Unknown Unknowns: Source Code Audit and Network Security Assessment.

Author: Gilmore, Trevor
Position: TechTalk

As more companies develop their own proprietary software and move their own systems to the cloud, an audit of your software's source code and an assessment of your network security should be part of the go-live strategy. I had the experience of managing both projects first-hand and will share my insight.

As the CFO of a small professional services firm (we have approximately employees), I wear many hats. This includes the "trust, but verify" hat, which I imagine to be covered in stylish question marks, a la Batman's The Riddler. A while back, I got word that our long-planned and often-delayed online SaaS employee stock ownership plan administration software was ready to go live. Luckily, I know some people in the software space who advised us to make sure the software was safe, from a security perspective, before going live--software development 101, if you will.

My next conversation with our developer went something like this:

Programmer: We're ready to go live, finally!

Me: How do we know it's safe to be live online, from a security point of view?

Programmer: Trust us, it is. Each user has a unique password, and we can utilize dual factor authentication, SSL certificates, etc.

Me: Have we had an outsider try to get in without proper authentication?

Programmer: What do you mean?

Me: I'm asking have we hired a real hacker to try to get in?

Programmer: Hmmm. I don't think so ...

Me: If we don't know the answer, we can't go live yet. Let's hire one to expose any unknown weaknesses before we put this thing online. Sound good?

Programmer: I think that's a good idea!

After some searching, we located a well-regarded firm to audit the source code and perform a network security assessment. Both reviews were done in a matter of weeks, so the ultimate delay was not a killer for us, as this program was an upgrade for existing clients who had not already been informed of the go-live date.

Software Code Audit

A software code audit is similar to a financial statement audit; rather than testing for GAAP conformity, professional code reviewers inspect the software's source code with the goal of discovering bugs, security vulnerabilities and unintended behavior before someone else does. The typical code auditor has a bachelor's degree in computer science or cybersecurity, or equivalent real-life cybersecurity experience, and has a deep understanding of programming languages such as C, C++, C#, Java/JSP, .NET, Perl, PHP, Ruby, Python and so on.

The comprehensive...
