5 steps for application security


The software development lifecycle can be a double-edged sword. On one hand, software needs to be developed with usability in mind, and it needs to be produced quickly. On the other hand, it also needs to maintain a solid security base. Having those two sides in equal measure is easier said than done. Darren Meyer, Senior Security Researcher for Veracode, walks us through five steps for secure application development and deployment.

How strong is your app development process?
Secure application development and deployment requires a lot of heavy lifting by several different players throughout the process. Here are five tips to ensure your app security holds up long after deployment.

Test the software early and often throughout the SDLC
“Asking development teams to produce secure software without systematic testing is a bit like asking someone to drive the speed limit without giving them a speedometer,” Meyer said.

Everyone from developers to project managers and security professionals needs regular feedback about the security quality of what they’re developing. Without it, there is no way for them to know how well they are doing, and security issues tend to stay hidden until late in the project, when they become difficult and expensive to repair.

“The closer we can get to daily security testing, the more likely our developers will find and avoid security weaknesses,” Meyer added.

Educate the entire development team, not just the developers, on security
Everyone involved in producing software, from the managers down to the individual coders, QA, and systems engineers, needs a basic understanding of application security fundamentals.

“This helps avoid common weaknesses and makes it much more likely that the security team will be included in key decisions,” Meyer said.

Set clear, measurable security objectives
It is unfair to ask development teams to produce high-quality products and code without giving them clear criteria against which to measure their own performance, and a written policy on its own is not sufficient.

“If it can’t be captured as a project requirement, item on an Agile backlog, acceptance criterion, or the like – we should expect it to be largely ignored,” Meyer said.

Review and test third-party components
Development teams almost certainly include third-party components, from application servers and frameworks to utility libraries, in the products they produce. But security is a “weakest link” issue.

“An insecure component can completely undermine even the most security-conscious development practices. That means we must include software and components from our software supply chain in our security testing and review program,” Meyer explained.

Routinely test in production
Once something has come out of testing and development, it should still be tested in its production environment. Production servers are often different from where the software was initially coded and tested, and new exploits and tactics, as well as new vulnerabilities that didn’t exist during development, could emerge.

“…we aren’t done testing just because our software is in production. We have to have a strategy for making sure that our production software is routinely tested with up-to-date tools so we can find weaknesses before our adversaries, and take action to repair them,” Meyer said.
