Insight into the security of your tech partners
You do everything you can to build your platform securely. But what about your partner ecosystem? Are your partners building just as securely as you do as the platform owner? When you work with partners who link their add-ons to your platform or system, it is important that they, like you, perform well in terms of security. The data your customers entrust you with flows through API links to your partner's systems. And what happens to that data will reflect on your platform.
Know your tech partner's security status inside 2 days
Computest has developed a 2-day Quickscan that gives you an overall impression of a tech partner's development security at a glance. A clear final report shows where they stand in terms of security in their software development process, what their biggest risks are and what they can do about them.
You can think of this scan as a second opinion, or simply as a way of taking a security reading of your partner ecosystem once in a while. The result is an indication of the state of their security, based on which you as the platform owner can decide whether action is needed. The tech partner gets the full final report, while you the platform owner get a summary.
Partner security Quickscan – the approach
Over two days, a senior Computest Security Consultant will investigate the overall security of the appliciation in scope. For the Quickscan, he/she will combine three approaches/techniques: interviews, code reviewing and security testing. Our experience has shown that these three areas of focus are good indicators for the maturity of an organisation in terms of secure development.
The 3 areas of focus in more detail:
1 . Security in code
The Computest security consultant will go through the source code of the application(s) in question together with a developer. They will specifically look at the vulnerabilities listed on the Certified Secure "Secure Development Checklist". These vulnerabilities are grouped by theme.
The Quickscan does not aim to find all possible vulnerabilities, but instead gives an impression for each theme. Themes that will be addressed include:
- User input handling
- Authentication & authorization
- Logging & auditability
- Session handling
- Separation of concerns & isolation
- Security in network transmission
2. Security in the development process
The second area of focus relates to the development process of the application. Based on a number of interviews with members of the development team, the security consultant can draw conclusions about the extent to which security is assured within the development process. The following themes are typically covered:
- Peer reviews of code
- Coding guidelines for security
- Versioning of source code
- Management of third-party libraries
- Security policy for designing and managing infrastructure
3. Security in practice
The final area of focus is the software in production. The security consultant will perform a number of cursory checks on the production environment. Using a combination of automatic scans and manual checks, he/she will look for a number of types of vulnerabilities which cannot be identified from the code or lend themselves more to testing than code reviewing.
The end result: the Quickscan report
After a Quickscan, Computest will deliver a document structured around the areas of focus listed above within the three pillars of code, process and practice. For each area of focus, the consultant will briefly set out his/her conclusion. A score is then given for each of the three pillars in the form of a colour: Red, Orange or Green. These colours represent "high risk", "improvement desirable" or "in control".
Please note: the Quickscan report is not a substitute for a security test, but it is certainly sufficient to gain an informed impression of the overall security level. As a platform owner, it helps you decide whether your partner(s) comply with your vision of security, while your partners benefit from the expertise and experience of a senior security consultant.