COI Report – Part VII (Page 284 of 425)

39.2.1 Code reviews and safety reviews

824. As part of CSA's technical recommendations, CSA also recommended that organisations should conduct code reviews of applications that are installed on critical systems and ensure that such reviews have been performed to their satisfaction. This is to verify that there are no instances of insecure programming or security flaws that may present vulnerabilities or backdoors that could be exploited by cyber attackers. As to how an organisation could go about procuring the conduct of such code reviews, Dan Yock Hau ("Dan") elaborated in oral testimony on a few options:

a) As a customer purchasing critical software, the organisation could try to exercise its rights as a customer to see what access it could get to the source code in order to conduct its own review.

b) The organisation could also consider leveraging government reviews/certifications. Dan cited the example of how some companies, e.g. Microsoft, had set up transparency centres in certain countries and allowed governments, as the proxy/agent at the national level, to go through the source code, verify it and certify it at the national level so that others could use it.

c) Alternatively, the organisation/customer could list the standards and criteria by which it would have conducted a source code review, and ask the vendor to conduct an internal review based on those criteria and give a declaration that those criteria were met.

825. Dan explained that it was better to verify the application before buying it, and that such verification was an important function to be performed during the tender and before the organisation signed the contract with the vendor, rather than testing the application after purchase.