Tag Archives: Desktop

Our company develops Windows desktop applications. We offer off the shelf solutions – not custom development. A potential new customer wants to add a section to our standard contract that requires us to use an “Application Scanning” Tool. They specifically mention IBM’s AppScan. However that tool seems to be for web applications, not desktop applications.

Our applications are developed using Delphi (from Embarcadero formerly Borland a long time ago). We are a small two developer shop. While I can understand the why a customer would want something like this in a contract, I’m not sure how I can really accomplish this.

Are there other “industry standard tools” as their contract language seems to indicate?

Is this becoming common practice among ISVs?

Are there any guidelines for ISVs for complying with these type of security review requirements? I know there are a number of sites for safe coding practices (verify user input, buffer overflows, SQL injection, etc.) but I have never seen anything that discusses putting together a security review that would convince a end user that the programmer did their job correctly.

Here is what they want added to the contract:

x.x Software Security Review And Testing. A security scanning process
will be performed on the application components for each production
release of the Software licensed by Licensee pursuant to this
Agreement prior to making available a major release of such
components. Such security scanning will be performed by Licensor
using IBM’s AppScan application scanning tool or an alternative,
industry standard tool (“Application Scanning”). Vendor will also
perform manual penetration testing (“Penetration Testing”) for each
major release of the core product(s). Vendor will conduct Application
Scanning on each application component as set forth in the applicable
Schedule under the Agreement a minimum of one (1) time per year.
Vendor will provide to and review with Licensee a report of the
results of Vendor’s most recent Application Scanning and Penetration
Testing for the AgWare Software.

The application itself is a standard windows application. It can connect to either an Access Database or a SQL Server database for it’s data storage. Users worried about security will obviously be using SQL Server. There is no middle tier – I connect directly from the application to the SQL Server. The connection is made using a trusted connection and all data access is via stored procedures.

I can understand running some type of security scanner on the SQL Database. i.e. something that would verify a table was not left with wide open access. It is interesting that the database was not addressed in the contract.

I can probably press the issue and say that AppScan cannot be run on desktop applications and get them to remove the section from the contract. Seeing it though made me wonder if any desktop application developers are running any type of scanner on their software.

Continue reading Security Scanning for Desktop Applications→