FAQs on Application Security for iOffice's Facilities Management Software
All this month we are answering the most Frequently Asked Questions (FAQs) on the security of our portal. We have already discussed Physical Security, Network Security & Host Security. Today's post is about: Application Security.
When we talk about application security, we mean the practice of securing our code. Here are some questions we get asked.
1. How does iOffice review the security of code?
All development and scripts go through a review and testing process before being merged into our master code branch. Interested customers and prospects can request our Software Development Lifecycle document for further detail on code management and review.
2. Does iOffice provide application or network-based intrusion detection services?
Yes. Rackspace partners with Alert Logic to provide IDS capabilities and services with Managed Services.
3. If requested, will iOffice disclose the specific configuration files for any web servers and associated support functions (such as search engines or databases)?
This would be decided on a case-by-case basis due to possibly conflicting security concerns. If the request is reasonable and has NO risk of compromising the integrity or security of the application or customer data, we would comply.
4. What technologies are used for the front end?
5. What language is the back-end written in?
The back-end of the application runs on the Java Virtual Machine, using various languages and frameworks.
6. Can iOffice describe the process for doing security Quality Assurance testing for the application?
iOffice employs a methodology referred to as the Software Development Life Cycle that incorporates the following: Design, Testing, Release and Code Management. Testing, for example, includes 4 major areas: Developer Testing, Internal Testing, Vulnerability Testing, Pilot Testing and finally Client Notification. iOffice maintains multiple application release environments along with a strong code management policy. All steps along the life cycle have checks and balances which are managed and controlled. Please see the Software Development Life Cycle document for a detailed description.
7. Has iOffice done web code review, including CGI, Java, etc, for the explicit purposes of finding and remediating security vulnerabilities?
Yes, our code is reviewed and monitored for possible security exploits. Our underlying application framework also prevents common security issues. Additionally, we run automated external scans (fuzzing) to identify potential sources of XSS, SQL injection and other possible issues. Finally, our customers execute their own scans and audits to ensure the security of the application. The Software Development Life Cycle document outlines code review in detail. Interested customers and prospects may ask for a copy of this document.
Those are the top questions we get asked about Application Security for our portal application. Do you have another question that we missed? Please submit it in the comments below. In our next FAQ blog post we will answer the most frequently asked questions surrounding Operational Security.