7 Tips For Choosing The Right Tool To Secure Your Application

May 14, 2014 By Sharon Solomon

With more and more leading applications and websites being hacked, internet users think twice before sharing personal information online. With hacktivism, commercial espionage and criminal hacking on the rise, it has become crucial to safeguard databases and to make sure that adequate application-layer security is in place.

Unfortunately, the responsibility for providing this security often lands on the narrow shoulders of the QA team. Operating under tight deadlines, QA already has its hands full, and glaring security issues end up unaddressed.

Not all companies have the resources to keep staff trained to tackle vulnerabilities, and hiring skilled security professionals is not always “pocket-friendly”. But there is good news: healthy coding practices and smart selection of a vulnerability-detection tool can boost your product’s “immunity” and minimise the need for post-production maintenance.

The demand for secure software is rising because customers handle sensitive information and because the IT industry has created new security standards. Benchmarks such as the OWASP Top 10 and PCI DSS have already made their mark, and the booming cloud technology also requires good protection.

The following steps should be taken to reach the relevant security targets:

  • Defining security as a necessity.
    This simple and straightforward realization must precede the implementation stage.
  • Providing adequate security training.
    QA teams today rarely have formal security training or know-how. Security-related tutorials, seminars and webinars usually help in getting the process started.
  • Planning and implementing a security policy.
    Defining the testing procedure and building the security tools into it is what turns the policy into safe products. The procedure should include: reviewing the automated scan results, checking that no new issues have surfaced since the previous scan, weeding out false positives, and documenting every issue together with its resolution.

Best solutions for security issues.

Application security testing today can be divided into three main categories.

  1. Code review and penetration testing – External specialists who manually examine the code or attack the application by hand (the “Pen Testing” column below).
  2. Dynamic testing tools (DAST) – Automated simulation of attacks against the running application to test its vulnerability.
  3. Static code analysis (SAST) – Scanning of source or binary code to find loopholes before release.
| Criterion                         | Static Code Analysis (SAST)                                   | Dynamic Testing Tools (DAST)                                              | Pen Testing                                          |
|-----------------------------------|---------------------------------------------------------------|---------------------------------------------------------------------------|------------------------------------------------------|
| Preparation                       | Not needed (works on source as committed)                     | Needed (a deployed, running build to scan)                                | Not needed beyond scoping with the testers           |
| Coverage limitations              | Cannot see run-time behaviour (configuration, environment)    | Only the paths actually exercised; not every vulnerability class is scannable | Limited by tester time and agreed scope          |
| Scanning limitations              | Few: all code that parses is analysed                         | Limitations exist (authentication, client-side state, scan time)          | 100% coverage is not achievable                      |
| False positives                   | Present; results need triage (see the false-positive advice below) | Few (a finding is backed by an observed response)                    | Almost none (findings are demonstrated)              |
| Vulnerability location            | Points at the exact lines in the code                         | Gives the request/response, not the code; mapping back needs security know-how | Same as DAST; needs security know-how           |
| Life-cycle integration            | From the first commit onwards (IDE, build, CI)                | Only once a running build exists (staging or post-production)             | Pre-release or post-production only                  |
| Testing dedicated/business-logic processes | Preparation needed (custom rules)                    | Preparation needed                                                        | Fully possible                                       |
| Availability                      | Immediate                                                     | Immediate once the environment is prepared                                | Requires coordination with external personnel        |
| Cost                              | Low per scan and repeatable                                   | Depends on product                                                        | High (expert time per engagement)                    |
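To make the “vulnerability location” and “false positives” rows concrete, here is a toy static taint analysis added for this post. It is not Checkmarx’s engine or any product’s code; the program it scans is constructed inline, and the source object (`request`) and the sink methods (`execute`, `executemany`) are assumptions standing in for a real tool’s rule set. It needs no running application and reports the exact function and line, and its third function shows how a sanitiser the analyser does not understand produces a false positive.

```python
"""Toy flow-insensitive taint analysis over Python source (added example)."""
import ast

SOURCE_ROOT = "request"                     # assumed attacker-controlled object (e.g. flask.request)
SINK_METHODS = {"execute", "executemany"}   # assumed SQL sinks (DB-API cursor methods)

# Constructed sample program, not real application code.  Line numbers
# matter: the findings refer to them (sinks on lines 6 and 20).
SAMPLE = '''\
from flask import request

def get_user(conn):
    uid = request.args["id"]                               # source
    cur = conn.cursor()
    cur.execute("SELECT * FROM users WHERE id = " + uid)   # sink: SQL text built from taint
    return cur.fetchone()

def get_user_safe(conn):
    uid = request.args["id"]
    cur = conn.cursor()
    cur.execute("SELECT * FROM users WHERE id = ?", (uid,))  # parameterised: not reported
    return cur.fetchone()

def sort_users(conn):
    col = request.args["sort"]
    if col not in ("name", "email"):                       # allow-list the analyser cannot see through
        col = "name"
    cur = conn.cursor()
    cur.execute("SELECT * FROM users ORDER BY " + col)     # reported, but a false positive
    return cur.fetchall()
'''


def _tainted_names(expr, tainted):
    """Variable names inside `expr` that carry taint; the source object itself counts."""
    return sorted({n.id for n in ast.walk(expr)
                   if isinstance(n, ast.Name) and (n.id in tainted or n.id == SOURCE_ROOT)})


def _sink_name(call):
    """Human-readable name of the called method, e.g. 'cur.execute'."""
    func = call.func
    if isinstance(func, ast.Attribute) and isinstance(func.value, ast.Name):
        return f"{func.value.id}.{func.attr}"
    return getattr(func, "attr", getattr(func, "id", "?"))


def find_taint_flows(source_code, filename="<constructed>"):
    """Report sink calls whose first argument depends on a tainted name, per function."""
    findings = []
    for func in ast.parse(source_code).body:
        if not isinstance(func, ast.FunctionDef):
            continue
        tainted = set()
        # Source order is enough for a flow-insensitive pass: once a name is
        # tainted it stays tainted, which is exactly what causes the false positive.
        nodes = sorted((n for n in ast.walk(func) if isinstance(n, (ast.Assign, ast.Call))),
                       key=lambda n: (n.lineno, n.col_offset))
        for node in nodes:
            if isinstance(node, ast.Assign):
                if _tainted_names(node.value, tainted):
                    tainted.update(t.id for t in node.targets if isinstance(t, ast.Name))
            elif (isinstance(node.func, ast.Attribute) and node.func.attr in SINK_METHODS
                  and node.args):
                carriers = _tainted_names(node.args[0], tainted)
                if carriers:
                    findings.append({"file": filename, "function": func.name,
                                     "line": node.lineno, "sink": _sink_name(node),
                                     "tainted": carriers})
    return findings


if __name__ == "__main__":
    for f in find_taint_flows(SAMPLE, "app/users.py"):
        print(f"{f['file']}:{f['line']} in {f['function']}(): "
              f"SQL built from tainted {f['tainted']} reaches {f['sink']}")
```

The first finding (line 6) is a real SQL injection; the second (line 20) is safe because line 18 forces `col` back to an allow-listed value, but the analyser does not model that check and still reports it. That is the triage work the policy section describes, and the reason real tools let you declare sanitisers or tune their rules. A dynamic tool would only see the line-6 problem after the application is deployed and a request actually reaches `get_user`, and it would report the HTTP exchange rather than the line.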

Secure Software Development Life Cycle (sSDLC).

Secure development life-cycles are a must for ensuring that software is released with a minimum amount of loopholes. The most comprehensive and effective way is to adopt a three-point strategy during the development process:

  • Planning stage – Investment in security should start from the beginning. Programmers are advised to consult security experts and implement their advice to avoid problems in later stages of development.
  • Development stage – Implementing automated testing in this stage is a good idea. It points at security issues early in the process and also guides testers who are not “security-savvy”.
  • Pre-release stage – Companies with the appropriate finances and resources can verify their product by hiring pen testers. The application’s immunity is then tested by conducting real attacks against the finished product.
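The policy steps above (review scan results, confirm that no new issues have surfaced, weed out false positives, document the issues) and the development-stage advice to run automated testing fit naturally into a build gate. The following is an added example, not the post’s or Checkmarx’s code: it compares a new scan against the baseline of the last release, honours recorded false-positive decisions, and fails the build only on findings that are genuinely new. The JSON report schema, the file names and the suppression list are assumptions constructed for illustration; a real scanner emits its own format, which only the loading step would need to adapt to.

```python
"""Gate a build on new static-analysis findings (added example)."""
import json

# Constructed sample reports, not real scan output.  Keys other than
# "line" identify the flaw; "line" is where the tool found it this time.
BASELINE_SCAN = json.dumps({"findings": [
    {"rule": "SQL_Injection", "file": "app/db.py", "line": 42,
     "sink": "cursor.execute", "source": "request.args['id']"},
    {"rule": "Reflected_XSS", "file": "app/views.py", "line": 17,
     "sink": "HttpResponse", "source": "request.GET['q']"},
]})
CURRENT_SCAN = json.dumps({"findings": [
    # same SQL injection, but unrelated edits shifted it three lines down
    {"rule": "SQL_Injection", "file": "app/db.py", "line": 45,
     "sink": "cursor.execute", "source": "request.args['id']"},
    # the XSS was fixed; a new path traversal appeared
    {"rule": "Path_Traversal", "file": "app/files.py", "line": 88,
     "sink": "open", "source": "request.args['name']"},
    # reviewed false positive: 'sort' is validated against an allow-list
    {"rule": "SQL_Injection", "file": "app/report.py", "line": 12,
     "sink": "cursor.execute", "source": "request.args['sort']"},
]})

# Triage decisions kept with the code so they survive every rescan.
# Keyed by fingerprint; the value is the documented reason.
SUPPRESSIONS = {
    "SQL_Injection:app/report.py:cursor.execute<-request.args['sort']":
        "reviewed: 'sort' is checked against an allow-list of column names",
}


def fingerprint(finding):
    """Stable identity of a finding.

    The line number is deliberately left out: editing unrelated code shifts
    it, and a shifted line must not be reported as a new vulnerability.
    """
    return "{rule}:{file}:{sink}<-{source}".format(**finding)


def load_findings(scan_json):
    """Parse a scan report (constructed schema) into {fingerprint: finding}."""
    return {fingerprint(f): f for f in json.loads(scan_json)["findings"]}


def triage(baseline_json, current_json, suppressions):
    """Split the current scan into new, known, suppressed and fixed findings."""
    before = load_findings(baseline_json)
    after = load_findings(current_json)
    result = {"new": [], "known": [], "suppressed": [], "fixed": [],
              "stale_suppressions": []}
    for fp in sorted(after):
        if fp in suppressions:
            result["suppressed"].append(fp)
        elif fp in before:
            result["known"].append(fp)        # already in the backlog
        else:
            result["new"].append(fp)          # this is what the gate is for
    result["fixed"] = sorted(fp for fp in before if fp not in after)
    # A suppression that matches nothing any more should be cleaned up,
    # otherwise it may silently cover a future, unrelated finding.
    result["stale_suppressions"] = sorted(s for s in suppressions if s not in after)
    return result


def build_passes(baseline_json, current_json, suppressions):
    """CI gate: fail only on findings that are neither known nor triaged away."""
    return not triage(baseline_json, current_json, suppressions)["new"]


def report(result):
    """One line per finding, grouped by bucket, for the build log."""
    return "\n".join(f"{bucket.upper():10} {fp}"
                     for bucket in ("new", "fixed", "known", "suppressed", "stale_suppressions")
                     for fp in result[bucket])


if __name__ == "__main__":
    outcome = triage(BASELINE_SCAN, CURRENT_SCAN, SUPPRESSIONS)
    print(report(outcome))
    raise SystemExit(0 if build_passes(BASELINE_SCAN, CURRENT_SCAN, SUPPRESSIONS) else 1)
```

Run as a build step, this fails the constructed example because of the new path traversal, while the relocated SQL injection stays a known backlog item and the reviewed false positive stays silent. Keeping the suppression list in version control is what turns “documenting the issues” from a spreadsheet into something the next scan actually honours.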

7 tips for picking the right security tool for your product.

  1. Ease of implementation – Security tools that come with a long list of system requirements and require complicated installation steps are simply not recommended.
  2. Results – Make sure that your developers can understand the scan results and locate the vulnerabilities easily.
  3. Compatibility – Make sure the security tool supports the languages, frameworks and databases you are working with.
  4. Development environment – Verify that the tool works with your source-control system (TFS, SVN) and with your IDE (Eclipse, Visual Studio).
  5. Working with Waterfall and Agile – Take note of the tool’s false-positive rate: in a Waterfall project there is no slack at the end to spend on false positives, and in an Agile environment the tool has to blend into short iterations without slowing them down.
  6. Make the most of your budget – Combining SAST/DAST tools with pen testing is the best way to go. On a tight budget, static source code analysis (SAST) is the recommended starting point.
  7. Support – Make sure the company supplying the tool has a good support team in place, with solid technical documentation and online information.

The bottom line.

Checkmarx recommends automating the testing process and integrating the security solution into the various development stages. The tool should be picked based on your specific needs. Pen testing is a great complementary measure for simulating attacks and testing the immunity of your finished product, but it cannot be relied upon as the only solution.
