Application Security: Next-Gen Security Includes Architectural Blueprinting

by Srinivas Kedarisetty

Application security, as viewed by standards bodies like the Object Management Group (OMG), is an architectural issue. OMG reports that over 90 percent of software outages are caused by architectural design flaws. Despite the heightened awareness and business priority around breach prevention, we see these problems persist because there remains a lack of visibility into secure software design.

Application security requires a team approach to secure application architecture

For most organizations, software development is a highly decentralized and compartmentalized process. Security teams, QA professionals, architects and developers largely operate under different mandates and only occasionally come together to align on output, productivity and security goals. For example, software architects are typically focused on enabling end-user functionality with optimal software design and don’t always consider the ways software can be breached.

To reduce these hurdles and help teams secure software development, CAST has released a Security Dashboard that unites these teams around Software Intelligence based on the structural analysis of software, pointing to the most important and critical security flaws in design.

CAST Security Dashboard

The CAST Security Dashboard generates accurate security findings by blueprinting architectural dependencies in software to reduce noise and false positives while helping teams:

  • Design security into applications from the beginning of the SDLC.
  • Secure architectural governance to ensure maximum uptime.
  • Focus effort on contextual and critical security vulnerabilities by eliminating false positives.
  • Benchmark application security over time to demonstrate continuous improvement.

Application security needs Static Application Security Testing

“Static application security testing (SAST) remains the best pre-release testing tool for catching tricky data flow issues and issues such as cross-site request forgery (CSRF) that tools such as dynamic application security testing (DAST) have trouble finding,” wrote Amy DeMartine, Principal Analyst and author of The Forrester Wave™: Static Application Security Testing, Q4 2017.

CAST was ranked as a Strong Performer in this report, due to the high accuracy of our findings and breadth of language support. As my colleague wrote in December, SAST is instrumental in helping organizations leverage application security standards and automate the identification and remediation of application security vulnerabilities.

Application security standards supported by CAST

With the release of the Security Dashboard, CAST has expanded its coverage of application security standards to help ensure teams are using secure coding practices as they rapidly work to create or enhance applications, preventing missed defects or high-risk deployments.

Figure: CAST Security Dashboard, CWE view

The Security Dashboard looks at OWASP and CWE rules throughout the SDLC, including:

  • Risk assessment
  • Static code analysis (SAST)
  • Vulnerability assessment
  • Post-deployment monitoring

To learn more about starting or creating a more robust application security posture, check out my latest article, Two Key Steps to Improve Your Application Security Program.

Srinivas Kedarisetty, Security Product Owner
Srinivas has more than 18 years of experience in leading IT delivery teams across India, the U.S. and Europe while managing product security, microservices and SDK. Highly skilled in developing and driving products from conception through the entire product lifecycle, Srinivas has a track record of improving products and teams to create value for customers.