19 - Software validation services for GÉANT community

Gerard Frankowski

In practice, all software contains security vulnerabilities. To minimize their number, a secure development life cycle (SDLC) should be introduced. Microsoft states that SDLC reduced the number of security bugs, measured by released advisories, by 45% for operating systems and 91% for database engines. Eliminating security vulnerabilities not only makes software more trustworthy, but also reduces the total cost of maintaining it: IBM declares that handling a bug found after release is about 100 times more expensive than handling one detected during the design phase. On the other hand, we see a relative lack of software security services oriented towards designers and developers in European NREN communities.

We would like to present the portfolio of software validation services provided for the GÉANT community by the GN4-2 SA2T1 task (Service Transition and Software Management). We offer quality and security code audits, as well as secure coding trainings (SCT) and security assessment. We will concentrate on the first three components, as we directly contribute to them. A quality code audit is an automatic code review completed by code inspection (expert analysis) to examine the source code and identify potential bugs, bad code architecture, duplicated code and similar coding irregularities. A security code audit is similar, but its main goal is to detect the largest possible number of security vulnerabilities in the source code.

Each of the aforementioned components takes its place in the SDLC. They complement each other, and we have made the relevant adjustments so that they fit both the needs of GÉANT software development teams and their resource constraints. As both of these factors may change, as may the overall security threat landscape, we keep the security services evolving. We believe they deserve to be presented to a broader community.