How the AMANDA Case Management System gives public sector CIOs peace of mind when it comes to security.

11 November 2016

Local and city governments embrace cloud technology to enable faster decisions, improve internal workflows, reduce resources, slash administration budgets, and provide 24/7 citizen services.

But with more and more of the technology moving outside local government-owned data centers and into the public or private cloud, the security threat is getting very real.

in a variety of industries, just add to the anxiety and diffidence of CIOs in the Public Sector regarding the shift to the Cloud.

According to a KPMG survey in 2014, on [DCAP], the exponential growth in data generation and its use makes current methods of data security obsolete. It recommends significant changes in both architecture and solution approaches.

The report cites 2 problems related to security.
  1. Companies lack coordinated data-centric security policies and management across their data silos. This results in data policy implementation and enforcement that are not consistent.
  2. Data cannot be constrained to storage silos but needs to be accessible by business processes across multiple structured and unstructured silos on-premises, or in public clouds.

It is against this background that we explore how AMANDA 7, declared the best municipal case management system by independent research, tackles security.

The nice part is that AMANDA offers an integrated system for effectively managing workflows in permits, licenses, compliance, freedom of information, and court and jury management all within the same system.

This means that traditional silos of information are handled beautifully within AMANDA. The case management system works with multiple departments and agencies and provides them centralized data operations based on granular permissions configured into the system.

Next, we need to understand the security protocols as well as the security vulnerabilities in application software development and what AMANDA does to secure itself.

The , lists out the security concepts that should be included in every project.

They are listed in order of importance, with control number 1 being the most important.
  1. Verify for Security Early and Often
  2. Parameterized Queries
  3. Encode Data
  4. Validate All Inputs
  5. Implement Identity and Authentication Controls
  6. Implement Appropriate Access Controls
  7. Protect Data
  8. Implement Logging and Intrusion Detection
  9. Leverage Security Frameworks and Libraries
  10. Handle Errors and Exceptions

This protocol for security has arisen from the common security issues surveyed by OWASP.

These are:
  1. Injection
  2. Broken Authentication and Session Management
  3. Cross Site Scripting
  4. Insecure Direct Object References
  5. Security Misconfiguration
  6. Sensitive Data Exposure
  7. Missing Functional Level Access Control
  8. Cross Site Request Forgery
  9. Using Component With Known Vulnerabilities
  10. Unvalidated Redirects and Forwards

With the reported data breaches, known problems in application software development and the defined protocols for testing, AMANDA users need to know how this affects the software they use and how rigorous the testing standards for AMANDA are.

It will reassure them that the software they buy measures up well to vulnerabilities and the highest testing standards in the business.

So how does AMANDA tackle security?

Government CIOs should find it heartening that AMANDA adheres to the OWASP Top 10 vulnerabilities list. Compliance verification is built into its Product Development Lifecycle.

What’s more, OWASP tools such as , , , are used at different stages of the testing lifecycle to ensure that all vulnerabilities are tested.

There’s more to the security practices followed by AMANDA.

3 ways in which AMANDA 7 gives you peace of mind.
  1. It follows secure coding guidelines
  2. It employs several tools to determine security issues
  3. You test the solution once again before you go-live

Let’s look at how each of these is implemented in AMANDA 7.


It follows secure coding guidelines

AMANDA's secure coding guidelines ensure developers adhere to the security standards, to avoid any leaks at the code level during runtime.

Application error messages, runtime stack traces, and web service fault strings are not exposed to users when a faulty request is sent to the application.

Injection attempts, such as uploads of vulnerable files or queries injected as form inputs, are not processed and are blocked from being sent to the server.

The AMANDA environment has tools like , and to validate the code for security at build stage.

The AMANDA architecture enforces security at different layers of the application, and developers ensure that secure design and coding are not broken during functional implementation.

AMANDA has a cryptographic module which enforces application security rules and methods such as AES, HMAC, and SHA-1, in combination with other algorithms, for data encryption.

  1. Test at the Design and Coding Stage: Coding vulnerabilities such as XSS, buffer overflow, format string, and random number generation issues are unit tested using source code analysis tools and secure code review.
  2. Test at Release: AMANDA security testing is performed on the QA and release environments by scanning the application for the OWASP Top 10 vulnerabilities.

    In addition, security scan tools are configured and scheduled to run on every successful QA and release build.

    Manual verification of sensitive information loss is performed on different modules in AMANDA.

    QA environments are scanned.

Security awareness sessions are conducted each quarter with the CSDC Systems development and testing teams.

The latest vulnerabilities and security standards are shared and discussed in detail, with action points for the team.

Reports and graphs can be generated to view vulnerabilities at the application, server, browser, and other levels. Organizations can create their own trust and severity levels for each vulnerability based on their infrastructure setup and the nature of their business, and can map the vulnerabilities to their day-to-day operations with their AMANDA solutions.

It employs multiple tools to determine security issues

AMANDA security test cases are derived from OWASP, FIPS, and potential vulnerabilities specific to the programming language.

Security profiles with different threshold limits for browser cluster, audit, URL checks, request concurrency, sub-domain inclusions, and so on are created for each module in AMANDA, and these profiles are applied during scanning.

We partner with 3rd party labs for certification of any major release of the product.

You test the solution once more before you take it live

CSDC customers test their AMANDA solutions for vulnerabilities during the implementation stage and work with the CSDC client services team to ensure AMANDA is secure in customer environments.

Customers use tools like , etc.

AMANDA 7 gives you peace of mind

Security is built into the architecture of AMANDA. Testing is factored into each level of design and coding. Multiple tools are used to detect vulnerabilities.

AMANDA complies with the stringent OWASP security rules. What’s more, the quarterly security training refreshers for development teams ensure that the latest vulnerabilities are factored into the system build. And finally, our customers are encouraged to test and report as well.

All this ensures that the integrated system you buy for Permits, Licenses, Code Enforcement, Compliance, FOIA Management and more is well secured, bringing peace of mind to local government CIOs.

Little wonder that AMANDA 7 has been rated by independent research as the .
