Application security, as viewed by standards bodies like the Object Management Group (OMG), is an architectural issue. OMG reports that over 90 percent of software outages are caused by architectural design flaws. Despite the heightened awareness and business priority around breach prevention, these problems persist because there is still a lack of visibility into secure software design.
Application security requires a team approach to secure application architecture
For most organizations, software development is a highly decentralized and compartmentalized process. Security teams, QA professionals, architects and developers largely operate under different mandates and only occasionally come together to align on output, productivity and security goals. For example, software architects are typically focused on enabling end-user functionality through optimal software design and don’t always consider the ways software can be breached.
To reduce these hurdles and help teams secure software development, CAST has released a Security Dashboard that unites these teams around Software Intelligence based on the structural analysis of software, pointing to the most important and critical security flaws in design.
The CAST Security Dashboard generates accurate security findings by blueprinting architectural dependencies in software to reduce noise and false positives while helping teams:
- Design security into applications from the beginning of the SDLC.
- Secure architectural governance to ensure maximum uptime.
- Focus effort on contextual and critical security vulnerabilities by eliminating false positives.
- Benchmark application security over time to demonstrate continuous improvement.
Application security needs Static Application Security Testing
“Static application security testing (SAST) remains the best pre-release testing tool for catching tricky data flow issues and issues such as cross-site request forgery (CSRF) that tools such as dynamic application security testing (DAST) have trouble finding,” wrote Amy DeMartine, Principal Analyst and author of The Forrester Wave™: Static Application Security Testing, Q4 2017.
CAST was ranked as a Strong Performer in this report, due to the high accuracy of our findings and breadth of language support. As my colleague wrote in December, SAST is instrumental in helping organizations leverage application security standards and automate the identification and remediation of application security vulnerabilities.
Application security standards supported by CAST
With the release of the Security Dashboard, CAST has expanded its coverage of application security standards to help ensure teams are using secure coding practices as they rapidly work to create or enhance applications, preventing missed defects or high-risk deployments.
The Security Dashboard looks at OWASP and CWE rules throughout the SDLC, including:
- Risk assessment
- Static code analysis (SAST)
- Vulnerability assessment
- Post-deployment monitoring
To learn more about starting or creating a more robust application security posture, check out my latest article, Two Key Steps to Improve Your Application Security Program.