Jan 20, 2021 2:00:00 AM by John Pocknell
Part 2. With the rise of cybersecurity threats, application security is certainly getting more attention. CIOs, CISOs and other executives responsible for implementing data protection strategies in their company need to make sure they are protecting their corporate data, complying with the appropriate data privacy regulations such as GDPR, HIPAA, PCI and others, and preventing the breaches, fines and reputational damage that could seriously impact their business.
Some industry sectors, such as financial services, are increasingly being mandated to apply security patches to operating systems and desktop software to minimize any vulnerabilities.
In Part 1 of this three-part blog series, I introduced the need for tighter application security and why it’s incumbent on software vendors like Quest® to ensure their applications are as secure as they can be.
In this part, I’ll walk you through some of the other security controls Toad® by Quest has in place to ensure we adhere to current software security standards for continually testing and delivering versions of Toad products that you can safely install and run.
You’ll also see a compelling argument for staying up to date with the frequent releases of Toad products so you can avoid vulnerabilities and security threats in the future.
Update your Toad for free, with a current license
If you want an update/install from Quest for any Quest product, you need three things:
Your login will be tied to your Toad license. If it’s current, it will let you log in to ask questions and get downloads. If you’re denied these because of maintenance issues, you’ll be contacted very soon by a Quest rep who can make sure your account information is correct or offer to update your maintenance agreement.
Most IT administrators are occupied with plugging security gaps among different applications installed on different platforms. That’s why Quest believes in making security practical by releasing products that are secure in the first place.
The table below shows the security controls that every release of Toad undergoes.
In this blog, we’re going to look at the next three security controls (outlined in red above) and how Quest Software implements each of these controls for Toad products.
Quest has defined processes around SAST (Static Application Security Testing) and DAST (Dynamic Application Security Testing) scanning, using external tools.
SAST is a form of white-box testing. A tester using SAST examines the application from the inside, searching its source code for conditions that indicate potential security vulnerabilities. DAST is a form of black-box testing, from the outside as an attacker would see the application. A tester using DAST examines a web application when it is running and tries to hack it as an attacker would.
SAST tools assist in identifying weaknesses found on a list known as the Common Weakness Enumeration (CWE). The tools are limited in their handling of issues of logical flow, authentication and authorization, which are better suited to penetration tests (see below) or manual source code reviews. DAST scanners, interacting with a web application from the outside, rely on HTTP and are technology-independent.
For Toad products, tests are conducted using SAST and DAST tools.
Penetration testing demonstrates the real-world impact if a vulnerability or process weakness were to be exploited. It is designed to assess security before a bad actor strikes. A penetration test is not an automated scan of an application or its source code, but the next step after automated vulnerability scanning (see above).
For Toad products, penetration testing is conducted annually. The tests, a combination of manual and automated testing, are designed to uphold software security standards in the following areas of the product:
In most cases a penetration test follows a specific framework depending on the target application or infrastructure, and tactics vary depending on the adversary being mimicked.
When the development team packages Toad ready for release, they first scan for malware, following a consistent process that includes these security control steps:
In Part 3 of this blog, I’ll talk about some additional security controls that Toad has in place for code signing, software integrity and FIPS compliance.
For more detailed information on how Toad addresses desktop security through SSDLC, read this Technical Brief.
Written by John Pocknell
John Pocknell is a senior market strategist at Quest Software and part of the Information Management business unit. Based at the European headquarters in the U.K., John is responsible for synthesising analyst data and customer interviews in order to create and evangelise solutions-based stories and messaging which relate to major IT initiatives for our extensive portfolio of database products, worldwide. He has been with Quest Software since 2000, working in the database design, development and deployment product areas and spent over 10 years as product manager for the Toad product line. John has been successfully evangelising Toad and other database solutions at various conferences and user groups around the world for the last 19 years as well as writing blogs and technical papers both internally and for the media. John has worked in IT for more than 30 years, most of that time in Oracle application design and development. He is a qualified aeronautical engineer with more than 10 years of experience in provisioning IT consultancy services and implementing quality assurance systems to ISO 9001.