Shedding light on the security of your tech partners
You do everything you can to build your platform securely, but what about your partner ecosystem? Are they building just as securely as you, the platform owner? When you work with partners who link their add-ons to your platform or system, it is important that they, like you, perform satisfactorily in terms of security. The data your customers entrust you with flows to your partner's systems via API links. And you are ultimately responsible for your customers' data.
Know your tech partner's security status in 2 days
Computest has developed a 2-day Quickscan that gives you an overall impression of a tech partner's development security at a glance. A clearly presented final report shows you where they stand in terms of security in their development process, what their biggest risks are and what they can do about them.
You can think of this scan as a second opinion, or simply as a way of taking a security reading of your partner ecosystem once in a while. The result is an indication of the state of their security, based on which you as the platform owner can decide whether action is needed. The tech partner gets the full final report, while you get a summary.
Partner security Quickscan – the approach
Over two days, a senior Computest Security Consultant will map out the overall security of the add-on(s) in scope. For the Quickscan, he/she will combine three techniques: interviews, code review and security testing. Our experience shows that these three areas of focus are good barometers for an organisation's maturity in secure development.
The 3 areas of focus in more detail:
1. Security in code
The Computest security consultant will go through the source code of the application(s) in question together with a developer. They will specifically look at the vulnerabilities listed on the Certified Secure "Secure Development Checklist". These vulnerabilities are grouped by theme.
The Quickscan does not aim to find all possible vulnerabilities, but instead gives an impression for each theme. Themes that will be addressed include:
- User input handling
- Authentication & authorization
- Logging & auditability
- Session handling
- Separation of concerns & isolation
- Security in network transmission
2. Security in the development process
The second area of focus relates to the development process of the application. Based on a number of interviews with members of the development team, the security consultant can draw conclusions about the extent to which security is assured within the development process. The following themes are typically covered:
- Peer reviews of code
- Coding guidelines for security
- Versioning of source code
- Management of third-party libraries
- Security policy for designing and managing infrastructure
3. Security in practice
The final area of focus is the software in production. The security consultant will perform a number of cursory checks on the production environment. Using a combination of automated scans and manual checks, he/she will look for types of vulnerabilities that cannot be identified from the code, or that lend themselves better to testing than to code review.
The end result: the Quickscan report
Following a Quickscan, Computest will deliver a document structured around the areas of focus listed above within the three pillars of code, process and practice. For each area of focus, the consultant will briefly set out his/her conclusion. A score is then given for each of the three pillars in the form of a colour: Red, Orange or Green. These colours represent “high risk”, “needs improvement” and “in control” respectively.
Please note: the Quickscan report is not a substitute for a security test, but it is certainly sufficient to gain an informed impression of the overall level of security. As a platform owner, it helps you decide whether your partner(s) comply with your vision of security, while your partners benefit from the expertise and experience of a senior security consultant.