Our software security strategy is:
- managed – includes targeted and coordinated activities
- integrated – part of software development processes and methodologies
- evolving – based on modern knowledge
- responsible – ensures that risks are regularly explained to customers
More specifically, from the point of view of the development company, this means that:
- We consider that the secure development of software requires dedicated management.
- Each software project has a security-focused role that ensures that good security practices are followed and that the implementation is consistent throughout the project.
- We have a person responsible for security as a separate competency who ensures an adequate level of security knowledge for the organisation.
- We integrate security measures into our processes.
- We recognise that a one-time audit or penetration test will not produce a consistent result over time, and security will need to be re-validated in the event of system changes and on a regular basis to mitigate the risk of supply chain attacks.
- We automate software security by implementing automated testing, code analysers, and other widely used tools in our software build processes (CI).
- We know that one of the biggest security risks is functionality that is not really needed. We avoid creating unnecessary complexity and using complex technology or unreasonable tools.
- We follow the guidelines and best practices for the secure development and use of the programming languages, frameworks, and environments that we use, and we continually improve our skills.
- We ensure that all our employees receive regular security training appropriate to their role and responsibilities.
- We use modern technologies that continue to evolve.
- We keep abreast of trends and risks in the field of cybersecurity and adjust our systems, processes, and methodologies accordingly.
- We explain security-related aspects to the customer and do not expect them to worry about such issues themselves.
- We recommend that the customer abandon risky functionalities that threaten security and help them find alternative solutions.
- We clearly and unambiguously communicate to customers the significant risks associated with software solutions and their possible consequences.
- We respond immediately to major incidents. We inform both the client and CERT-EE.