According to a 2014 KPMG survey on data-centric audit and protection (DCAP), the exponential growth in data generation and its use makes current methods of data security obsolete. It recommends significant changes in both architecture and solution approaches.
The report cites two problems related to security.
Companies lack coordinated data-centric security policies and management across their data silos. This results in inconsistent data policy implementation and enforcement.
Data cannot be constrained to storage silos but needs to be accessible to business processes across multiple structured and unstructured silos, on-premises or in public clouds.
It is against this background that we explore how AMANDA 7, declared the best municipal case management system in independent research, tackles security.
The nice part is that AMANDA offers an integrated system for effectively managing workflows in permits, licenses, compliance, freedom of information, and court and jury management all within the same system.
This means that traditional silos of information are handled beautifully within AMANDA. The case management system works with multiple departments and agencies and provides them centralized data operations based on granular permissions configured into the system.
Next, we need to understand the security protocols as well as the security vulnerabilities in application software development and what AMANDA does to secure itself.
Given the reported data breaches, the known problems in application software development and the defined protocols for testing, AMANDA users need to know how all this affects the software they use and how rigorous AMANDA's testing standards are.
It will reassure them that the software they buy measures up well against vulnerabilities and to the highest testing standards in the business.
So how does AMANDA tackle security?
It would be heartening for government CIOs to note that AMANDA is checked against the OWASP Top 10 vulnerabilities. Compliance verification is encoded as part of its Product Development Lifecycle.
What's more, tools such as IBM AppScan, Arachni, Burp Suite and SoapUI are used at different stages of the testing lifecycle to test for the OWASP Top 10 vulnerabilities.
There’s more to the security practices followed by AMANDA.
3 ways in which AMANDA 7 gives you peace of mind.
It follows secure coding guidelines
It employs several tools to determine security issues
You test the solution once again before you go live
Let’s look at how each of these is implemented in AMANDA 7.
It follows secure coding guidelines
AMANDA's secure coding guidelines ensure that developers adhere to the security standards so that nothing leaks at the code level at runtime.
Application error messages, runtime stack traces and web service fault strings are not returned to users when a faulty request is sent to the application, so they do not become an information-disclosure vulnerability.
Injection attempts, such as uploads of malicious files or queries injected into form inputs, are rejected and blocked from being sent to the server rather than processed.
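An added Go example of the practice described above (not AMANDA's code; the handler, the error text and the reference-id format are constructed for illustration): internal error detail, including panics, is written to the server log only, and the client receives a generic message with a reference id that support can match against that log line.

```go
package main

import (
	"crypto/rand"
	"encoding/hex"
	"errors"
	"fmt"
	"log"
	"net/http"
	"net/http/httptest"
)

// Constructed internal failure: hosts, file names and line numbers belong in the server log, never in a response.
var errBackend = errors.New("db: connect 10.0.0.5:5432 refused (caseStore.go:42)")

// safe wraps a handler that reports failures by return value so that neither returned
// errors nor panics reach the client; the detail is logged server-side only.
func safe(h func(http.ResponseWriter, *http.Request) error) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		defer func() {
			if rec := recover(); rec != nil {
				writeGeneric(w, r, fmt.Errorf("panic: %v", rec))
			}
		}()
		if err := h(w, r); err != nil {
			writeGeneric(w, r, err)
		}
	})
}

func writeGeneric(w http.ResponseWriter, r *http.Request, err error) {
	b := make([]byte, 8)
	rand.Read(b) // reference id lets support correlate the user's report with the log line
	ref := hex.EncodeToString(b)
	log.Printf("ref=%s method=%s path=%s internal=%q", ref, r.Method, r.URL.Path, err.Error())
	w.Header().Set("Content-Type", "text/plain; charset=utf-8")
	w.WriteHeader(http.StatusInternalServerError)
	fmt.Fprintf(w, "The request could not be completed. Reference: %s\n", ref)
}

// clientBody wraps a handler whose backend call fails and returns the status
// and body a client actually receives.
func clientBody() (int, string) {
	failing := func(w http.ResponseWriter, r *http.Request) error {
		return fmt.Errorf("lookup case: %w", errBackend)
	}
	rec := httptest.NewRecorder()
	safe(failing).ServeHTTP(rec, httptest.NewRequest("GET", "/cases/12345", nil))
	return rec.Code, rec.Body.String()
}
```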
The AMANDA environment uses tools such as SonarQube and FindBugs to validate code security at the build stage.
The AMANDA architecture enforces security at different layers of the application, and developers ensure that secure design and coding are not broken during functional implementation.
AMANDA has a cryptographic module that enforces the application's security rules using FIPS-approved algorithms (AES, HMAC, SHA-1) in combination with other algorithms for data encryption.
Testing at the design and coding stage: unit testing for coding vulnerabilities such as XSS, buffer overflows, format string bugs and weak random number generation, using source code analysis tools and secure code review.
Testing at release: AMANDA security testing is performed on the QA and release environments by scanning the application for the OWASP Top 10 vulnerabilities.
In addition, security scan tools are configured and scheduled to run on every successful QA and release build.
Manual checks for leakage of sensitive information are performed on different modules of AMANDA.
QA environments are scanned.
Security awareness sessions are conducted each quarter with CSDC Systems' development and testing teams.
The latest vulnerabilities and security standards are shared and discussed in depth, with action points for the team.
Reports and graphs can be generated to view vulnerabilities at the application, server and browser levels. Organizations can define their own trust and severity level for each vulnerability based on their infrastructure setup and the nature of their business, and map the vulnerabilities to their day-to-day operations with their AMANDA solutions.
It employs multiple tools to determine security issues
AMANDA security test cases are derived from OWASP, FIPS and programming-language-specific potential vulnerabilities.
Security profiles with different thresholds for browser cluster size, audit scope, URL checks, request concurrency, sub-domain inclusion and so on are created for each module in AMANDA, and these profiles are applied during scanning.
We partner with third-party labs for certification of every major release of the product.
You test the solution once more before you take it live
CSDC customers test their AMANDA solutions for vulnerabilities during the implementation stage and work with the CSDC client services team to ensure AMANDA is secure in customer environments.
Security is built into the architecture of AMANDA. Testing is factored into each level of design and coding. Multiple tools are used to detect vulnerabilities.
AMANDA complies with the stringent OWASP security rules. What's more, the quarterly security training refreshers for development teams ensure that the latest vulnerabilities are factored into the system build. And finally, our customers are encouraged to test and report as well.
All this ensures that the integrated system you buy for permits, licenses, code enforcement, compliance, FOIA management and more is well secured, bringing peace of mind to local government CIOs.