Information Security Best Practices: 205 Basic Rules

Section 13: Software Validation and Verification Rules

Evaluating all software installed on an organization's computers can be a major security plus, if done correctly. This section offers several basic rules for validating and verifying software.

IN FOSEC Best Practice #147

Perform a security validation and verification procedure on all mission-critical custom software to be deployed on the network.

For mission-critical custom applications, perform application security validation and verification (V&V). Check for back doors, error handling, illegal termination, system function calls, kernel mode operations, access control, malicious code and monitoring code (used for eavesdropping and condition checking in order to activate malicious code). This is a costly process that is done beyond regular V&V and must be done for those applications that will be processing very sensitive data.

INFOSEC Best Practice #148

Remove all source code, compilers and linkers from mission-critical systems.

By removing all source code, compilers, and linkers from the system on which the application is running, a hacker will not be able to make modifications to the application.

INFOSEC Best Practice #149

Vendor supplied Commercial-Off-The-Shelf software must be evaluated for its impact on the security of mission-critical systems.

In larger organizations it is cost effective to do this once for a product and share the information with the community of potential users. This evaluation would involve hands-on testing of the product from a security perspective. Smaller companies, however, are forced to use third-party evaluations from testing labs or technical publications not affiliated with any of the vendors.

INFOSEC Best Practice #150

Evaluate software developed by...