stanford-rc / globus.stanford.edu

globus.stanford.edu — The Globus @ Stanford web site
https://globus.stanford.edu/

MinSec Check: Applications: Secure Software Development #23

Closed akkornel closed 5 years ago

akkornel commented 6 years ago

In MinSec for Applications, the Secure Software Development item has the following:

Include security as a design requirement. Review all code and correct identified security flaws prior to deployment. Use of static code analysis tools recommended.

I guess we can ask Globus what they do in this area. The Security page should also help, once that's done!

akkornel commented 5 years ago

I asked ISO about this in SNOW RITM00078622, and here is what I noted from the response: For Secure Software Development, the expectation is that the group developing the software will include security in their software development lifecycle. The third party should have some sort of lifecycle published. That includes (but is not limited to) things like input sanitization, using modern languages and frameworks. It is a very open-ended answer, and it's more about seeing that the developer (or their group/company) is actually doing something, rather than not doing anything.

So, I have opened Globus support ticket 345850 to find out!

akkornel commented 5 years ago

Globus have gotten back to me, and have provided a document that (I believe) addresses this point. For SRCC people, the document is in our Team Drive (sorry, Shared Drive, or whatever it's called now).

So, closing!