Secure development

BSI IT-Grundschutz 2023 sections covered by this page
  • CON.8
  • APP.3.1

Best-practices

Industry best practices and regulatory requirements are used to create guidelines for engineering teams, covering the supply chain, source control, the build process, development environments, testing and change management. Teams adopt those guidelines and adjust them to their specific line of work and their needs. Internal audits make sure that the intention of the policies and guidelines is met in practice. SLSA is used to assess the maturity of secure software development efforts.

Static Application Security Testing (SAST)

OX uses Coverity as its main SAST tool (https://www.coverity.com/), which detects functional and security-related issues in code at compile time and allows developers to quickly investigate potential bugs, errors or issues in their code.

Coverity analysis is performed daily as part of the CI/CD environment; the analysis looks for all quality and security-related issues in committed code. Issues raised by Coverity are triaged and, where required, fixed before the code is released. Coverity analyses both Java and JavaScript code.

Like Coverity, FindBugs is used to detect functional and security-related issues in Java code as part of the build (it analyses the compiled bytecode).

Infrastructure as Code (IaC)

Check Point CloudGuard (formerly SpectralOps) is used to scan source code for secrets (e.g. API tokens, passwords, private keys). It also detects IaC-related misconfigurations (e.g. in Terraform or Helm) and reports them to the development teams. This is enabled for all components and runs daily.
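As an added illustration of what a scan of this kind looks for, the following is example code written for this page; it is not Check Point CloudGuard's or OX's own rule set. The regex rules, the entropy threshold of 3.0 bits per character, the placeholder list and the sample repository contents are all constructed assumptions (AKIAIOSFODNN7EXAMPLE is the placeholder key ID used in AWS documentation, not a live credential). It shows the two parts such a scanner combines: pattern matching for well-known credential formats and keyword assignments, filtered by entropy to cut false positives, plus simple checks for risky Terraform settings.

```python
"""Minimal secrets and IaC misconfiguration scanner (illustrative; added example)."""
from __future__ import annotations

import math
import re
from dataclasses import dataclass

# Illustrative rules written for this example; they are NOT the rule set of
# Check Point CloudGuard / SpectralOps or any other product.
SECRET_PATTERNS = {
    "aws_access_key_id": re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b"),
    "github_token": re.compile(r"\bgh[pousr]_[A-Za-z0-9]{36,}\b"),
    "private_key_block": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH |DSA )?PRIVATE KEY-----"),
    # Keyword assignment such as `PASSWORD = "..."` or `api_key: ...`; value is group 1.
    "generic_assignment": re.compile(
        r"(?i)(?:password|passwd|secret|api[_-]?key|token)\b\s*[=:]\s*['\"]?([^\s'\"]{8,})"
    ),
}

# Illustrative IaC checks for Terraform files (assumed rules, not a product's).
IAC_CHECKS = {
    "terraform_public_acl": re.compile(r'\bacl\s*=\s*"public-read(?:-write)?"'),
    "terraform_open_ingress": re.compile(r'\bcidr_blocks\s*=\s*\[\s*"0\.0\.0\.0/0"\s*\]'),
}

# Values that look like secrets but are obviously placeholders.
PLACEHOLDERS = {"changeme", "password", "example", "xxxxxxxx", "<redacted>"}


@dataclass(frozen=True)
class Finding:
    path: str
    line: int
    rule: str
    snippet: str


def shannon_entropy(value: str) -> float:
    """Bits of entropy per character; random tokens score high, words score low."""
    if not value:
        return 0.0
    n = len(value)
    counts = {ch: value.count(ch) for ch in set(value)}
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def scan_file(path: str, text: str, min_entropy: float = 3.0) -> list[Finding]:
    """Scan one file's text line by line and return all findings."""
    findings: list[Finding] = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for rule, pattern in SECRET_PATTERNS.items():
            match = pattern.search(line)
            if not match:
                continue
            if rule == "generic_assignment":
                value = match.group(1)
                # Suppress placeholders and low-entropy values to limit false positives.
                if value.lower() in PLACEHOLDERS or shannon_entropy(value) < min_entropy:
                    continue
            findings.append(Finding(path, lineno, rule, line.strip()[:80]))
        if path.endswith(".tf"):
            for rule, pattern in IAC_CHECKS.items():
                if pattern.search(line):
                    findings.append(Finding(path, lineno, rule, line.strip()[:80]))
    return findings


def scan_repo(files: dict[str, str]) -> list[Finding]:
    """Scan an in-memory {path: contents} mapping that stands in for a checkout."""
    return [f for path, text in sorted(files.items()) for f in scan_file(path, text)]


# Constructed sample repository contents (not real OX code or credentials).
SAMPLE_FILES = {
    "src/config.py": (
        'DB_HOST = "db.internal"\n'
        'DB_PASSWORD = "changeme"\n'                   # placeholder: suppressed
        'SMTP_PASSWORD = "aaaaaaaaaaaaaaaa"\n'         # low entropy: suppressed
        'API_TOKEN = "q7Zp2xVbN9kLm4Rt8wYs"\n'         # high-entropy literal: flagged
        'AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"\n'  # AWS documentation placeholder: flagged
    ),
    "deploy/id_rsa": "-----BEGIN OPENSSH PRIVATE KEY-----\nb3BlbnNzaC1rZXktdjEAAAAA...\n",
    "infra/s3.tf": (
        'resource "aws_s3_bucket" "logs" {\n'
        '  bucket = "example-logs"\n'
        '  acl    = "public-read"\n'
        "}\n"
    ),
    "infra/sg.tf": (
        'resource "aws_security_group_rule" "ssh" {\n'
        '  type        = "ingress"\n'
        "  from_port   = 22\n"
        "  to_port     = 22\n"
        '  cidr_blocks = ["0.0.0.0/0"]\n'
        "}\n"
    ),
}


if __name__ == "__main__":
    for finding in scan_repo(SAMPLE_FILES):
        print(f"{finding.path}:{finding.line}: {finding.rule}: {finding.snippet}")
```

Run against the constructed sample it reports five findings: the high-entropy API token and the AWS key ID in `src/config.py`, the private key block, the public-read bucket ACL and the 0.0.0.0/0 ingress rule; the `changeme` and all-`a` passwords are suppressed by the placeholder and entropy filters. A real deployment would run this kind of check on every commit in CI (and ideally as a pre-commit hook) and treat a hit as a blocking finding that requires rotating the credential, not merely deleting the line, because the secret is already in the history.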

Software Composition Analysis (SCA)

Like most software written today, OX App Suite relies on third-party open-source software components. We address the following risks by performing SCA on our source code and artifacts:

  • Security vulnerabilities – Third-party software may have security vulnerabilities, which may or may not be known when the component is selected and integrated. Knowing which vulnerabilities affect the third-party components that OX App Suite depends on is a prerequisite for fixing or mitigating them.
  • License issues – Understanding the license requirements of third-party components ensures that OX App Suite remains in compliance with those license terms.

OX uses Synopsys Black Duck Hub as its SCA solution (https://www.blackducksoftware.com/products/hub) to scan all OX App Suite components for third-party license, security and operational risks, and mitigates them appropriately.