working in highly regulated industries? Where will your code live? How easy will it be for you to access the code?
How prepared, secure, and professional is the vendor’s work environment? Do they perform background checks, provide training, and require contractors to undergo/follow the same policies and procedures as full-time staff? How your vendor handles your code is a good representation of how they’ll handle the business relationship.
It’s all about asking good questions and requiring evidence. If you’re searching for the right vendor to help with secure software development for your business, contact us here.
Integrant’s Vision is to transform the software development lifecycle through predictable results.