Tyler’s Application Security Program

Tyler has a full-time application security team dedicated to continuously reviewing and enhancing the security posture of its products. Tyler uses enterprise-level dynamic and static security scanning tools as part of our software development lifecycle. In addition to scanning tools, Tyler’s application security team executes manual assessments on Tyler products using a testing methodology based upon the OWASP Testing Framework.


Software Development Phases

Design Phase

The security team provides feedback and recommendations on proposed architecture and platform technology, including feedback on potential threats and risk factors.

Build Phase

The security team manages and supports an enterprise-level static code scanning toolset for each development team to use. The toolset scans each line of source code for vulnerabilities based on the OWASP Top Ten. The scanning tool also sends an alert if vulnerable open-source libraries are used within the source code.

The output from the static code scanning tool is reviewed by development teams, and we take a risk-based approach to remediation.

Test Phase

In contrast with the build phase, which uses a static code scanning toolset, during the test phase the security team manages and supports an enterprise-level dynamic scanning toolset for each development team to use. This tool scans web-based applications in their deployed state, authenticates to the application, and crawls all pages, links, and components. It takes an inventory of these items and then launches attack payloads against them. The attack payloads are based on OWASP Top Ten vulnerabilities and security misconfigurations. The dynamic scanning tool has a decision and verification engine that validates whether a vulnerability exists based on the payload sent and the response received.

The output from the dynamic scanning tool is reviewed by development teams, and we take a risk-based approach to remediation.

Production Phase

Tyler’s application security team executes manual application security assessments and penetration tests in the pre-production and production phases of the software development lifecycle.

Manual assessments occur over multiple weeks to evaluate exposure to known application security vulnerabilities and to determine the extent to which the targeted applications and systems are vulnerable to attack and penetration. A combination of black-box and white-box techniques is used in our manual assessments. Tyler’s application security team utilizes intercepting proxies, well-known open-source tools, and custom-built tools in the testing process.

Testing is conducted in alignment with current industry best practices covered by the following standards:

At the end of an assessment, a final report is delivered. Development and operation teams work on a remediation plan, which is reviewed and approved by Tyler’s application security team before it’s executed.
