If your development group or organization has an upcoming software security assessment scheduled here are three things to think about while making your preparations.
- Assets (Dependencies) – Be sure that you have all application assets together that are needed to build the application. If the assessment will be done in your test/development area then this will probably already be in place. If, however, you are sending the application off-site to be assessed or moving it to a new server then all assets will need to be in place that are referenced by any part of your application build.Most projects collect dependencies over time. Sometimes a dependency can go undocumented and although it is in place in the development environment the asset can be missed when moving to a different environment. Missing assets can set back the schedule of an assessment and delay valuable findings. This is a good reason to keep close track of any dependencies the application has.
- Permissions (Accounts) – Be sure of what permissions will be needed by those that are performing the assessment. I have seen assessments be delayed for considerable amounts of time because of permissions.For the case of static source code analysis during an assessment take stock of the permissions required to build the application. For the case of web application penetration testing take stock of the permissions required for accessing and using the application.If the assessment is to be done “in house” then create new accounts just for the purpose of performing the assessment and grant the required permissions to the account(s). If the assessment will be performed off site then it is imperative that the required permissions be well documented.
- Build-ability – Be sure that the application is in a build-able state. This is very important when static analysis of source code is going to be performed. In order to get the maximum benefit from most analysis tools the application needs to be build-able. This insures that the tools can read the code and determine data flow and reference requirements. For maximum ease of use for most tools use a standard build tool when setting up your build process. These include make, ant, nant and msbuild.