And What The Answers Should Be
Before you begin a software project, you should be sure your developer is following proper security measures. Here are some questions you can ask:
1. What methodologies do you use to ensure security in the software?
Ideally, you want to hear they subscribe to and adhere to the Open Web Application Security Project (OWASP) guidelines. They may talk about their Software Development Life Cycle which should include security in all phases.
2. Which of the OWASP top ten risks are you most concerned with in our software?
Hopefully they will know about OWASP, but it is possible that they have never heard of it. The correct answer to this question will depend on what vulnerabilities your specific software may have. The most likely answer to this question should be "injections". Read more about the OWASP Top Ten on OWASP's site.
3. Do you have a specific person responsible for security?
They should answer Yes and let you know who it is.
4. How do you test the security of the software?
Some developers turn to third party testers and tools while others do it in-house. The important thing to note is that testing is done prior to deployment and is ongoing.
5. What training does your development team receive on security?
You really want to know that security is a priority and that the development team participates in initial and ongoing training.
Software Already Built? Find Out if Precautions Were Taken with These Questions
If your software is already built you can ask your developer these questions to find out if they followed the necessary protocols:
1. What kind of security testing was done before releasing the product?
Again, it is important that testing is done prior to deployment and is ongoing.
2. How are passwords treated and stored?
According to OWASP, it is best not to limit the character set and length of passwords. Some possible answers to this question can include that passwords should be encrypted and that 2-factor authentication should be used.
3. Is my software protected against SQL injection? If so, what methods are being used?
Injection is one of the most common types of attacks on software, and it is one of the simplest to avoid. Here are the primary defenses:
Option 1: Use of Prepared Statements (with Parameterized Queries)
Option 2: Use of Stored Procedures
Option 3: White List Input Validation
Option 4: Escaping All User Supplied Input
Also: Enforcing Least Privilege
Also: Performing White List Input Validation as a Secondary Defense
4. What kind of event logging is being used and how is it monitored?
It is essential to implement event logs to detect bugs and security risks.
You do not need to involve your developer to check your current software applications. Instead, get a FREE security evaluation from Sofmen.
The actual answers your developer may give can vary greatly from these suggested responses, but they should easily be able to answer your questions and should demonstrate knowledge of the importance of security.
FREE Security Check
Take advantage of Sofmen's FREE security check. You're guaranteed to learn valuable information that you can use regardless of whether or not you hire us. We can do a review of your software without having to involve your current developer.