With more and more leading applications and websites being hacked, internet users are thinking twice before sharing personal information online. With hacktivism, commercial espionage and criminal hacking on the rise, it has become crucial to safeguard databases and make sure that adequate application-layer security is in place.
Unfortunately, the responsibility for providing this security often falls on the narrow shoulders of the QA teams. Operating under tight deadlines, they already have their hands full, and glaring security issues end up unaddressed.
Not all companies have the resources needed to enjoy the services of staff trained to tackle vulnerabilities. Even hiring skilled security professionals is not always “pocket-friendly”. But there is good news. Healthy coding practices and smart vulnerability tool selection can help boost your product’s “immunity” and minimize the need for post-production maintenance.
The demand for secure software is rising because customers handle sensitive information and new security standards keep appearing in the IT industry. Benchmarks such as the OWASP Top 10 and PCI have already made their mark. The booming cloud technology also requires good protection.
The following steps should be taken to reach the relevant security targets:
- Defining security as a necessity – This simple and straightforward realization must precede the implementation stage.
- Providing adequate security training – QA teams today rarely have formal security training or know-how. Security-related tutorials, seminars and webinars usually help in getting the process started.
- Planning and implementing a security policy – Properly defining the testing procedure and implementing the security tools are the only ways to develop safe products. This procedure should include: checking the automated scanning results, making sure that no new problems or issues have surfaced, looking out for false positives, and documenting the issues.
Best solutions for security issues.
Application and information security today can be divided into three main categories.
- Code Reviewing – Hiring external companies to manually review the code against coding standards.
- Automatic Penetration Test – Simulating attacks to test application vulnerability.
- Static Code Analysis – The scanning of source or binary code to find pre-release loopholes.
| | Static Code Analysis | Dynamic Testing Tools | Pen Testing |
|---|---|---|---|
| Preparation | Not needed | Preparation needed | Not needed |
| Coverage Limitations | Only specific run-time trajectories are available | Not all vulnerabilities can be scanned for | Very limited coverage |
| Scanning Limitations | Negligible | Limitations exist | Impossible to get 100% coverage |
| False Positives | Very few | Almost non-existent | Almost non-existent |
| Vulnerability Location | The tool points exactly at the problematic points in the code | Complicated; the tester needs to have security know-how | Complicated; the tester needs to have security know-how |
| Life Cycle Integration | Full integration | Only post-production | Only post-production |
| Ability To Test Dedicated Processes | Preparation needed | Preparation needed | Fully possible |
| Availability | Immediate | Immediate after making the required preparations | Requires coordination with external personnel |
| Cost | Very cost-friendly | Depends on product | Not cost-friendly |
Secure Software Development Life Cycle (sSDLC).
Secure development life-cycles are a must for ensuring that software is released with a minimum amount of loopholes. The most comprehensive and effective way is to adopt a three-point strategy during the development process:
- Planning stage – Investment in security should start from the beginning. Programmers are advised to consult with security experts and implement their advice to avoid problems in later stages of the development.
- Development stage – Implementing automatic testing solutions in this stage of production is a good idea. This helps in pointing at security issues early in the process and also guides testers who are not “security-savvy”.
- Pre-release stage – Companies with the appropriate finances and resources can make sure their product is safe by hiring the services of Pen Testers. The application immunity is then tested by conducting real-time attacks.
7 tips for picking the right security tool for your product.
- Ease of implementation – Security tools that come with a long list of system requirements and require complicated installation steps are simply not recommended.
- Results – Make sure that your developers can understand the scan results and locate the vulnerabilities easily.
- Compatibility – Make sure the security tool is compatible with the framework and databases you are working with.
- Development environment – You should also verify that your tool can work with your code management tool (TFS, SVN). Development environment (Eclipse, Visual Studio) compatibility should also be examined.
- Working with Waterfall and Agile – Developers should take note of the tool’s false-positive performance, as in Waterfall there is no extra time to waste on false positives. If working in an Agile environment, it’s important that the security solution blends in well.
- Make the most of your budget – Combining SAST/DAST security tools with Pen Testing is the best way to go. But when running on a tight budget, Source Code Analysis (SCA) is highly recommended.
- Support – Make sure the company supplying you the security tool has a good support team in place with good technical documentation and online information.
The bottom line.
Checkmarx recommends automating the testing process and integrating the security solution into the various development stages. The tool should be picked based on your specific needs. Pen Testing is a great complementary tool for simulating attacks and testing the immunity of your finished product, but it cannot be relied upon as the only solution.