Symantec Advanced Authentication Source Code Review Report for 2FA Application.

Article ID: 374517

Products

- CA Risk Authentication
- CA Strong Authentication
- CA Advanced Authentication
- CA Advanced Authentication - Risk Authentication (RiskMinder / RiskFort)
- CA Advanced Authentication - Strong Authentication (AuthMinder / WebFort)

Issue/Introduction

Symantec Advanced Authentication Source Code Review Report for 2FA Application and Secure Software Development Practices.

Resolution

Security vulnerability management is an ongoing process. Symantec Advanced Authentication product development operates under internal application security procedures that set guidelines and objectives for the secure development of CA (A Broadcom Company) products. CA’s secure software development lifecycle (SSDLC) practices are described in general terms at https://docs.broadcom.com/docs/ca-information-security-practices.

While CA may update these practices from time to time at its sole discretion and without notice, it will continue to use commercially reasonable efforts to establish and maintain secure software development lifecycle practices consistent with generally accepted practices in the IT industry.

The development team has been scanning the code with various tools for several years and remediating potentially exploitable vulnerabilities. Over the same period, malicious actors have found more advanced ways to exploit weaknesses in operating environments. Fortunately, the vulnerability scanning tools have improved, and continue to improve, to keep pace. The result is a somewhat dynamic view of the product’s security state throughout this evolution.

Today CA uses industry-leading tools to identify and manage security vulnerabilities. As further vulnerabilities are identified, remediation efforts are prioritized based on ease of exploitation, potential impact, and remediation effort.

The code fixes resulting from this effort are generally distributed with regular maintenance releases, without specific announcement, so as to protect customers running older unpatched releases. In somewhat rare instances, third parties have identified a high-risk vulnerability, which has resulted in published hyper-fixes outside the normal maintenance cycle.

While the development, release, and timing of any CA product remain at CA’s sole discretion, CA product development operates under the internal application security procedures noted above, which set guidelines and objectives for the secure development of CA products.

Attachments

240301-infosec-practices-customer-final-docusigned.pdf