Secure engineering practices
Security is built into UNICOM Intelligence throughout the development and testing process. UNICOM Intelligence development follows the IBM Secure Engineering Practices, as documented in the IBM Secure Engineering Framework, because the product was formerly developed by IBM under the name “IBM SPSS Data Collection & SPSS Dimensions”. These practices include:
▪education and awareness
▪project planning
▪risk assessment and threat modeling
▪security requirements
▪secure coding
▪test and vulnerability assessment
▪documentation
▪incident response
▪security and privacy by design.
Development
The internal secure coding guidelines for UNICOM Intelligence are based on Microsoft’s Secure Coding guide and the OWASP Secure Coding Practices. These guidelines include:
▪secure by design
▪input validation
▪output encoding
▪authentication and password management
▪session management
▪access control
▪cryptographic practices
▪error handling and logging
▪data protection
▪least privilege
▪communication security
▪system configuration
▪database security
▪file management
▪memory management
▪general coding practices.
Testing overview
The UNICOM Intelligence QA team develops tests to verify functional operation in accordance with the requirements and design of the product. The levels of testing include:
▪Unit tests to verify that a software element performs as designed in isolation. These are typically performed by the developer and by automation.
▪Functional tests to verify that the overall requirements are met. This includes tests on different operating systems including different language installations.
▪Regression tests to verify that no issues have been introduced. Regression testing includes automated user scenarios.
▪Security tests to verify that no security vulnerabilities have been introduced.
▪Performance tests to check and document system performance under load.
▪Stability tests to measure memory and CPU usage of a running system over time.
▪Scalability tests to compare performance of different cluster sizes.
Security testing
Security testing is performed for each major release and, based on a risk assessment, security testing is also performed for fix packs and interim fixes. Testing includes, but is not limited to, the following items:
▪The Server field is suppressed in HTTP headers.
▪File directories on the web server are not accessible to users.
▪Source code of server-side executables and scripts cannot be viewed by the browser.
▪Source code of client-side scripts does not contain unnecessary information.
▪Server-side executables and scripts are checked for potential vulnerabilities.
Security testing comprises dynamic testing, source code scans, and manual tests. All testing performed during development and test covers all UNICOM Systems, Inc.‑developed code, third party code, and Open Source Software (OSS) that is in the products.
Security testing comprises:
▪Security AppScan dynamic testing
▪Security AppScan source testing
▪Manual and 3rd party testing, which includes: threat model created and tested; security self-assessment completed and filed; and independent third party security assessment and penetration testing.
Open source software and third party software patch process
UNICOM Systems, Inc. subscribes to security advisories for third party and open source software that is used in UNICOM Intelligence, including, but not limited to, the Microsoft Technical Security Notification Service and IBM Security Bulletins (PSIRT).
When a security vulnerability is identified in third party or open source software, the UNICOM Intelligence source code is updated, and then an interim fix is created. Based on a risk assessment, security testing is performed against the interim fix, and then a proactive support notification is sent to customers.