How To: Developing Secure Software
Cybersecurity is a hot topic these days, for good reason, yet application security is often overlooked: the DevOps processes in most companies include no steps such as SAST (static application security testing), DAST (dynamic application security testing) or SCA (software composition analysis), which leads to the inadvertent introduction of critical zero-day vulnerabilities. That is, if there is a DevOps process at all.
Despite the steady increase in very real, active threats, businesses often rely on limited cybersecurity measures, especially when software is built inside organizations whose core business is not software.
Let me be clear: even with secure firewalls and carefully configured security controls, running applications that contain security vulnerabilities leaves your organization susceptible to a range of attacks and breaches. Security is often neglected, and things are missed or shortcuts taken because of tight deadlines or legacy architecture requirements (sound familiar?).
These four steps will help transform your development process into a viable security approach. I've included some tools I've used in the past as part of the solution, but the list is by no means comprehensive, nor is every tool suitable for every organization. I also suggest complementing every step with manual analysis, especially in the early stages of the process.
Step 1: Analysis, Assessments and Dev Training
- Static Application Security Testing (ReSharper Pro)
- Dynamic Application Security Testing (NMap, IronWasp)
- Software Composition Analysis (WhiteSource, Black Duck, Veracode SCA)
- Database Security Scanning (Comodo HackerProof)
- Regular security-centric developer training and exercises
Step 2: Ongoing Training, Oversight and DevSecOps Integration
- Mobile Application Security Testing (OWASP Zed Attack Proxy, MITMproxy, QARK, iMAS)
- Interactive Application Security Testing & Hybrid Tools (Synopsys Seeker)
- Application Security Testing as a Service (outsourcing all of the above to a trusted partner, e.g. Fortify on Demand)
Step 3: Automation, Testing and Continuous Delivery Integration
- Correlation Tools (Code Dx)
- Test Coverage Analyzer integration (Karma, Jasmine, SonarQube)
Step 4: Complete Orchestrated Security
- Application Security Testing Orchestration
Achieving the above will result in an increased official CVSS score for your company and guarantee secure software provision for clients, partners and vendors, with peace of mind to start with. Seamlessly integrated secure coding frameworks and practices, instead of "Security as an Afterthought", will contribute to the efficiency and speed of the development process, reduce the number of bugs and smooth out sprints significantly (you are using Agile, right?). Finally, a streamlined DevSecOps process will shorten safe deployment cycles and lead to higher quality software and fewer frustrated engineers :)