In response to the security breaches identified during recent penetration testing by Nofsinger Consulting Services (NCS), Sifers-Grayson's COO issued a directive that, in short, demanded that a solution be implemented to plug leaks or potential leaks in Sifers-Grayson software. Consider for a moment a bank vault and its similarities to Sifers-Grayson-developed applications: both have design, development, and operation phases in which vulnerabilities and code can be used to break the vault or the application (Owen, n.d.). The key to maintaining positive control of each of these phases is management, and specifically, in the case of applications, an Application Lifecycle Management (ALM) tool.
In all phases of an application's lifecycle, configuration management (CM) applied through an ALM tool is key to maintaining transparency as an application is designed, built, used, and ultimately retired (Keus & Gast, 1996). This transparency is also a critical component of security. As an application is designed and changed over its lifecycle, unauthorized changes have the potential to create vulnerabilities, whether by design or by accident. With the ALM tool in place, these vulnerabilities could be headed off at the pass, ensuring that, at least at the level of software design changes, the application is rendered secure.
Later, in the operation phase of an application's lifecycle, security will be greatly enhanced by the increased visibility an ALM tool provides into the application. Security checks simply cannot be completed manually often or quickly enough to provide the assurance Sifers-Grayson requires that its applications are secure. Using the ALM tool, IT professionals can deploy security checks that automatically track known software vulnerabilities and provide real-time feedback on the status of these checks (Faciana & Wirvin, 2017). This will allow rapid response to any threats and, as a result, render Sifers-Grayson software more secure.
While the penetration testing completed by NCS certainly revealed a weakness in Sifers-Grayson's security, it should not be viewed as a failure. Rather, it should be seen as an opportunity to learn from mistakes and improve a broken process. One step toward fixing these security flaws will be to implement an Application Lifecycle Management tool.