How secure is your software development at Multishoring.info?
There are plenty of benefits to outsourcing software development, such as access to skilled developers, flexibility and scalability, cost savings, and faster time to market. However, for many companies outsourced software development services are also associated with concerns over security threats and vulnerabilities. Those concerns are natural, and it would be strange if they were absent. With this in mind, we have prepared this document highlighting the most important assumptions of our software development security policy.
Our security policy includes procedures related to many aspects of developing software, such as: formal organization of security management, classification and control of assets, personnel-related security, physical and environmental security, equipment security, communication and operation control, protection against malicious code, backup, network security management, access control, privilege and password control, system development and maintenance, monitoring, vulnerability management, information security incident management, business continuity management, compliance and outsourcing. We also take advantage of Microsoft’s Security Development Lifecycle (SDL) framework as well as processes based on ISO 9001:2008.
We apply this security policy to each development project we carry out, adjusting the security level to our clients’ needs. In this way we ensure that software development on a nearshoring basis with Multishoring.info is secure and that our clients’ information assets remain protected.
Formal organization of security management
We have a formal security management organization at our company, managed by the Vice-president of the company and the IT Department Manager. The security policy is reviewed at least once a year and updated whenever the environment changes. The policy is documented and our employees are familiar with all the security procedures. We monitor and analyze security alerts and advisories and distribute them to the appropriate personnel. We also document and distribute security incident response and escalation procedures to ensure timely and effective handling of all situations.
Classification and control of assets
For each development project we maintain an up-to-date inventory of all IT assets which we administer in order to provide services to a client or which contain the client’s data. The inventory covers information assets (system documentation, manuals), software assets (applications, system software) and physical assets (computers and network equipment, tapes and hard drives), and records the owner of each information, software and physical asset. All assets are documented and managed by Multishoring.info’s IT department.
Personnel and security
Multishoring.info has procedures in place for screening job applicants, ensuring that our staff meet our expectations with respect to qualifications and have no criminal record. Confidentiality agreements are signed with all employees. All staff who have access to a client’s data and/or are involved in providing services to a client have job descriptions that include security responsibilities. Our employees are familiar with our internal procedures regarding data protection and acceptable network use. They can also receive additional information security training at a client’s request.
Physical and environmental security
For each project we can establish secure physical areas where access is through locked doors, and an electronic access system records who entered a site and when. To enter the server room/computer hall (located in an external data center where a dedicated server environment can be hosted) one has to present a card to a card reader and enter a valid PIN. The rooms where our clients’ data is processed or stored are locked. All network jacks are placed within the access-controlled office area. All wireless access points are located in the internal area of the office and are not accessible to non-employees. All gateways and routers are located in the protected server room. There are also special security procedures for handling visitors to the established secure areas.
We have two separate data centers/server rooms located in two different cities. If necessary, equipment requiring special protection can be placed in those two locations to protect it against unauthorized access. Our data centers are compliant with ANSI/TIA-942 Tier III (with some elements compliant with Tier IV). All server rooms are equipped with UPS (both external and internal). There are also special procedures to minimize the risk of threats such as theft, fire, explosives, smoke, water, dust, vibration, chemical effects, electrical supply interference, electromagnetic radiation and flood, as well as for equipment monitoring, review and maintenance. We also have special procedures regarding the use of removable computer media such as tapes, disks, cassettes and memory cards, to make sure they do not cause security problems.
Communication and operational procedures
We always draw up documentation for the operational environments of systems containing our clients’ data. It covers the network structure and architecture, backup and restore procedures, and server configuration and support procedures. Our IT team has internal procedures for the set-up, maintenance and upgrades (including security patches) of all critical services. We also use SharePoint for version management of all documents concerning operations, maintenance, regulations and agreements with a client. All our clients’ programs running on production systems are subject to strict change control.
Protection against malicious code & back-up
Antivirus software is installed on all servers, workstations and virtual machines in the environment dedicated to our clients in order to detect and isolate or remove malware from computers and media. Antivirus software is also installed on the gateway server so that all traffic entering the organization from untrusted networks is scanned. Antivirus signatures are updated continuously. We also use backup/restore software and procedures to ensure that all of our clients’ essential business information is safe. Backups are stored on a dedicated array/server, and long-term backups are transferred to a secondary data center in a separate location.
Network security management
We take a number of steps to increase the security of our clients’ dedicated network environment. All production systems (servers and network components) are hardened by removing the unnecessary services and protocols installed by the default configuration. We change vendor-supplied defaults (such as default passwords and SNMP community strings) before a system is installed on the network, and we develop configuration standards for all system components, ensuring that these standards address all known security vulnerabilities and are consistent with industry-accepted hardening standards. We use Virtual Private Networks or other encryption and integrity (hashing) mechanisms to safeguard the confidentiality and integrity of data transmitted over public networks and to protect the connected systems. All networks in our clients’ dedicated environment (including Wi-Fi) are monitored and segregated on Microsoft Forefront TMG. Note that Microsoft’s extended support for Forefront TMG 2010 ended in April 2020, so environments still relying on it should plan a supported replacement. The network is additionally protected by a separate firewall, which can be configured to meet any requirements.
All access to any database containing our clients’ data is authenticated. This includes access by applications, administrators and all other users, and access to system components is tied to an individual user account. At a client’s request we can also enforce automatic screen locking and a password-protected screensaver on the computers our staff use in a project. Computers where an administrator is logged in are never left unattended. Our staff must also leave any confidential material (such as paper documents or media) in a locked cabinet while unattended. We have a formal user registration and deregistration procedure for granting and revoking access to information systems and services. Any access to our network is authenticated. Information on mobile devices (laptops, PDAs, mobile phones) is encrypted, and every mobile computer with direct connectivity to the Internet has a personal firewall and antivirus software installed.
Privilege & password control
In our company the allocation and use of privileges (administration rights) in the information system environment is restricted and controlled: privileges are allocated on a need-to-use basis and only after a formal authorization process. A regular user has no administrator rights on his or her workstation. The allocation and reallocation of passwords is also controlled through a formal management process. User access rights are reviewed at regular intervals, which depend on the importance of the server and system. When an employee leaves the company, all of that employee’s user accounts and passwords are revoked immediately, and their physical access to the premises is terminated as well.
System development & maintenance
We apply strict security rules to the development and maintenance environment while working on projects for our clients. Development and test networks are always isolated from operational ones, and all networks (critical servers, test and development, users, Wi-Fi, etc.) are deployed as separate VLANs. Duties in the development, test and production environments are separated. There is also a framework for documenting software development work and results. We avoid using operational databases containing personal information for test purposes; if such data must be used, it is depersonalized before use. We also remove test data, accounts, user names and passwords before applications become active or are released to customers, and custom code is always reviewed prior to release to production in order to identify potential coding vulnerabilities.
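The depersonalization step described above can be implemented with keyed pseudonymization, so that identifiers are replaced consistently across tables and the test database still joins, while names, addresses and national identifiers never reach the test environment. The following is an added example and not Multishoring.info’s code: the table layout, column names, key and sample rows are all constructed for illustration.

```python
"""Depersonalize a production extract before it is loaded into a test database.

Added example (not Multishoring.info's code). The two-table layout, the
column names, the key and the rows below are constructed for illustration.
"""
import hashlib
import hmac
import re

# Constructed secret for this example. In practice it is drawn from a
# secrets store per extract and never copied into the test environment,
# so nobody with test-database access can recompute or reverse the tokens.
PSEUDONYM_KEY = b"example-only-rotate-per-extract"

EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")


def pseudonym(value, field, key=PSEUDONYM_KEY):
    """Deterministic, keyed, one-way token for `value` in column `field`.

    HMAC rather than a bare hash: without the key nobody can confirm a guess
    such as "is this row anna.kowalska@example.com?" by recomputing it.
    The column name is mixed in so equal strings in different columns do
    not produce the same token.
    """
    mac = hmac.new(key, f"{field}:{value}".encode("utf-8"), hashlib.sha256)
    return mac.hexdigest()[:16]


def pseudonymize_email(email):
    # Keep the result a syntactically valid address under the reserved
    # .invalid TLD (RFC 2606) so application-side validation still passes
    # and no real mailbox can ever receive test traffic.
    return f"user-{pseudonym(email, 'email')}@test.invalid"


def generalize_dob(dob):
    """Coarsen an ISO date of birth to the year only."""
    return dob[:4] + "-01-01"


def depersonalize_customer(row):
    out = dict(row)
    out["customer_id"] = pseudonym(str(row["customer_id"]), "customer_id")
    out["full_name"] = "Customer " + pseudonym(row["full_name"], "full_name")[:8]
    out["email"] = pseudonymize_email(row["email"])
    out["dob"] = generalize_dob(row["dob"])
    out.pop("national_id", None)   # not needed for testing: drop it outright
    return out


def depersonalize_order(row):
    out = dict(row)
    # Same key and column label as the customer table, so the foreign key
    # still joins after depersonalization.
    out["customer_id"] = pseudonym(str(row["customer_id"]), "customer_id")
    out["shipping_address"] = "REDACTED"
    return out


def depersonalize_extract(customers, orders):
    return ([depersonalize_customer(c) for c in customers],
            [depersonalize_order(o) for o in orders])


def leaks_original_pii(original_customers, depersonalized_rows):
    """Gate run on the production side before the data leaves: True if any
    original name, e-mail or national id string survives in the output."""
    secrets = set()
    for c in original_customers:
        secrets.update({c["full_name"], c["email"], c["national_id"]})
    blob = " ".join(str(v) for row in depersonalized_rows for v in row.values())
    return any(s in blob for s in secrets)


# Constructed sample rows standing in for a production extract.
CUSTOMERS = [
    {"customer_id": 1001, "full_name": "Anna Kowalska",
     "email": "anna.kowalska@example.com", "dob": "1985-03-17",
     "national_id": "85031712345", "tier": "gold"},
    {"customer_id": 1002, "full_name": "Jan Nowak",
     "email": "jan.nowak@example.com", "dob": "1990-11-02",
     "national_id": "90110212345", "tier": "silver"},
]
ORDERS = [
    {"order_id": 1, "customer_id": 1001,
     "shipping_address": "ul. Marszałkowska 1, Warszawa", "total": 120.50},
    {"order_id": 2, "customer_id": 1001,
     "shipping_address": "ul. Długa 5, Gdańsk", "total": 80.00},
    {"order_id": 3, "customer_id": 1002,
     "shipping_address": "ul. Piotrkowska 10, Łódź", "total": 45.00},
]

if __name__ == "__main__":
    test_customers, test_orders = depersonalize_extract(CUSTOMERS, ORDERS)
    for row in test_customers + test_orders:
        print(row)
    print("PII leaked:", leaks_original_pii(CUSTOMERS, test_customers + test_orders))
```

Two design points matter here. A keyed HMAC is used instead of a plain hash because a plain hash of an e-mail address or national id is trivially reversible by guessing and recomputing; the key therefore has to stay on the production side and be rotated per extract. The `leaks_original_pii` check is a post-condition, not the mechanism: it catches a column that was added to the schema after the depersonalization routine was written, which is the usual way such routines silently start leaking.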
While working for our clients we constantly monitor the development environment. This includes reporting, registering and managing faults in information systems. We also have procedures for monitoring the performance of information systems, as well as automated audit trails for all system components that allow us to reconstruct events such as: all user access to data, all actions taken by any individual with root or administrative privileges, access to the audit trails themselves, and invalid logical access attempts. For this purpose we use the standard built-in mechanisms provided by system software vendors (for example Windows Server auditing and Active Directory). We also monitor capacity demands and make projections of future capacity requirements on a regular basis.
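To show what reconstructing the events listed above looks like in practice, here is an added example that is not Multishoring.info’s code. It works on Windows Security log records reduced to a few fields, as a SIEM or a `Get-WinEvent` export would provide them; the host names, accounts, share path, thresholds and records are constructed, while the event IDs are the standard Windows Security ones (4624/4625 logon success/failure, 4663 object access, 4672 privileged logon, 1102 audit log cleared).

```python
"""Reconstruct security-relevant events from Windows Security log records.

Added example (not Multishoring.info's code). The records are constructed
and reduced to the fields a SIEM would extract; the event IDs are the
standard Windows Security log IDs, the hosts, accounts and share path are
made up, and the brute-force threshold is an arbitrary choice.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Standard Windows Security log event IDs.
LOGON_SUCCESS = 4624
LOGON_FAILURE = 4625
OBJECT_ACCESS = 4663
SPECIAL_PRIVILEGES = 4672    # "Special privileges assigned to new logon": admin-level logon
AUDIT_LOG_CLEARED = 1102

FAILURE_THRESHOLD = 5                # constructed tuning values
FAILURE_WINDOW = timedelta(minutes=5)
CLIENT_DATA_PREFIX = "\\\\fs01\\clientdata\\"   # constructed share holding client data


def _ts(rec):
    return datetime.strptime(rec["time"], "%Y-%m-%d %H:%M:%S")


def analyze(records):
    """Return findings reconstructed from the records, in chronological order."""
    findings = []
    recent_failures = defaultdict(deque)   # (user, source_ip) -> failure times in window
    for rec in sorted(records, key=_ts):
        ts, eid = _ts(rec), rec["event_id"]
        if eid == LOGON_FAILURE:                       # invalid logical access attempts
            key = (rec["user"].lower(), rec.get("source_ip", "-"))
            window = recent_failures[key]
            window.append(ts)
            while ts - window[0] > FAILURE_WINDOW:     # drop failures outside the window
                window.popleft()
            if len(window) == FAILURE_THRESHOLD:       # fires once, when first reached
                findings.append({"type": "repeated_logon_failures", "user": key[0],
                                 "source_ip": key[1], "count": len(window),
                                 "first": window[0], "last": ts, "host": rec["host"]})
        elif eid == SPECIAL_PRIVILEGES:                # actions by administrative accounts
            findings.append({"type": "privileged_logon", "user": rec["user"],
                             "host": rec["host"], "time": ts})
        elif eid == OBJECT_ACCESS and rec.get("object", "").lower().startswith(
                CLIENT_DATA_PREFIX.lower()):           # user access to client data
            findings.append({"type": "client_data_access", "user": rec["user"],
                             "object": rec["object"], "access": rec.get("access"),
                             "time": ts})
        elif eid == AUDIT_LOG_CLEARED:                 # tampering with the audit trail itself
            findings.append({"type": "audit_log_cleared", "user": rec["user"],
                             "host": rec["host"], "time": ts})
    return findings


def actions_by(records, user):
    """Chronological trail of one account's activity, for incident reconstruction."""
    return [(rec["time"], rec["event_id"], rec.get("object") or rec.get("source_ip") or "")
            for rec in sorted(records, key=_ts) if rec["user"].lower() == user.lower()]


# Constructed sample records: one mistyped password, a burst of six failures
# against a service account from an external address, an administrative
# session that reads client data, and an audit log being cleared.
RECORDS = [
    {"time": "2024-05-06 08:00:01", "host": "DC01", "event_id": 4624,
     "user": "anna", "source_ip": "10.0.1.20"},
    {"time": "2024-05-06 08:05:00", "host": "DC01", "event_id": 4625,
     "user": "anna", "source_ip": "10.0.1.20"},
    *[{"time": f"2024-05-06 09:10:{s:02d}", "host": "DC01", "event_id": 4625,
       "user": "svc_backup", "source_ip": "203.0.113.7"} for s in range(0, 42, 7)],
    {"time": "2024-05-06 09:30:00", "host": "FS01", "event_id": 4672,
     "user": "admin.jan", "source_ip": "10.0.1.30"},
    {"time": "2024-05-06 09:31:12", "host": "FS01", "event_id": 4663, "user": "admin.jan",
     "object": "\\\\fs01\\clientdata\\contract.docx", "access": "ReadData"},
    {"time": "2024-05-06 09:32:40", "host": "FS01", "event_id": 4663, "user": "anna",
     "object": "C:\\Windows\\Temp\\build.tmp", "access": "WriteData"},
    {"time": "2024-05-06 09:40:05", "host": "FS01", "event_id": 1102, "user": "admin.jan"},
]

if __name__ == "__main__":
    for finding in analyze(RECORDS):
        print(finding)
    print(actions_by(RECORDS, "admin.jan"))
```

The single mistyped password produces nothing, while the six failures from 203.0.113.7 produce exactly one finding when the fifth lands inside the window, which keeps alert volume proportional to incidents rather than to attempts. The 1102 event is the one to treat as highest priority: clearing the Security log is the step that defeats every other reconstruction here, so its appearance immediately after a privileged session is the pattern an incident responder looks for first.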
Once a year we test the security controls, limitations, network connections and restrictions of our clients’ dedicated environment to confirm that unauthorized access attempts are identified and stopped. We also run internal and external network vulnerability scans at least quarterly and after any significant change in the network. We perform penetration testing at least once a year and after any significant infrastructure or application upgrade or modification. We use the built-in mechanisms of Microsoft TMG and third-party monitoring software to monitor all network traffic and alert personnel to suspected compromises.
Information security incident management
We have a formal procedure for reporting security incidents through appropriate management channels, as well as an incident management procedure for responding to and handling security incidents. The procedures are based on ISO 9001:2008. All security incidents at Multishoring.info are followed up and evaluated in a written report. We also have procedures for reporting software malfunctions (internal support procedures and helpdesk systems).
Business continuity management
Multishoring.info has a managed process in place for developing and maintaining business continuity throughout the organization. It includes formulating and documenting a business continuity strategy, an organization-wide business continuity plan, and regular testing and updating of that plan. We also have a formal process for key risk factors, including computer system backup and redundancy, user management, access to bank accounts and the ability to recover business activities at a different site. A recovery plan defines how business operations (backup recovery, use of critical passwords for restoring services, restoration of critical internal applications) are restored within the required time frame following an interruption or failure of business processes.
Compliance and outsourcing
We can ensure compliance with even the most stringent security requirements requested by our clients. We also have procedures compliant with Polish law on the protection of personal data. With respect to outsourcing work to third parties, we are responsible for ensuring that all sub-contractors and consultants who work with our clients’ data and/or systems have signed a confidentiality agreement that includes contractual confidentiality requirements. We use sub-contractors to provide contractual services for our clients only with prior written consent from our clients.