Assessment Methodology
Most relevant for 🔥 Advisors and 🔍 Technical Evaluators
Our Methodology
Holistic assessments are increasingly important in today’s complex and interconnected business environments, where understanding the full picture is crucial for sustainable success. The components that make up a holistic assessment should reflect the landscape of the sector (nutrition, child protection, WASH, health, environmental, etc.). The goal of our work was to create a framework that is easy to replicate and scale up, while defining practical, actionable technical components that help an organization perform this analysis in a systematic way. Because technology is changing rapidly, we believe it is important to perform assessments regularly.
The technical quality assessment was designed to provide a comprehensive review of any solution through the following components.
Components of a Holistic Assessment
This process is iterative and follows a set of tasks and engagements that involve the vendor, in order to foster transparency and accuracy in the findings that are produced and shared. Many of these stages can happen in parallel.
1. Initial Assessment of Solution, Assets, and Documentation
Meet with and interview the product team, receive a typical walkthrough demonstration of the system, gather all available documentation, reports, source code, and tools, and complete an overall review of the “fitness” of the solution and its readiness to proceed through the rest of the process.
2. Source Code Security Audit
Uncover flaws in the application (bugs, security weaknesses, extensibility and maintainability problems, etc.), and evaluate whether the source code is ready to be enhanced by a third party.
3. Application Architecture Audit
Review the structure of the application and how its different components, database, APIs, and third-party libraries interact within the code, under the lens of maintainability, performance at scale, re-usability, flexibility, cyber security, and data privacy.
4. Penetration Testing and Vulnerability Scan
Evaluate the solution’s overall cyber security posture through active and passive vulnerability scanning, manual penetration testing, analysis of security policies, analysis of the history of public vulnerabilities, analysis of security guidelines and documentation (including resilience and recovery recommendations), and more.
5. DevSecOps Analysis
Review best practices in software development operations from the operations-management and system-administration perspectives, providing guidance for maintaining a solution in production that is stable, updated, and secure.
Assessment Timeline
Below is a potential step-by-step timeline that incorporates the components from above, with an estimate of days to complete, along with guidance about following up with the vendor/partner/solutions team.
Step 1: Request Access to Source Code, Design Documents (10 days)
- Begin our deep dive into publicly available documentation and resources (website, GitHub repositories, case studies, install guides, etc.)
Step 2: Initial Assessment Results (5 days)
- A narrative report on background information and history, which includes a Threat & Risk Assessment portion.
- Share, Report & Communicate any issues to vendor
Step 3: Source Code Security Audit (15 days)
- Share, Report & Communicate any issues to vendor
Step 4: Application Architecture Audit (10 days)
- Share, Report & Communicate any issues to vendor
Step 5: Penetration Testing Audit (10 days)
- Share, Report & Communicate any issues to vendor
- Schedule a call to discuss severe issues if necessary
Step 6: DevSecOps Analysis (15 days)
- Share, Report & Communicate any issues to vendor
Step 7: Report of Findings and Recommendations (10 days)
- Share, Report & Communicate any issues to vendor
Step 8: Review Vendor Updates
- 8 weeks after sharing the initial report, the assessment team will review any fixed issues and the vendor’s remaining timeline, and share a follow-on report of statuses and a final assessment.