Secure EventTracker

Security is a process, not a project

At EventTracker, we are always mindful of the trust that our customers place in us by installing and using our products. As part of our commitment, we are constantly reviewing our internal process and procedures during all phases of the engagement from the IT Security viewpoint. In the development phase, we follow the Security Development Lifecycle; an independent testing team uses standards based test cases and well known test tools. In the deployment phase, we provide detailed guidance on hardening the underlying platform and the EventTracker installation itself. In the maintenance phase, we ensure that patching and updates are subject to the same rigorous testing.

 

Development

Development

  • Adopt development security tools
  • Mandatory input validation for all untrusted inputs with a definable format, length, type and range. Otherwise, we mitigate risk with some other remediation depending on the risk (parameterized stored procedures, encoding, etc.)
  • Data encoding for all untrusted inputs using standard libraries
  • Enforce automated banned API replacement
  • Generic exception handling to help prevent information disclosure attacks
  • Self-code review using expert manual techniques and automated code analysis tools

Design

Design

  • Minimize default attack surface/Enable least privilege
  • Consider a Defense-in-depth approach
  • Consider past vulnerabilities
  • Deprecate outdated functionality
  • Enforce a secure default installation

Deployment

Deployment

  • Least privilege deployment for both front and backend services
  • Reduced attack surface deployment
  • Automatic session expiration after a certain period of inactivity

Verification

Verification

  • Perform vulnerability assessment and penetration testing
  • Re-evaluate the attack surface of the software

Release & Maintenance

Maintenance

  • Ensure product team evaluates the severity of security bugs consistently
  • Disable tracing and debugging before Deploying ASP.NET Applications
  • Regularly perform vulnerability scanning using proprietary, commercial and open-source tools