Beginners Guide to
Application Security

The Secure SDLC

More and more organizations are ditching traditional sequential processes (e.g. Waterfall) for iterative development methodologies, commonly Agile and DevOps, which are built around continuous delivery of software driven by customer feedback. Traditional AppSec solutions are a poor fit for these setups because of their inherent deficiencies: they test a built, running application, which arrives too late in a short iteration. This is where Static Code Analysis (SCA) enters the picture.

The modern Software Development Life Cycle (SDLC) typically involves six stages:

  • Analysis – Establishing a high-level game plan for the development process.
  • Design – Preparing the software design as per the requirements.
  • Coding – This is where the magic happens and developers write the code.
  • Testing – Introduction of various QA procedures and security testing.
  • Deployment – At this stage, the application is released and used by the customer.
  • Maintenance – Elimination of reported bugs/vulnerabilities with patches/updates.

 
While traditional AppSec solutions (e.g. DAST) enter the picture in the later stages of the SDLC (just before deployment, or after the full code has been built and compiled), Static Code Analysis (SCA) can be integrated into the development process for early vulnerability remediation, during coding, when a fix is cheapest. Furthermore, leading SCA solutions offer in-depth analysis of the scan results, which can also be exported for offline discussion and planning, something that helps in creating a secure SDLC (sSDLC).

Leading SCA solutions are easy to integrate into the development environment as they are compatible with a wide range of frameworks and can scan multiple coding languages.
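To make concrete what "scanning uncompiled source during the Coding stage" means, here is an added example (not Checkmarx code and not from the original post) of a toy static analyser in Python: it parses a constructed source sample into an AST and reports the vulnerable lines together with a remediation hint, without building or running the code. The rule table, the sample source and the function names are assumptions of the example.

```python
import ast

# Constructed sample of uncompiled source: the artifact a static analyser inspects.
SAMPLE_SOURCE = '''
import subprocess

def run_report(user_input):
    cmd = "report --name " + user_input
    return subprocess.call(cmd, shell=True)

def load_config(text):
    return eval(text)

def safe_call(args):
    return subprocess.call(args)
'''

# Hypothetical rule table (an assumption of this example): risky callee -> fix hint.
RULES = {"eval": "use ast.literal_eval or a real parser",
         "exec": "do not execute dynamically built code"}
SHELL_CALLS = ("subprocess.call", "subprocess.run", "subprocess.Popen")

def _callee(node):
    """Dotted name of the called function, e.g. 'subprocess.call'."""
    f = node.func
    if isinstance(f, ast.Name):
        return f.id
    if isinstance(f, ast.Attribute) and isinstance(f.value, ast.Name):
        return f"{f.value.id}.{f.attr}"
    return ""

def scan_source(source):
    """Return (line, finding, remediation) tuples, sorted by line number."""
    findings = []
    for node in ast.walk(ast.parse(source)):
        name = _callee(node) if isinstance(node, ast.Call) else ""
        if name in RULES:
            findings.append((node.lineno, f"call to {name}()", RULES[name]))
        elif name in SHELL_CALLS and any(
                k.arg == "shell" and getattr(k.value, "value", None) is True
                for k in node.keywords):
            # shell=True with a string command is the classic command-injection shape
            findings.append((node.lineno, f"{name}(shell=True)",
                             "pass an argument list and drop shell=True"))
    return sorted(findings)

if __name__ == "__main__":
    for line, what, fix in scan_source(SAMPLE_SOURCE):
        print(f"line {line}: {what} -> {fix}")
```

Note that `safe_call`, which passes an argument list without `shell=True`, produces no finding: a rule has to describe the vulnerable shape precisely, or the scan drowns developers in false positives.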

 

Dina Shkolnik

Interested in trying CxSAST on your own code? You can now use Checkmarx's solution to scan uncompiled / unbuilt source code in 18 coding and scripting languages and identify the vulnerable lines of code. CxSAST will even find the best-fix locations for you and suggest the best remediation techniques. Sign up for your FREE trial now.

Checkmarx is now offering you the opportunity to see how CxSAST identifies application-layer vulnerabilities in real-time. Our in-house security experts will run the scan and demonstrate how the solution's queries can be tweaked as per your specific needs and requirements. Fill in your details and we'll schedule a FREE live demo with you.