· All main development environments, through focused checklists:
● …and more
· Focused checklists containing instructions constructed from:
● Display of the instruction
● Explanation of the exposure it represents in the application
● Recommendations for repair
● Realization using a code
· Internal Web system with a user-friendly interface
· NTLM identification vis-à-vis the active directory
· Powerful encryption of the saved information
· Full compliance with all existing regulations, ensured by meeting all development standards
· Production of reports detailing compliance or non-compliance with the regulations relevant to the project, also including:
● An executive summary
● Graphs and statistics, presented in various cross sections
● Indication of the nature of the irregularity's deviation from the development standard
● Grading of the severity of the irregularity, in accordance with responses to the checklists
● Details of the developers' responses to the checklists (executed; not executed; being dealt with; or comments written during the development process in relation to a specific question)
· Launching a new project
● Selecting the development environment relevant to the project
● Displaying the project's distribution list
● Selecting the regulation relevant to the project
· Friendly and efficient user management
● Basic developer authorizations
● Broad administrator authorizations
● User editing (addition, deletion, editing)
· Updating internal procedures in developers' checklists
· Updating changes in regulations
· The possibility of adding documents (characterization documents, administrators' instructions, etc.)
· Printing of an information security status report at any stage
· Administrator interface with preview data
1. Launching a project
· The developer receives the log-in details to the system, and can then launch a project him/herself, or via the Development Manager.
· The user will be given the option of choosing support in the relevant development environment. The system supports numerous development environments, including JAVA, C++, C, .NET, ASP, ASP.NET, PHP; other languages may also be requested.
· The system will display a project that includes checklists matching the project launch form and will commence the provision of support services to the developer.
2. Managing a project
· The system allows to manage all the users involved in the project – from developers granted authorizations to team leaders, Project Managers, Development Managers, the Information Security Department, the QA Manager and the organization's senior management.
● Developers: basic authorization.
● Team Leader: basic authorization + observation of all modules for which the leader is responsible.
● Development Manager: basic authorization + observation of all modules + sending comments.
● Project Manager: full authorization (observation, sending comments, editing users, managing reports – including printing interim reports to determine the status of compliance with development procedures).
● Information security: external authorization (observation, sending comments to users).
● QA Manager: full authorization (all elements available in the system).
● Management: reports authorization (observation and printing of interim reports).
· Sec2Code includes the possibility of adding new procedures or instructions to the checklists, by:
● The system's users in the organization (users having the proper authorization);
● BugSec (within the framework of quarterly or immediate updates).
Compliance with procedures and standards
Sec2Code contains checklists of secure development procedures that the developers are required to comply with, divided into stages:
* Stage 1: ensuring that the developer is aware of the procedures.
* Stage 2: a detailed explanation of the technological implications of non-compliance with the standard.
* Stage 3: recommendations for correct writing.
* Stage 4: realization, with the help of a relevant example of a code.
* Stage 5: the possibility of sending instructions or comments to a distribution list that includes additional programmers involved in the project, Development Team Leaders, Development Managers, Project Managers and the Information Security Department, for the purpose of providing responses to problems online.
* Stage 6: the possibility of sending instructions to BugSec's Help Desk for the purpose of consulting with a professional staff member specializing in information security and compliance with standards.
Response to checklists will result in compliance with the information security standards relevant to the organization (HIPAA, PCI SOX, BASEL II, instructions 357, 257, etc.). In the event that a response is not provided for several instructions in the checklists, the system will report a deviation from the standard. The report will include statistical data such as charts, a consolidation of replies, distribution into percentages, details concerning the deviations, etc.
Any change in the Information security standards will be updated into the system in the organization's own configuration, or as part of quarterly updates provided by BugSec's R&D team.