Security

More and more services are being provided via the cloud today. But while the cloud offers numerous advantages, such as scalability, flexibility and a reduced IT administration effort, it also raises security issues - both for the cloud provider and the using companies. Therefore, the shared responsibility model is often used in cloud computing. This means that both parties, i.e. cloud provider and customer, share the responsibility for cloud security.

As part of the "Code Analysis of Open Source Software" (CAOS) project of the German Federal Office for Information Security (BSI), the program code of common open source projects was examined for vulnerabilities. Security experts from mgm were allowed to support the BSI in this. The aim of the investigations were two video conferencing systems and two eID templates, which are intended to help increase the security of open source software with the help of vulnerability analysis. The results of the CAOS project were published in summer 2023.

While low-code approaches are becoming increasingly popular, security aspects are also drawing more attention. The OWASP Low Code/No-Code Top 10 was recently published as a list of the most common security risks that organizations should be aware of when developing and deploying low-code applications. We summarize to what extent the points affect A12 applications.

In a streamlined software development process, quality assurance becomes vulnerable when challenges and risks increase. These put a strain on time and resources and reduce quality. Addressing these aspects is essential, especially in terms of product quality, time and resources.

In threat modeling, various methods can be obtain an overall picture of an application's vulnerabilities and the various mitigation measures. Almost all available methods are based on the fact that a digital system is first designed by its architecture. This usually includes all known components within an application or IT system, how they are interconnected, and where trust boundaries lie. Early decisions about the architecture can therefore have a major impact.

In the field of security of web applications and mobile apps, threat modeling is a method that can be considered primarily as a means of performing deliberate risk management. There are many ways to identify and assess threats. Although the techniques differ: The basic principle is always to use them to identify the risks to an application or IT system and, more importantly, to agree on what those risks are.

mgm will be present at the Software Quality Days from May 23 to 25, 2023 with strong participation in presentations in the disciplines "DevSecOps" and "Quality Assurance Accompanying Development" as well as an information booth.

After around a year of preparation, planning and implementation, mgm technology partners is now an ISO/IEC-27001-certified company. For this, the key information security risks were identified, protective measures were defined and monitoring processes were drawn up.

News about successful attacks on applications and companies is no longer a rarity these days.

The ii-magazine offers well-founded and practical insights into digital transformation - now also on its own website. Join the community: we welcome guest authors!