

Showing posts with label Audit. Show all posts

Saturday, May 23, 2015

Need for doing a legal audit to detect all 3rd party instances

A lot of people do not even know about this concept: what is a Legal Audit (or whatever similar name different software organizations use for it)? However, most project and program managers would know about using components from many different sources. You would also have heard about patent disputes, where companies challenge each other over the software they have written, and over whether one of them is entitled to damages from the other for using certain code that the other claims to own (strictly, a patent covers a principle, a concept or a specific feature rather than the code itself, but you get the general idea).
How does this fit into the idea of something called a Legal Audit? Patience.
Let me take a real-life principle. In our team, during the course of a product development cycle, the team is informed at the beginning of the cycle that they will not use any component from outside without speaking to their manager. However, in the middle of the cycle I was speaking to the team about this (as a repeat), and later one of the team members approached me. It turned out that he had been looking for an efficient XML parser and had searched for an external component that would help him with this; he found something on the internet, downloaded it and used it. Seems fine; after all, a lot of people might do this.
The problem was that we live in a world where we need to respect the rights and copyrights of others if we want others to respect our software. Our software has a global market of $40 million, and nobody would welcome a case against us for unlawful usage of an external component. It could be that we were fine with using this component, but nobody had done that kind of check. We looked at the component and found that it had a license that was never going to be allowed for usage. The license wanted $1 for every customer usage of the software where this component was going to be installed, and if you think that we were ready to pay out tens of thousands of dollars for using such a component, I have nothing to say.
The Legal Audit is a scan of the software code to ensure that all the external components used in the software are known, and that every one of their licenses has been approved. For a product that has been through multiple versions, many of the components will have been in regular use over the years, and these can be quickly discounted. Most organizations have a way of doing this process that minimizes the effort required.
Doing this process is essential, and in most cases it requires consultation with a software engineer or manager as well as with a legal expert (to sign off on the final license agreements and to certify that the overall set of licenses used in the software is acceptable from the organization's perspective).
The Legal Audit can only be complete when the writing of new software is complete, since only then is it certain that no further new code will be written.
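As an added illustration (not code from this blog or from any real audit tool) of the check described above: a scan result is compared against a baseline of components cleared in earlier releases and against a license policy, so that only new or unapproved components are sent to the legal expert. The component list, license names and policy sets are constructed for the example.

```python
"""Legal-audit style inventory check: flag third-party components whose
license has not yet been approved. The scan result, baseline and policy
below are constructed for illustration, not taken from any real project."""
from dataclasses import dataclass

# Licenses the legal team has already cleared (constructed policy).
APPROVED_LICENSES = {"MIT", "BSD-3-Clause", "Apache-2.0"}
# Licenses never acceptable for a shipped product (constructed policy);
# per-customer or per-seat commercial terms belong here.
REJECTED_LICENSES = {"Commercial-per-seat"}
# Components already in regular use and cleared in earlier releases (constructed).
BASELINE = {"zlib", "libpng"}


@dataclass
class Component:
    name: str
    version: str
    license: str  # SPDX-style id, or "UNKNOWN" if no license file was found


def audit(components, baseline=BASELINE):
    """Map each component name to 'baseline' (cleared in a previous release),
    'approved', 'rejected', or 'needs-review' (unknown or unassessed license)."""
    verdicts = {}
    for c in components:
        if c.name in baseline:
            verdicts[c.name] = "baseline"
        elif c.license in REJECTED_LICENSES:
            verdicts[c.name] = "rejected"
        elif c.license in APPROVED_LICENSES:
            verdicts[c.name] = "approved"
        else:
            verdicts[c.name] = "needs-review"
    return verdicts


def blocking_items(verdicts):
    """Component names that must be resolved before the audit can be signed off."""
    return sorted(n for n, v in verdicts.items() if v in ("rejected", "needs-review"))


# Constructed scan result for a hypothetical release.
SCAN = [
    Component("zlib", "1.2.8", "Zlib"),
    Component("libpng", "1.6.16", "libpng"),
    Component("fastxml", "0.9", "Commercial-per-seat"),  # per-customer terms
    Component("jsonlite", "2.1", "MIT"),
    Component("mysterylib", "0.1", "UNKNOWN"),  # scanner found no license file
]

if __name__ == "__main__":
    verdicts = audit(SCAN)
    for name, verdict in verdicts.items():
        print(f"{name:12} {verdict}")
    print("blocking sign-off:", blocking_items(verdicts))
```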


Sunday, April 29, 2012

What is meant by penetration testing?


The term “penetration testing” is not so rare, and perhaps many of us are familiar with this type of testing. In this piece of writing we discuss penetration testing in more detail.

About Penetration Testing


- Penetration testing is a testing methodology adopted for testing the security of a computer network or system against malicious attacks.
- Penetration testing evaluates the security level of the computer network by subjecting it to simulated attacks that mimic both outside and inside attackers.
- Outside attackers hold no authorized access to the computer system or network, whereas inside attackers do have that access, but only up to a certain level.
- The whole process of penetration testing is based on an active analysis.
- This active analysis assesses all the potential vulnerabilities of the computer network or system that result from its poor security or configuration.
- Apart from this, known and unknown flaws in both the hardware and the software contribute to these vulnerabilities, not only operational weaknesses.
- This active analysis is carried out from the viewpoint of a malicious attacker and is all about the active exploitation of the recognized vulnerabilities.

Steps in Penetration Testing


- The first step in penetration testing is always the identification of the vulnerabilities.
- The identified issues and vulnerabilities are then brought to the notice of the whole development team.
- A number of penetration tests are then carried out on that particular system, coupling the information gathered with an active assessment of the risks associated with the computer system or network.
- Effective procedures are then designed to reduce the effect of these vulnerabilities.

Advantages of Penetration Testing


There are several other reasons why penetration testing holds good:
  1. It is effective for determining the feasibility of particular attack vectors.
  2. It helps to identify higher-risk vulnerabilities that arise when a combination of lower-risk weaknesses is exploited in a particular sequence.
  3. It proves quite effective at finding vulnerabilities that cannot be detected with application vulnerability scanning software or automated testing processes.
  4. It assists in assessing the operational and business impact of attacks on the computer network or system.
  5. It tests the effectiveness of the network defenders in detecting and responding to attacks.
  6. It provides evidence in support of the investments that need to be made in the security of the computer system or network.
Penetration testing has been recognized as an important component of security audits. Penetration testing can be carried out either way round, i.e., either through the black box testing route or through the white box testing route.

The path to be taken is decided by the amount of knowledge that the tester has about the system or network under test. If the tester has only brief knowledge, the black box testing route is followed; otherwise white box testing techniques are preferred.

Another thing to determine before starting the testing is the location of the system to be tested and the extent of the test.

Penetration testing if carried through white box testing


For the white box approach to penetration testing, the tester needs:
- full knowledge of the system infrastructure,
- full knowledge of the source code,
- full knowledge of the IP addresses, and
- full knowledge of the network diagrams, etc.

In some cases a grey box approach to penetration testing can also be followed, depending on how much information is available. The black box approach is useful for simulating an outsider attack, whereas the white box approach can simulate an insider attack.


Wednesday, March 7, 2012

What is meant by peer review in software testing?

In the process of software development, at every stage the software system or application under development has to be reviewed, whether before or after its completion. Many techniques have been designed to carry out an effective review of software systems or applications.

What is Peer Review in Software Testing?

- Peer review is one such technique employed in software testing.

- Peer review is a type of software review technique in which the software product, code or documentation is examined by its author or developer as well as by his or her colleagues, to evaluate the quality of the product and its technical content.

- The number of peers carrying out a peer review may vary from one to any number the author wishes.

- The process of peer review is aimed at providing a well-disciplined engineering practice for the detection as well as the correction of bugs and errors in the software product.

- It is also aimed at preventing defects from leaking into the operational field.

- These aims of peer review have been defined on the basis of the CMM, or Capability Maturity Model.

- Peer reviews form an essential part of the software development cycle and prove very helpful in detecting bugs in the early stages of software development.

- A requirements problem identified by peer review during requirements testing is a lot easier and cheaper to rectify than it would be in the later architecture, development and testing stages.

Now the question comes: “how is peer review different from the other kinds of reviews?”

- Peer reviews are somewhat different from their counterpart, management reviews.

- Management reviews are performed by management representatives rather than by colleagues, as in peer review.

- Management reviews are focused on control and management purposes, not on the technical evaluation that peer review provides.

- Peer reviews also differ from software audit reviews in that audit reviews are carried out by personnel external to the project, to evaluate the level of compliance with standards, specifications, agreements, etc.

- Several formal and informal approaches have been designed for carrying out peer reviews.

- Buddy checking is one informal approach.

- Some formal approaches are:

1. Technical peer reviews
2. Walkthroughs and
3. Software inspections.

- The roles, processes and structures for the above formal approaches are governed by IEEE standards.

- Management representatives are chosen to carry out a peer review only very rarely, when specific technical expertise is required or when the documentation to be reviewed is at management level.

- The third formal approach, software inspection, involves assigning specific roles to the participants, quantifying the stages by defining entry and exit criteria, and capturing software metrics.

- Peer review carried out on open source software is commonly known as open source review.

Advantages of Peer Reviews

- Peer reviews have always been observed to be a powerful methodology for greatly improving software quality.

- A peer review can be performed in many forms, such as an inspection, team review, pair programming, peer desk check or pass-around.

Which approach to follow is decided on the basis of rigor, cost, degree of formality and, of course, effectiveness!

The cheapest review method that is effective in reducing the project's risks should be selected. But inspections are always the best approach and are fit for both high-risk and low-risk projects.


Tuesday, September 22, 2009

Software Quality Assurance - SQA

Software Quality Assurance (SQA) is defined as a planned and systematic approach to the evaluation of the quality of and adherence to software product standards, processes, and procedures. SQA includes the process of assuring that standards and procedures are established and are followed throughout the software acquisition life cycle. Compliance with agreed-upon standards and procedures is evaluated through process monitoring, product evaluation, and audits. Software development and control processes should include quality assurance approval points, where an SQA evaluation of the product may be done in relation to the applicable standards.

STANDARDS AND PROCEDURES:
Establishing standards and procedures for software development is critical, since these provide the framework from which the software evolves. Standards are the established criteria to which the software products are compared. Procedures are the established criteria to which the development and control processes are compared.
Standards and procedures establish the prescribed methods for developing software; the SQA role is to ensure their existence and adequacy. Proper documentation of standards and procedures is necessary since the SQA activities of process monitoring, product evaluation, and auditing rely upon unequivocal definitions to measure project compliance.

SQA ACTIVITIES:
Software quality assurance is composed of a variety of tasks associated with two different constituencies: the software engineers who do the technical work, and an SQA group that has responsibility for quality assurance planning, oversight, record keeping, analysis, and reporting. Product evaluation and process monitoring are the SQA activities that assure the software development and control processes.
Product evaluation is an SQA activity that assures standards are being followed. Product evaluation assures that the software product reflects the requirements of the applicable standard(s) as identified in the Management Plan.
Process monitoring is an SQA activity that ensures that appropriate steps to carry out the process are being followed.
A fundamental SQA technique is the audit, which looks at a process and/or a product in depth, comparing them to established procedures and standards. Audits are used to review management, technical, and assurance processes to provide an indication of the quality and status of the software product.

ROLE OF AN SQA GROUP:
- Prepares an SQA plan for a project.
- Participates in the development of the project's software process description.
- Reviews software engineering activities to verify compliance with defined software process.
- Audits designated software work products to verify compliance with those defined as part of software process.
- Ensures that deviations in software work and work products are documented and handled according to a documented procedure.
- Records any noncompliance and reports to senior management.

