7 Development AppSec Tricks to Keep the Hackers Away – Part 1

Wednesday, June 17, 2015

Tripwire Inc

Bd07d58f0d31d48d3764821d109bf165

The mammoth rise in cybercrime has made organizations revise their application security strategy and implement new techniques to safeguard their software. This is largely because traditional security methodologies, such as Manual Testing and Web Application Firewalls (WAF), have been rendered irrelevant due to evolving hacking techniques.

Unlike old times, more and more organizations today are concentrating their efforts towards bolstering the foundation core of their software – the application code. The following 7 development AppSec tips should be adopted by all organizations striving to improve code integrity, and boost the robustness of their web/mobile applications.

1. PLAN AND CREATE A SOFTWARE DEVELOPMENT LIFE CYCLE (SDLC).
The most effective way to ensure secure development is to devise a Software Development Life Cycle (SDLC), which involves the breaking down of the development process into pre-defined stages with security testing built into each and every one of them. This automation of the testing process eventually leads to the early detection of vulnerabilities.

The modern SDLC typically consists of six stages:

Analysis – This stage involves the establishment of a high-level game plan for the development process, inclduing system analysis, adding of new features and also the tweaking of the development protocol. The data received from the security solution is also taken into consideration and benchmarks are revised accordingly.
Design – Just as the name suggests, this is where the software design is prepared from the requirement specifications decided upon in the first stage of the process.
Coding – Here, the developers step in and start writing the application code. The coding stage is typically the longest and most complicated part of the SDLC.
Testing – The post-build stage is where most QA procedures are executed, along with security testing. However, it’s highly recommended to not postpone security implementation and integrate the solution into all stages of the SDLC. This enables the creation of a secure SDLC, arguably the safest development method today.
Deployment – At the end of the process, the application is basically ready for release. The customers start using the software and implement it in their systems.
Maintenance – No application is perfect and flawless. Customers report their bug findings and performance issues after using the software. Developers then work on eliminating the problems and fine-tuning the different features of the application, ideally in thoroughly planned sprints (Agile/DevOps).
sdlc

2. AUTOMATE THE SECURITY PROCESS WITHIN THE SECURE SDLC.
The most effective way of creating a secure SDLC is to automate the entire security process. When security is built into all six stages above, vulnerabilities are located early. The early detection of loopholes in the application code significantly shortens the remediation process while also saving the organization a significant amount of money and resources.

Static Application Security Testing (SAST), most commonly Static Code Analysis (SCA), is usually implemented to achieve these goals. These code scanners can be integrated into all SDLC stages and also have light-weight plugins that seamlessly blend into the developer’s IDEs.

Other benefits of implementing automated application security testing include:

Best-fix location functionality, where the most vulnerable junctions are pin-pointed.
No need for scanning unchanged code, which is ideal for CICD, Agile and DevOps.
Wide programming language coverage and multiple framework compatibility.
Detection of coding errors (i.e – buffer overflow), dead code and other flaws.
Automatic generation of security reports in PDF/XML format for offline scrutiny.

3. HALT THE BUILD WHEN MEDIUM- OR HIGH-LEVEL THREATS ARE DETECTED.
Regardless of what development environment you are in, you must make sure that you have security thresholds in place. For example, it should be made sure that medium- or high-severity vulnerability detection stops the build instantly until the issue is mitigated. This can be easily implemented by using the aforementioned automated security application testing.

Please stay tuned for Part 2 of this two-part series.

About the Author: Sharon Solomon (@checkmarx) is a Content Manager at Checkmarx

This was cross-posted from Tripwire's The State of Security blog.

7493
Breaches CVE DB Vulns US-CERT Privacy Vulnerabilities Webappsec->General
Post Rating I Like this!
The views expressed in this post are the opinions of the Infosec Island member that posted this content. Infosec Island is not responsible for the content or messaging of this post.

Unauthorized reproduction of this article (in part or in whole) is prohibited without the express written permission of Infosec Island and the Infosec Island member that posted this content--this includes using our RSS feed for any purpose other than personal use.