Security verification and validation

This section covers the essential processes of security review, verification, and validation done by Milestone’s development teams during all phases of our product development.

These processes are crucial to:

  • Detect manually identifiable vulnerabilities in critical components:

  • Understand application resilience from a black-box perspective: 

Selective manual security testing

Milestone’s approach to security testing includes selective manual testing, complemented by a combination of static and dynamic tools. This combination guides and focuses our review to specific areas of the application, approaching them as an attacker would. While we also use automated tools, which are effective in uncovering various vulnerabilities, the automatic tools can never replace the expertise of a trained human reviewer.

Prioritizing high-risk modules

Recognizing that vulnerabilities in security-critical parts of our XProtect software products can have a substantial impact for our customers, integrators and partners, our development teams prioritize the security review of high-risk modules. These modules often include critical functionality such as authentication mechanisms, access control enforcement points, session management schemes, external interfaces and APIs, and input validator/data parsers.

Strategic combination of metrics and automated scans

To determine the best areas for scrutiny, our development teams uses a blend of code-level metrics and focused automated scans. This approach enables our developers to channel their efforts effectively. The security review process may take on various forms, including pair programming, peer review, time-boxed security focus phases involving the entire development team.

Threat mitigation testing

Milestone performs threat mitigation testing to verify how effective the implemented mitigations address the identified threats. The threat mitigation testing aims to:

  • Validate that the implemented threat mitigation solution is effective and provides the expected level of protection.

  • Attempt to bypass or defeat the implemented threat mitigation solution to evaluate its resilience against further modified attacks.

  • Assess the overall security robustness against potential attacks in the product area of the implemented threat mitigation.

Milestone will also maintain a detailed record of the threat mitigation testing performed. The record documents who performed the test, when it was done, which fixed vulnerability was tested, the result of the test, as well as any new vulnerabilities, weaknesses, or deviations from expected results that are found.

Security testing

The primary objective of security testing is to assess the effectiveness of the implemented security controls and identify any potential vulnerabilities that malicious actors could exploit. Security testing also helps ensuring that the components, features, or changes comply with the required security controls and practices.

Each development team in Milestone has the ownership of a set of components and/or supplementing services and tools. Following best practices, each development team performs security tests for the components, services, and tools they are responsible for developing and maintaining. In addition to the testing done by the development teams, the security and compliance team also runs time-boxed internal pen-testing to supplement the security testing before each release.

Security testing is an ongoing process, and the scope evolve as the system changes or new threats emerge. For this reason, each development team are held responsible for maintaining a proactive and adaptive approach to security throughout the development lifecycle of the components they are responsible for.

Security testing performed by Milestone’s development teams covers the following areas and techniques:

  • Identifying assets

  • Analyzing threat landscape

  • Defining security requirements

  • Prioritize critical functionality

  • Documenting scope

  • Perform periodic reviews

  • Adopt security standards and best practices

  • Automated and manual testing

  • Documenting results

Vulnerability testing

Milestone conducts vulnerability testing for all new features, functions, APIs, and interfaces implemented to identify and characterize potential security vulnerabilities in the product. This includes weaknesses, misconfigurations, and design flaws that attackers could exploit.

Vulnerability testing covers the following areas and techniques:

  • Abuse case and, malformed-input testing

  • Attack surface analysis

  • Known vulnerability scanning

  • Software composition analysis

  • Dynamic runtime resource management testing

Milestone also maintains a detailed record of the vulnerability testing performed. The record documents who performed the test, when it was done, the product/version/feature/interface tested, any identified vulnerabilities, their impact, and any recommended actions. It also documents the testing techniques and tools used, and any specific configuration used during the testing.

Penetration testing

With the purpose of identifying potential vulnerabilities and security weaknesses in our products, and to ensure that our software product meets current security standards and can withstand real-world attacks, Milestone conducts penetration testing for every XProtect VMS product version released.

For all other XProtect software products and Husky products, penetration testing is done on-demand or as per the predefined schedule based on the products criticality and risk level.

Performing regular penetration testing allows Milestone to proactively identify and address potential security vulnerabilities before our software are deployed in customer installations.   

The penetration testing is performed by skilled and certified penetration testers, and aims to:

  • Identify vulnerabilities and security weaknesses in the product

  • Validate the effectiveness of the implemented security controls and defenses

  • Assess the resilience of the product against various attack vectors

  • Provide actionable recommendations to improve the security posture of the product.

In addition, Milestone maintains a detailed record of each penetration testing performed. The record documents who performed the test, when it was done, the product and version tested, the result of the test, as well as the remediation decisions and actions taken including result of retesting remediations.