Protecting the code and ensuring the integrity of the software until it reaches the end user is of paramount importance. This process is aimed at protecting the code from unauthorized access and interference, verifying the integrity of the software, and protecting the software after release.
The primary objective is to maintain code on a least privilege basis to ensure that only authorized access is granted. In addition, a copy of each release with the components listed and integrity check information is provided to each client.
Examples:
- Storing code in secure repositories with limited access;
- Using version control to track all code changes;
- Publishing cryptographic hashes for released software and using only trusted certificate authorities to sign code.
As you can imagine, this process consists of many steps and involves many participants and practices. First, the software is designed and tested to meet defined security requirements. Next, third parties are thoroughly vetted for compliance with these requirements. Developers then use security best practices to write the code, customizing the build process to enhance the security of the product. All code is then reviewed, analyzed, and tested using manual and automated tools to identify vulnerabilities and ensure compliance. Finally, the software is configured with secure defaults for out-of-the-box protection, and secure components are often reused in production.
Specific tasks include creating a list of trusted components, using threat modeling to assess risk, studying external security requirements, communicating standards to third parties during compliance testing, using secure coding best practices using industry best practices tools, and validating code from all perspectives through review or analysis. The final tasks include designing and executing vulnerability tests, documenting the results, and resolving any issues found.
