The bugScout platform, developed by Nalbatech, has been a partner of the information security team of the basic sanitation company Sabesp, which serves more than 300 municipalities in the State of São Paulo. The tool detects vulnerabilities and security flaws in software applications, whether developed in-house or by third parties, to ensure that the systems comply with the company’s policies.
Since 2014, when the project was started, any new system that enters the company’s data center has been subjected to a rigorous analysis of its source code to detect vulnerabilities. More than 1,000 applications have already been analyzed, and the flaws most often found in third-party applications are related to the exposure of sensitive information, weak encryption, breach of trust boundaries and basic errors in the source code.

Daniel Bocalão, Manager of the Connectivity and Information Security Department (CIC) at Sabesp, explains that the project started four years ago with a first version that evaluated only security requirements. At the end of last year, with an update, the tool also started to analyze the quality and performance of each new application.
“Any request for improvement of the system module that arises because of a regulation or law, for example, goes through the solution”, comments the executive, in an interview with Computerworld Brasil.
Sabesp’s IT infrastructure is composed of a considerable variety of systems serving various internal and external processes. In field operations, Internet of Things (IoT) devices collect in real time the data on water and sewage services delivered to the population, which involves identifying consumption, changes or deviations in the consumption pattern, and leakage potential, among numerous other variables, producing a large amount of data that needs to be protected. In addition, the company has administrative management systems, such as billing, CRM, asset control, supplies and HR; all of them pass the vulnerability tests required by the company.
Bocalão comments that the main advantage is knowing the risks before production. “We were able to anticipate vulnerabilities and fix them at the time of development. The results are intangible, as we are able to show the supplier that he is vulnerable and avoid problems in the future. The feeling is that we are safer”, he adds.