Tuesday, May 22, 2012

AppSec Shouldn't Be Something Special You Do

To really improve the security posture of applications, development shops must get to a place where security is simply part of their normal development process. In other words, designing secure software and writing hack-proof code shouldn't be a special side project, nor something considered for the first time during the testing phase.

Making application security an inherent part of your SDLC can be done on a gradual basis. You could start with instructor-led training of developers to teach them appsec concepts. I did this type of training for several years. A more scalable way to teach developers is computer-based training (CBT), also known as eLearning. This may be your only option with hundreds or thousands of developers on staff and a limited budget.

Another key piece of building security into your SDLC is regular static and dynamic testing of applications. The goal is to find vulnerabilities and fix them before going live. Static analysis looks at an application from the inside out, examining its source or binaries. You may also hear this referred to as white-box testing or static application security testing (SAST). Static analysis can be done for any type of application (web, thick client, mobile, glue code, etc.). Dynamic testing involves looking at a running web application from the outside in, exercising it with inputs the way a user or attacker would, and is also known as black-box testing or dynamic application security testing (DAST). Both static and dynamic testing should be done to have the best chance of finding all the vulnerabilities. They are complementary approaches, although there is some overlap in the issues they can find.
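To make the inside-out versus outside-in distinction concrete, here is an added example that is not from the post. It is written in Python against a constructed two-function sample application (not real project code): a minimal SAST-style rule walks the source's syntax tree looking for `cursor.execute()` calls whose query text is not a literal, and a DAST-style probe runs each function against a throwaway SQLite database with a legitimate-looking input containing an apostrophe and records which function breaks. The rule, the probe value and the sample functions are all assumptions chosen for illustration; a real scanner has far more rules, but the overlap the post describes (both approaches flagging the same defect) is visible even at this size.

```python
import ast
import sqlite3

# Constructed sample "application" source (not from the post): one function builds
# its query by string concatenation, the other uses a parameterised query.
SAMPLE_SOURCE = '''
def find_user_unsafe(cursor, name):
    return cursor.execute("SELECT id FROM users WHERE name = '" + name + "'")

def find_user_safe(cursor, name):
    return cursor.execute("SELECT id FROM users WHERE name = ?", (name,))
'''


def static_findings(source):
    """SAST-style check (inside out): parse the source and report every top-level
    function that calls .execute() with a query argument that is not a plain literal.
    No code is run; this works on code that is never called at runtime too."""
    findings = []
    for func in ast.parse(source).body:
        if not isinstance(func, ast.FunctionDef):
            continue
        for node in ast.walk(func):
            if (isinstance(node, ast.Call)
                    and isinstance(node.func, ast.Attribute)
                    and node.func.attr == "execute"
                    and node.args
                    and not isinstance(node.args[0], ast.Constant)):
                findings.append(func.name)
                break
    return findings


def load_functions(source):
    """Turn the sample source into callables so the dynamic check can exercise them.
    exec() is used only because the sample is constructed and embedded here."""
    namespace = {}
    exec(source, namespace)
    return {name: obj for name, obj in namespace.items()
            if callable(obj) and not name.startswith("__")}


def dynamic_findings(functions):
    """DAST-style check (outside in): call each function against a live database
    with an ordinary name that contains an apostrophe. The source is never inspected;
    a database error means the input reached the query text unparameterised."""
    findings = []
    for name, func in sorted(functions.items()):
        conn = sqlite3.connect(":memory:")
        conn.execute("CREATE TABLE users (id INTEGER, name TEXT)")
        conn.execute("INSERT INTO users VALUES (1, 'alice')")
        try:
            func(conn.cursor(), "O'Brien").fetchall()
        except sqlite3.Error:
            findings.append(name)
        finally:
            conn.close()
    return findings


if __name__ == "__main__":
    print("static  (SAST):", static_findings(SAMPLE_SOURCE))
    print("dynamic (DAST):", dynamic_findings(load_functions(SAMPLE_SOURCE)))
```

Both checks single out `find_user_unsafe`. The static rule would still flag it if the function were dead code, and the dynamic probe would still catch it if only a compiled artifact were available, which is the complementarity the paragraph above refers to.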