The biggest bugs hide in the cracks left by your system integrator
The biggest bugs are hiding in the system integration interfaces your integration team glued on the day before delivery. They go home, you get fired.
Perhaps you have been in this situation before:
You’re a CIO/VP IT/IT manager and you’re preparing to implement a packaged business application – for example a new CRM system. Something in the back of your mind says that the vendor’s development organization is probably not a lot different from yours (although you hope they’ve thought through the security issues first). What should you do?
- First inspect and penetration-test the system using black-box testing.
- Then, using white-box testing, assess infrastructure components, database interfaces and Web applications for vulnerabilities using our Legacy Risk Analysis Loop technique.
- We will help you identify fault-prone modules in your particular operation and evaluate those modules with the most impact on system reliability and downtime.
- We can go in and perform an onsite audit of the vendor secure software development practices during your RFP/RFI/pre-purchase stages.
This process helps give your organization a much better picture of software defects before you send the vendor the purchase order. Our Web collaboration tool supports continuous risk analysis and management with two main applications: a knowledge base and an issue tracker.
The knowledge base holds standard CVSS scores for components and CLASP problem-type classifications, and is always available to the entire organization. Users can add new entities and modify scores as the business environment changes. The issue tracker gives you:
- A consistent thread of requests, changes and open action items during the risk analysis process, and in particular in the Validate findings step.
- An updated implementation status of countermeasures.
- Real-time status tracking where, unlike email, issues cannot get lost or be ignored!