SDLC. Cybereason’s SDLC process includes security team as a stake holder. • The security team is involved in all R&D plans, in the various phases of the SDLC – setting requirement, designing, reviewing coding procedures and testing. • The inputs into the SDLC process are based on threat modeling for each relevant component and feature, and a risk assessment based on the threat model. • The guidelines followed by at Cybereason are based on OWASP guides. • Code review is done both manually by an engineer and automatically using a source code analysis tool run by the security team.
SDLC. Which of the following requirements are implemented concerning Software Development LifeCycle (SDLC)? ☐ The app only depends on up-to-date connectivity and security libraries. HIGH Mobile-ASVS-05.06.0 ☐ The app is signed and provisioned with valid certificate. MEDIUM Mobile-ASVS-07.01.0 ☐ The app is built in release mode, with settings appropriate for a release build (e.g. non-debuggable). MEDIUM Mobile-ASVS-07.02.0 ☐ Debugging symbols are removed from native binaries. MEDIUM Mobile-ASVS-07.03.0 ☐ Debugging code are removed, and the app does not log verbose errors or debugging messages. MEDIUM Mobile-ASVS-07.04.0 ☐ The app catches and handles possible exceptions. MEDIUM Mobile-ASVS-07.06.0 ☐ In unmanaged code, memory is allocated, freed and used securely. MEDIUM Mobile-ASVS-07.08.0 ☐ Free security features offered by the toolchain, such as byte-code minification, stack protection, PIE support and automatic reference counting, are activated. MEDIUM Mobile-ASVS-07.09.0
SDLC. All píod"cts/scí:iccs dc:clopcd bQ Kaíktíacc aíc dcsig⭲cd witk tkc pkilosopkQ or scc"íitQ bQ dcsig⭲. ľcsti⭲g is caííicd o"t at all stagcs or dc:clopmc⭲t. Opc⭲-Souícc Codc PolicQ All opc⭲ so"ícc "sagc, wkctkcí tkc opc⭲ so"ícc is "scd i⭲tcí⭲allQ, as xxxx or tkc Compa⭲Q’s píod"cts, oí as xxxx or a wcb scí:icc, ⭲ccds to bc íc:icwcd tkío"gk tkc OSS appío:al píoccss. I⭲ oídcí to kclp Kaíktíacc ackic:c its OSS objccti:cs, Kaíktíacc kas appoi⭲tcd tkc positio⭲ or OSS Complia⭲cc Orriccí (OSSCO). ľkc OSSCO will bc tkc riíst li⭲c or s"ppoít roí tkc dc:clopmc⭲t comm"⭲itQ witki⭲ tkc Compa⭲Q o⭲ q"cstio⭲s aío"⭲d OSS. Vul⭲cíabilitQ Ma⭲agcmc⭲t ľkc Kc:/Ops tcam will kccp tkcmscl:cs i⭲roímcd or scc"íitQ ⭲otiricatio⭲s roí a⭲Q "⭲dcílQi⭲g libíaíics a⭲d platroíms a⭲d will p"sk o"t patckcs as xxxx or tkc ícg"laí píod"ct "pdatcs. PQtko⭲ a⭲d NPM scc"íitQ tools aíc also "scd roí a"tomatcd a"diti⭲g or scc"íitQ :"l⭲cíabilitics. Pc⭲ctíatio⭲ ľcst MctkodologQ A r"ll pc⭲ctíatio⭲ tcst bQ a s"itablQ compctc⭲t spccialist is co⭲d"ctcd bcroíc cack majoí :císio⭲ íclcasc oí a⭲⭲"allQ, wkickc:cí occ"ís riíst. S"ck a tcst will i⭲cl"dc :"l⭲cíabilitQ sca⭲⭲i⭲g a⭲d skillcd ma⭲"al attacks at all lc:cls or tkc ľCP/IP stack i⭲cl"di⭲g tkc Wcb applicatio⭲ a⭲d SSH scí:cí. ľcsts aíc co⭲d"ctcd i⭲itiallQ xxxxx"t a :alid cícdc⭲tial a⭲d tkc⭲ witk a cícdc⭲tial roí tkc Wcb applicatio⭲. Rcsults a⭲d Rcmcdiatio⭲ Rcs"lts aíc pícsc⭲tcd i⭲ dcscc⭲di⭲g oídcí or sc:cíitQ "si⭲g a íccog⭲iscd, i⭲d"stíQ sta⭲daíd scoíi⭲g sQstcm s"ck as CVSS. Ii⭲di⭲gs or a sc:cíitQ or CRIľICAḺ oí HIGH (»= 7) will bc rixcd a⭲d tkc complctc tcst will bc ícpcatcd "⭲til ⭲o s"ck ri⭲di⭲gs ícmai⭲ bcroíc tkc :císio⭲ is íclcascd to c"stomcís. MEKIUM (»= 4) ri⭲di⭲gs will bc addícsscd bQ a⭲ a"tomatic "pdatc dcploQcd to c"stomcís witki⭲ «0 daQs. ḺOW (» 4) ri⭲di⭲gs will bc addícsscd bcroíc tkc ⭲cxt majoí íclcasc.
