Application Security, Guaranteeing the Integrity, Authenticity and Confidentiality of customer Data

Today, software solutions available on the Internet have increasingly sophisticated architectures, naturally exposing them to a larger attack surface.

Gartner studies show that more than 80% of attacks directly target the applications themselves. For example, it was an SQL injection that resulted in the theft of the data of several million players at Sony a few years ago, and a simple URL modification had the same effect on the Citibank site.

It is therefore important, in addition to the protection carried out on the network infrastructures, to also ensure the application security of software solutions.

Veracode, the Security Partner of QAD DynaSys

The QAD DynaSys web offering is expanding through the regular addition of internal components developed by R&D, and also through the integration of ready-to-use third-party components. In addition, the QAD DynaSys web offering is available to users on the public Internet.

Since it is important for us to keep offering our customers ever more functionality within our solution, it is also essential, in order to guarantee the integrity, authenticity, availability, and confidentiality of their data, that application security occupies a prominent place in our development cycle.

For several years, QAD DynaSys has been supported by a security specialist, Veracode, and adheres to the “Veracode Verified Standard” program. Founded in 2006, Veracode is an application security company that provides a SaaS application security solution integrating application analysis into development pipelines. Veracode provides multiple security analysis technologies on a single platform, including static analysis (or white-box testing), dynamic analysis (or black-box testing), and software composition analysis.

The company serves over 2,500 customers worldwide and, as of February 2021, has assessed over 25 trillion lines of code.

Hired in 2015 by QAD DynaSys as a web architect, my position gradually evolved into that of a Windows DevOps engineer as well as application security manager. Veracode supports me on a daily basis in this constantly evolving challenge.

The daily work carried out by our R&D team in the context of application security today allows QAD DynaSys to be certified by Veracode.

This certification allows us to assure our customers of our constant commitment to a well-established security process.

A Security Unit at QAD DynaSys

In order for the Veracode security program to run smoothly, a specialized unit has been created at QAD.

My role within this unit is multifaceted. First, we aim to follow the process of the program itself. It is vital to ensure that Veracode static and dynamic (SAST and DAST) scans are performed regularly, that vulnerabilities are tracked, and that their remediation rate is as high as possible.

My objective is also to identify any vulnerabilities detected within the application and to communicate them to the development teams so that they can be corrected according to a resolution schedule that depends on the severity of the flaw detected.

Among the vulnerabilities sought by the Veracode scan modules, those listed in the OWASP Top 10 (2017) and the SANS Top 25 receive special attention.

Finally, Veracode helps me in understanding application security, and the most recognized flaws, in order to help developers adopt good security practices as early as possible in the development chain.

This paradigm, known by the name of “Security by Design”, aims to integrate security into application development from the design phase by evaluating the risk and the necessary controls to be put in place in order to become as proactive as possible and no longer reactive to security issues.

In addition to the use of Veracode, regular scans of all servers are performed by various means as part of our certification standards.

Application security, a daily struggle

When it comes to security, there is no such thing as zero risk, and vigilance should never be compromised. We have understood this clearly at QAD DynaSys and the efforts carried out internally on this subject allow us today to be Veracode certified, to fully understand the challenges of application security, and to be more proactive in our development cycle. Application security is, and will remain, at QAD DynaSys a high-priority subject, so that our customers can work with our applications with total peace of mind.

Olivier Pflieger
Olivier joined QAD DynaSys in 2015 as a web architect. His position gradually evolved into Windows DevOps engineer as well as application security manager. Married and father of a son, he enjoys music and mountain sports, and he is also a rock climbing and skiing instructor.