Application Security: Smart Software Design Techniques to Shift Left

Apr 13, 2018 by Richard Symmonds

Application security is a major challenge for IT organisations that are adopting DevOps and DevSecOps in hopes to build better applications, improve application security and support an influx of business demands. Shifting-left is not a new concept in IT, however the majority of shift-left methods remain focused on software testing. This is not enough to ensure software security from the outset.

Application security and shifting left
Popular developer learning community DZone recommends shifting-left on design thinking. But they define design thinking as defining and understanding business requirements in the design stage of software development. No doubt, this is a very important step – one that should not be overlooked – particularly given the statistic that 70% of software projects fail due to poor requirements. What this mindset fails to recognise, though, is that software design should include an objective understanding and blueprint of as-is and to-be software architecture. You want to understand your current application and how security can be built-in as part of any changes or additions.

Establishing a blueprint of complex software of as-is software at the design stage guides ongoing software development and IT modernisation efforts by providing contextual software analysis at the beginning and along the way.

Research from Forrester suggests that incorporating Static Application Security Testing (SAST) in software design “remains the best prerelease testing tool for catching tricky data flow issues and issues such as cross-site request forgery (CSRF) that tools such as dynamic application security testing have trouble finding.” Security and development professionals should use SAST because:

 

  • SAST helps developers fix security weaknesses while they develop.
  • SAST helps teach developers how to write secure code.

Beyond the benefits listed by Forrester, introducing this kind of Software Intelligence at the design stage aids in the establishment of architectural rules that are specific to the requirements of your environment. In fact, I’m speaking on this exact subject at the upcoming Enterprise Security and Risk Management conference in London this month.

Application security built into software must include:

  • Ensuring application security in design and build stages via contextual software analysis or similar measures.
  • Leveraging contextual software analysis to ensure security in design and build.
  • Establishing a measurement process to benchmark and assess software risk in your development cycles.

If you’re beginning a new project or in the middle of a modernisation effort, check out our Two Key Steps to Improve Your Application Security Program. Getting accurate and comprehensive analytics about the quality and security of your software is possible and automatable.

Filed in: Application Security Software Intelligence Software Security
Tagged: application architecture Application Blueprinting application security AppSec breach cve cwe data breach Data Security DevOps DevSecOps OWASP OWASP top ten PCI protect data SAST Secure application architecture secure coding Secure coding practices secure testing security testing best practices software blueprinting Software security
  This report describes the effects of different industrial factors on structural quality. Structural quality differed across technologies with COBOL applications generally having the lowest densities of critical weaknesses, while JAVA-EE had the highest densities. While structural quality differed slightly across industry segments, there was almost no effect from whether the application was in- or outsourced, or whether it was produced on- or off-shore. Large variations in the densities in critical weaknesses across applications suggested the major factors in structural quality are more related to conditions specific to each application. CRASH Report 2020: CAST Research on the Structural Condition of Critical Applications Report
Open source is part of almost every software capability we use today. At the very least libraries, frameworks or databases that get used in mission critical IT systems. In some cases entire systems being build on top of open source foundations. Since we have been benchmarking IT software for years, we thought we would set our sights on some of the most commonly used open source software (OSS) projects. Software Intelligence Report <> Papers
Making sense of cloud transitions for financial and telecoms firms Cloud migration 2.0: shifting priorities for application modernization in 2019 Research Report
Richard Symmonds
Richard Symmonds Technical Director
Richard is a proven technologist with more than 20 years of experience in the field. He specializes in the optimization of software development lifecycles using waterfall and agile (Scrum and Kanban). He has managed global development teams of more than 100 individuals and is experienced with offshore, near shore and insourcing.
More Posts from Richard >>

Write a review Average rating:
()
Newest on top Oldest on top
Load more reviews
Thank you for the review! Your review must be approved first
You've already submitted a review for this item
|
()