Application Security: Next-Gen Security Includes Architectural Blueprinting

May 9, 2018 by Srinivas Kedarisetty

Application security, as viewed by standards bodies like Object Management Group (OMG), is an architectural issue.  OMB reports that over 90 percent of software outages are caused by architectural design flaws. Despite the heightened awareness and business priority around breach prevention, we see these problems persist because there remains a lack of visibility into secure software design.

Application security requires a team approach to secure application architecture

For most organizations, software development is a highly decentralized and compartmentalized process. Security teams, QA professionals, Architects and Developers largely operate under different mandates and only occasionally come together to align on output, productivity and security goals. For example, software architects are typically focused on enabling end-user functionality with optimal software design and don’t always consider ways software can be breached.

To reduce these hurdles and help teams secure software development, CAST has released a Security Dashboard that unites these teams around Software Intelligence based on the structural analysis of software, pointing to the most important and critical security flaws in design.

CAST Security Dashboard

The CAST Security Dashboard generates accurate security findings by blueprinting architectural dependencies in software to reduce noise and false positives while helping teams:

  • Design security into applications from the beginning of the SDLC.
  • Secure architectural governance to ensure maximum uptime.
  • Focus effort on contextual and critical security vulnerabilities by eliminating false positives.
  • Benchmark application security over time to demonstrate continuous improvement.

Application security needs Static Application Security Testing

“Static application security testing (SAST) remains the best pre-release testing tool for catching tricky data flow issues and issues such as cross-site request forgery (CSRF) that tools such as dynamic application security testing (DAST) have trouble finding.” wrote Amy DeMartine, Principal Analyst and author of The Forrester Wave™: Static Application Security Testing, Q4 2017.

CAST was ranked as a Strong Performer in this report, due to the high accuracy of our findings and breadth of language support. As my colleague wrote in December, SAST is instrumental in helping organizations leverage application security standards and automate the identification and remediation of application security vulnerabilities.

Application security standards supported by CAST

With the release of the Security Dashboard, CAST has expanded its coverage of application security standards to help ensure teams are using secure coding practices as they rapidly work to create or enhance applications, preventing missed defects or high-risk deployments.

CAST Security Dashboard_CWE

The Security Dashboard looks at OWASP and CWE rules throughout the SDLC, including:

  • Risk assessment
  • Static code analysis (SAST)
  • Vulnerability assessment
  • Post-deployment monitoring

To learn more about starting or creating a more robust application security posture, check out my latest article, Two Key Steps to Improve Your Application Security Program.

Filed in: Application Security Risk & Security Software Intelligence Software Security
Tagged: Application Blueprinting application security AppSec Architecture and Governance blueprints build security in DAST design security in IAST SAST secure applications secure coding Secure Design secure engineering Secure Software secure testing security architect security best practices Static Application Security Testing top security solutions
  This report describes the effects of different industrial factors on structural quality. Structural quality differed across technologies with COBOL applications generally having the lowest densities of critical weaknesses, while JAVA-EE had the highest densities. While structural quality differed slightly across industry segments, there was almost no effect from whether the application was in- or outsourced, or whether it was produced on- or off-shore. Large variations in the densities in critical weaknesses across applications suggested the major factors in structural quality are more related to conditions specific to each application. CRASH Report 2020: CAST Research on the Structural Condition of Critical Applications Report
Open source is part of almost every software capability we use today. At the very least libraries, frameworks or databases that get used in mission critical IT systems. In some cases entire systems being build on top of open source foundations. Since we have been benchmarking IT software for years, we thought we would set our sights on some of the most commonly used open source software (OSS) projects. Software Intelligence Report <> Papers
Making sense of cloud transitions for financial and telecoms firms Cloud migration 2.0: shifting priorities for application modernization in 2019 Research Report
Srinivas Kedarisetty
Srinivas Kedarisetty Security Product Owner
Srinivas has more than 18 years of experience in leading IT delivery teams across India, the U.S. and Europe while managing product security, microservices and SDK. Highly skilled in developing and driving products from conception through the entire product lifecycle, Srinivas has a track record of improving products and teams to create value for customers.
More Posts from Srinivas >>

Write a review Average rating:
()
Newest on top Oldest on top
Load more reviews
Thank you for the review! Your review must be approved first
You've already submitted a review for this item
|
()