Secure Development

Security begins at conception and should never be an afterthought. Key to this is Sophos’ activity-based Secure Development Lifecycle (SDL). The SDL procedurally enforces industry-leading best practices throughout the entirety of a product’s development.

The SDL also requires that all product development teams have an embedded security advocate and expert who drives these activities within their team. Below are a number of those activities with a brief explanation.

The purpose of each activity is to identify areas of risk before a product is released. This maximises the total possible time that an engineering team can have to address issues long before shipping products and services to customers.

Secure Coding

To guard against, and significantly reduce, accidental introduction of software vulnerabilities, engineers are trained to identify and avoid insecure coding practices and design patterns, leveraging more resilient designs in their place.

Vulnerability Dependency Framework

Where code from third parties, such as open source software, is leveraged in products, each team maintains a list of third-party dependencies within a framework that automatically alerts the team if a CVE is published. This ensures the teams can produce and release a patch as quickly as possible in the event a vulnerability is found within third-party code.
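As an added illustration of the matching step such a framework performs (this is example code, not Sophos’ own framework), the block below checks a team’s pinned dependency list against an advisory feed. Each advisory says which package is affected and which version range, in the common form “introduced up to but not including fixed”; an advisory with no fixed version means every version from the introduced one onward is still affected. The package names, version numbers and CVE identifiers in the sample data are constructed placeholders.

```go
package main

import (
	"fmt"
	"sort"
	"strconv"
	"strings"
)

// Advisory is one published vulnerability record for a package: versions in
// [Introduced, Fixed) are affected; an empty Fixed means no fix exists yet.
type Advisory struct {
	Package, CVE, Introduced, Fixed string
}

// Alert names a pinned dependency that falls inside an advisory's affected range.
type Alert struct {
	Package, Version, CVE string
}

// parseVersion turns "1.10.2" into integer components so that "1.10" sorts
// after "1.9" (a plain string comparison would get this wrong).
func parseVersion(v string) ([]int, error) {
	parts := strings.Split(v, ".")
	out := make([]int, len(parts))
	for i, p := range parts {
		n, err := strconv.Atoi(p)
		if err != nil {
			return nil, fmt.Errorf("bad version %q", v)
		}
		out[i] = n
	}
	return out, nil
}

// compareVersions returns -1, 0 or 1; missing components count as zero,
// so "1.2" equals "1.2.0".
func compareVersions(a, b []int) int {
	for i := 0; i < len(a) || i < len(b); i++ {
		var x, y int
		if i < len(a) {
			x = a[i]
		}
		if i < len(b) {
			y = b[i]
		}
		if x < y {
			return -1
		}
		if x > y {
			return 1
		}
	}
	return 0
}

// Affected reports whether version lies in [introduced, fixed).
func Affected(version, introduced, fixed string) (bool, error) {
	v, err := parseVersion(version)
	if err != nil {
		return false, err
	}
	lo, err := parseVersion(introduced)
	if err != nil {
		return false, err
	}
	if compareVersions(v, lo) < 0 {
		return false, nil
	}
	if fixed == "" { // unfixed advisory: everything from introduced onward is affected
		return true, nil
	}
	hi, err := parseVersion(fixed)
	if err != nil {
		return false, err
	}
	return compareVersions(v, hi) < 0, nil
}

// FindAlerts checks every dependency in manifest (name -> pinned version)
// against the advisory feed and returns alerts sorted by package, then CVE.
func FindAlerts(manifest map[string]string, feed []Advisory) ([]Alert, error) {
	var alerts []Alert
	for _, adv := range feed {
		ver, ok := manifest[adv.Package]
		if !ok {
			continue // the team does not use this package
		}
		hit, err := Affected(ver, adv.Introduced, adv.Fixed)
		if err != nil {
			return nil, err
		}
		if hit {
			alerts = append(alerts, Alert{adv.Package, ver, adv.CVE})
		}
	}
	sort.Slice(alerts, func(i, j int) bool {
		if alerts[i].Package != alerts[j].Package {
			return alerts[i].Package < alerts[j].Package
		}
		return alerts[i].CVE < alerts[j].CVE
	})
	return alerts, nil
}

// Constructed sample data: package names, versions and CVE numbers are placeholders.
var SampleFeed = []Advisory{
	{"examplelib", "CVE-0000-0001", "1.0.0", "1.4.2"},
	{"netparser", "CVE-0000-0002", "2.1.0", "2.3.0"},
	{"netparser", "CVE-0000-0003", "0.0.0", "2.0.5"},
	{"tlsutil", "CVE-0000-0004", "0.5.0", ""}, // no fix published yet
}

var SampleManifest = map[string]string{
	"examplelib": "1.3.0", // inside [1.0.0, 1.4.2): alert
	"netparser":  "2.3.1", // past both fixed versions: clean
	"tlsutil":    "0.9.0", // unfixed advisory applies: alert
}

func main() {
	alerts, err := FindAlerts(SampleManifest, SampleFeed)
	if err != nil {
		panic(err)
	}
	for _, a := range alerts {
		fmt.Printf("ALERT %s %s affected by %s\n", a.Package, a.Version, a.CVE)
	}
}
```

Running this prints two alerts (examplelib and tlsutil) and stays quiet about netparser, whose pinned version is past both fixed releases. A real feed would be refreshed continuously and the check run on every build, so that a newly published CVE against an already-shipped dependency raises an alert without anyone having to re-read the advisory list.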

Threat Modeling

Systematic analysis of any design or implementation of a system or component is performed from the perspective of a probable attacker. Threats are identified by looking at the avenues an attacker would take, what they would recognize as weaknesses, and what methods they would use to exploit them. A level of risk is assigned to each threat, enabling them to be prioritized, so that appropriate controls, mitigations, or redesigns can be put in place.

Static Analysis

Automated tools are used to analyse the source code, quickly highlighting coding errors, vulnerabilities, and flawed or weak design patterns. In addition to automated tools, we practice pair programming with human code reviews and peer reviews during the development cycle.

Internal Security Test Plans

An extensive test plan is developed by every team working on a system or component. This plan covers both white-box and black-box testing; unit, integration, and system tests; code coverage, functional testing, fuzzing, use case testing, and more.

External Security Testing

We regularly have reputable, external testers or penetration testers conduct white-box testing of our codebase to identify threats we haven’t found.

Vulnerability Response Plan

In the event that a vulnerability is found within our products, whether via internal testing, external testing, or our bug-bounty program, procedures are followed to respond rapidly so that a patch or update can be promptly developed, quality assured, and released.

Secure Code Signing

In addition to signing executables, which is common for endpoint software, in Sophos Central we also apply code signing prior to deployment to customer-facing systems, so that any modification or corruption of the code after signing is detected and the deployment refused. This ensures our quality assured code is the same code customers receive and use.
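To show what such a pre-deployment gate actually checks, here is an added example (not Sophos’ own tooling) of a release signed with an Ed25519 key from Go’s standard library. The build side hashes every artifact into a manifest and signs the manifest; the deployment side first verifies the manifest signature and then recomputes each artifact’s digest against the signed manifest, refusing the release if either step fails. The artifact names and contents are constructed, and the scenario function generates throwaway keys rather than using any real release key.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
	"sort"
	"strings"
)

// Release bundles the artifacts with the manifest that was signed at build time.
type Release struct {
	Artifacts map[string][]byte // path -> contents
	Manifest  []byte            // "path sha256hex\n" lines, sorted by path
	Signature []byte            // Ed25519 signature over Manifest
}

// buildManifest produces a canonical (sorted) digest list so that the same
// artifact set always yields byte-identical bytes to sign.
func buildManifest(artifacts map[string][]byte) []byte {
	paths := make([]string, 0, len(artifacts))
	for p := range artifacts {
		paths = append(paths, p)
	}
	sort.Strings(paths)
	var b strings.Builder
	for _, p := range paths {
		sum := sha256.Sum256(artifacts[p])
		fmt.Fprintf(&b, "%s %s\n", p, hex.EncodeToString(sum[:]))
	}
	return []byte(b.String())
}

// SignRelease is the build-side step: hash the artifacts and sign the manifest.
func SignRelease(priv ed25519.PrivateKey, artifacts map[string][]byte) Release {
	m := buildManifest(artifacts)
	return Release{Artifacts: artifacts, Manifest: m, Signature: ed25519.Sign(priv, m)}
}

// VerifyRelease is the deployment gate: a nil result means the release may be deployed.
func VerifyRelease(pub ed25519.PublicKey, r Release) error {
	// 1. The manifest must carry a valid signature from the trusted release key.
	if len(pub) != ed25519.PublicKeySize || !ed25519.Verify(pub, r.Manifest, r.Signature) {
		return errors.New("manifest signature invalid: refusing to deploy")
	}
	// 2. Every artifact must match the digest recorded in the signed manifest,
	//    and no artifact may have been added or removed since signing.
	signed := map[string]string{}
	for _, line := range strings.Split(string(r.Manifest), "\n") {
		if line == "" {
			continue
		}
		fields := strings.Fields(line)
		if len(fields) != 2 {
			return errors.New("malformed manifest line")
		}
		signed[fields[0]] = fields[1]
	}
	if len(signed) != len(r.Artifacts) {
		return errors.New("artifact set differs from signed manifest")
	}
	for path, data := range r.Artifacts {
		want, ok := signed[path]
		if !ok {
			return fmt.Errorf("%s: not listed in signed manifest", path)
		}
		sum := sha256.Sum256(data)
		if hex.EncodeToString(sum[:]) != want {
			return fmt.Errorf("%s: contents differ from signed digest", path)
		}
	}
	return nil
}

// RunScenario exercises the gate on constructed artifacts and reports whether
// the clean release, a release modified after signing, and a release checked
// against the wrong public key were each accepted.
func RunScenario() (cleanOK, tamperedOK, wrongKeyOK bool) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader) // throwaway key pair
	if err != nil {
		panic(err)
	}
	artifacts := map[string][]byte{
		"bin/agent":       []byte("constructed agent binary"),
		"etc/policy.json": []byte(`{"constructed": true}`),
	}
	rel := SignRelease(priv, artifacts)
	cleanOK = VerifyRelease(pub, rel) == nil

	tampered := rel // copy the struct, then replace the shared map
	tampered.Artifacts = map[string][]byte{}
	for k, v := range rel.Artifacts {
		tampered.Artifacts[k] = v
	}
	tampered.Artifacts["bin/agent"] = []byte("constructed agent binary, modified after signing")
	tamperedOK = VerifyRelease(pub, tampered) == nil

	otherPub, _, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	wrongKeyOK = VerifyRelease(otherPub, rel) == nil
	return
}

func main() {
	c, t, w := RunScenario()
	fmt.Printf("clean accepted=%v  tampered accepted=%v  wrong key accepted=%v\n", c, t, w)
}
```

Only the untouched release passes; the copy whose binary was altered after signing fails at the digest comparison, and the copy checked against a different public key fails at the signature step before any artifact is looked at. Keeping the public key on the deployment side and the private key only in the signing environment is what makes the check meaningful.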