GrapeCity produces component software used by thousands of developers worldwide, and we take code security seriously. For this blog, we will use GrapeCity Documents for Excel (GcExcel) as the example product. Still, the general policies and development protocols are relevant to all GrapeCity component software product teams. GcExcel helps to ensure your application’s code security in the following 5 ways:
Standards-Based Approach
Security Assurance System
Security Testing
Safety Training
Security Consultation
GcExcel security policies use the OWASP Top 10 project, which has become the Web application security standard for providing methods to prevent high-risk problems from occurring.
These can include injection of code in untrusted data sent to a command or query, XML external entities used to steal internal data or listen to internal scan ports, and insecure deserialization that could lead to remote code execution or other serious attacks such as replay and privilege escalation.
We recommend that all customers developing web applications also use these policies to ensure their application security, as most of the high-risk areas of concern are related to application and security configuration, cross-site scripting, sensitive data exposure of personally identifiable information, and other factors that are outside the scope of GcExcel.
The GcExcel Security Assurance System uses an agile development model and continuous integration, including regular virus scans, static code analysis, and automated test scripts. All development is overseen by a team of managers who create the new product requirements and plan the product milestones and release schedule.
Developers regularly review all code in daily review meetings and by senior architects in periodic architectural reviews. Biweekly product updates are posted to address reported issues.
In addition to regular automated unit testing, GcExcel has special automated security tests designed to cover vulnerable code for serialization, deserialization, and file operations. These tests ensure that GcExcel does not expose applications to any security issues related to parsing XLSX content from untrusted sources.
We are also concerned about XXE external entities, JSON type deserialization, HTML and CSV injection, and untrusted macro content inside XLSM files. GcExcel is designed to avoid these potential vulnerabilities and never executes any macro content loaded from XLSM files.
GrapeCity provides training and guidance to the teams responsible for creating the components to ensure that all team members, including developers, quality assurance engineers, and managers, follow the GrapeCity Security Assurance System.
Developers who work in sensitive code areas take extra care to review that code and ensure that unit tests cover the security-related aspects of the APIs (for example, arguments that are likely to contain untrusted data).
GrapeCity takes your code security requirements seriously, and our in-house professional security specialists will respond to any concerns you might raise related to GrapeCity software components security.
We take these issues very seriously and will provide a reply immediately to confirm receipt of the issue and provide a timeline for the investigation and another reply after the investigation is complete with the full investigation results.
Our processes prioritize and escalate 3rd party security reports involving our code, and our teams can work with them to quickly investigate and resolve any issues.
For more information about GcExcel and the GrapeCity Security Assurance System, check out the full white paper, which describes these policies and the standards in detail:
GrapeCity Documents for Excel Security White Paper
Also published here.