The security team provides feedback and recommendations on proposed architecture and platform technology, including feedback on potential threats and risk factors.

The security team manages and supports an enterprise level static code scanning toolset for each development team to use. The toolset scans each line of source code for vulnerabilities based on the OWASP Top Ten. The scanning tool sends an alert if vulnerable open-source libraries are used within the source code.

The output from the static code scanning tool is reviewed by development teams, and we take a risk-based approach to remediation.

In contrast with the build phase that uses a static code scanning toolset, during the test phase the security team manages and supports an enterprise level dynamic toolset for each development team to use. This tool scans web-based applications in their deployed state, authenticates to the web-based application, and crawls all pages, links, and components. It takes an inventory of these items, and then launches attack payloads against them. The attack payloads are based on OWASP Top Ten vulnerabilities and security misconfigurations. The dynamic scanning tool has a decision and verification engine that validates if a vulnerability exists based on payload sent and response it receives.

The output from the static code scanning tool is reviewed by development teams, and we take a risk-based approach to remediation.

Tyler’s application security team executes manual application security assessments and penetration tests in pre-production and production phases of the software development life-cycle.

Manual assessments occur over multiple weeks to evaluate exposure to known application security vulnerabilities and to determine the extent to which the targeted applications/systems are vulnerable to attack and penetration. A combination of black-box and white-box techniques are used in our manual assessments. Tyler’s application security team utilizes interruption proxies, well-known open-source, and custom-built tools in the testing process.

Testing is conducted in alignment with current industry best practices covered by the following standards:

• NIST
• The OWASP Testing Guide
• PTES

At the end of an assessment, a final report is delivered. Development and operation teams work on a remediation plan, which is reviewed and approved by Tyler’s application security team before it’s executed.