Application Security: Smart Software Design Techniques to Shift Left

Apr 13, 2018 by Richard Symmonds

Application security is a major challenge for IT organisations that are adopting DevOps and DevSecOps in hopes to build better applications, improve application security and support an influx of business demands. Shifting-left is not a new concept in IT, however the majority of shift-left methods remain focused on software testing. This is not enough to ensure software security from the outset.

Application security and shifting left
Popular developer learning community DZone recommends shifting-left on design thinking. But they define design thinking as defining and understanding business requirements in the design stage of software development. No doubt, this is a very important step – one that should not be overlooked – particularly given the statistic that 70% of software projects fail due to poor requirements. What this mindset fails to recognise, though, is that software design should include an objective understanding and blueprint of as-is and to-be software architecture. You want to understand your current application and how security can be built-in as part of any changes or additions.

Establishing a blueprint of complex software of as-is software at the design stage guides ongoing software development and IT modernisation efforts by providing contextual software analysis at the beginning and along the way.

Research from Forrester suggests that incorporating Static Application Security Testing (SAST) in software design “remains the best prerelease testing tool for catching tricky data flow issues and issues such as cross-site request forgery (CSRF) that tools such as dynamic application security testing have trouble finding.” Security and development professionals should use SAST because:

  • SAST helps developers fix security weaknesses while they develop.
  • SAST helps teach developers how to write secure code.

Beyond the benefits listed by Forrester, introducing this kind of Software Intelligence at the design stage aids in the establishment of architectural rules that are specific to the requirements of your environment. In fact, I’m speaking on this exact subject at the upcoming Enterprise Security and Risk Management conference in London this month.

Application security built into software must include:

  • Ensuring application security in design and build stages via contextual software analysis or similar measures.
  • Leveraging contextual software analysis to ensure security in design and build.
  • Establishing a measurement process to benchmark and assess software risk in your development cycles.

If you’re beginning a new project or in the middle of a modernisation effort, check out our Two Key Steps to Improve Your Application Security Program. Getting accurate and comprehensive analytics about the quality and security of your software is possible and automatable.

Filed in: Application Security Software Intelligence Software Security
Tagged: application architecture Application Blueprinting application security AppSec breach cve cwe data breach Data Security DevOps DevSecOps OWASP OWASP top ten PCI protect data SAST Secure application architecture secure coding Secure coding practices secure testing security testing best practices software blueprinting Software security
Get the Pulse Newsletter Sign up for the latest Software Intelligence news Subscribe Now <>
Open source is part of almost every software capability we use today. At the very least libraries, frameworks or databases that get used in mission critical IT systems. In some cases entire systems being build on top of open source foundations. Since we have been benchmarking IT software for years, we thought we would set our sights on some of the most commonly used open source software (OSS) projects. Software Intelligence Report <> Papers
In our 29-criteria evaluation of the static application security testing (SAST) market, we identified the 10 most significant vendors — CAST, CA Veracode, Checkmarx, IBM, Micro Focus, Parasoft, Rogue Wave Software, SiteLock, SonarSource, and Synopsys — and researched, analyzed, and scored them. This report shows how each measures up and helps security professionals make the right choice. Forrester Wave: Static Application Security Testing, Q4 2017 Analyst Paper
Making sense of cloud transitions for financial and telecoms firms Cloud migration 2.0: shifting priorities for application modernization in 2019 Research Report
Richard Symmonds
Richard Symmonds Technical Director
Richard is a proven technologist with more than 20 years of experience in the field. He specializes in the optimization of software development lifecycles using waterfall and agile (Scrum and Kanban). He has managed global development teams of more than 100 individuals and is experienced with offshore, near shore and insourcing.
More Posts from Richard >>
Load more reviews
Thank you for the review! Your review must be approved first
Rating
New code

You've already submitted a review for this item

|

Get a Demo    •    Contact Us    •     Support    •     The Software Intelligence Pulse    •     Privacy Policy    •     SiteMap    •     Glossary    •     Archive

Copyright 2019 - CAST | All Rights Reserved