The best practices used by ITL in developing secure software

Our software security strategy is:

  • managed – includes targeted and coordinated activities
  • integrated – part of software development processes and methodologies
  • evolving – based on modern knowledge
  • responsible – ensures that risks are regularly explained to customers

More specifically, from the point of view of the development company, this means that:

  • We consider that the safe development of software requires separate management.
    • Each software project has a security-focused role that ensures that good security practices are followed and that the implementation is consistent throughout the project.
    • We have a person responsible for security as a separate competency who ensures an adequate level of security knowledge for the organisation.
  • We integrate security measures into our processes.
    • We recognise that a one-time audit or penetration test will not produce a consistent result over time, and security will need to be re-validated in the event of system changes and on a regular basis to mitigate the risk of supply chain attacks.
    • We automate software security by implementing automated testing, code analysers, and other widely used tools in software construction processes (CI).
    • We know that one of the biggest security risks is functionality that is not really needed. We avoid creating unnecessary complexity and using complex technology or unreasonable tools.
  • We follow the guidelines and best practices for the safe development and use of the programming languages, frameworks, and environments that we use, and we continually improve our skills.
    • We ensure that all our employees receive regular security training appropriate to their role and responsibilities.
    • We use modern technologies that continue to evolve.
    • We keep abreast of trends and risks in the field of cybersecurity and adjust our systems, processes, and methodologies accordingly.
  • We explain security-related aspects to the customer and do not expect them to worry about such issues themselves.
    • We recommend that the customer abandon risky functionalities that threaten security and help them find alternative solutions.
    • We clearly and unambiguously communicate to customers the significant risks associated with software solutions and their possible consequences.
    • We respond immediately to major incidents. We inform both the client and CERT-EE.