Application Security: Smart Software Design Techniques to Shift Left

Apr 13, 2018 by Richard Symmonds

Application security is a major challenge for IT organisations that are adopting DevOps and DevSecOps in hopes to build better applications, improve application security and support an influx of business demands. Shifting-left is not a new concept in IT, however the majority of shift-left methods remain focused on software testing. This is not enough to ensure software security from the outset.

Application security and shifting left
Popular developer learning community DZone recommends shifting-left on design thinking. But they define design thinking as defining and understanding business requirements in the design stage of software development. No doubt, this is a very important step – one that should not be overlooked – particularly given the statistic that 70% of software projects fail due to poor requirements. What this mindset fails to recognise, though, is that software design should include an objective understanding and blueprint of as-is and to-be software architecture. You want to understand your current application and how security can be built-in as part of any changes or additions.

Establishing a blueprint of complex software of as-is software at the design stage guides ongoing software development and IT modernisation efforts by providing contextual software analysis at the beginning and along the way.

Research from Forrester suggests that incorporating Static Application Security Testing (SAST) in software design “remains the best prerelease testing tool for catching tricky data flow issues and issues such as cross-site request forgery (CSRF) that tools such as dynamic application security testing have trouble finding.” Security and development professionals should use SAST because:

 

  • SAST helps developers fix security weaknesses while they develop.
  • SAST helps teach developers how to write secure code.

Beyond the benefits listed by Forrester, introducing this kind of Software Intelligence at the design stage aids in the establishment of architectural rules that are specific to the requirements of your environment. In fact, I’m speaking on this exact subject at the upcoming Enterprise Security and Risk Management conference in London this month.

Application security built into software must include:

  • Ensuring application security in design and build stages via contextual software analysis or similar measures.
  • Leveraging contextual software analysis to ensure security in design and build.
  • Establishing a measurement process to benchmark and assess software risk in your development cycles.

If you’re beginning a new project or in the middle of a modernisation effort, check out our Two Key Steps to Improve Your Application Security Program. Getting accurate and comprehensive analytics about the quality and security of your software is possible and automatable.

Filed in: Application Security Software Intelligence Software Security
Tagged: application architecture Application Blueprinting application security AppSec breach cve cwe data breach Data Security DevOps DevSecOps OWASP OWASP top ten PCI protect data SAST Secure application architecture secure coding Secure coding practices secure testing security testing best practices software blueprinting Software security
Cloud Smart: How to Ensure an Efficient and Secure Journey
Cloud Smart: How to Ensure an Efficient and Secure Journey
Recorded Webinar
Software Intelligence at the core of M&A Advisory

Erik Oltmans, an Associate Partner from EY, Netherlands, spoke at the Software Intelligence Forum on how the consulting behemoth uses Software Intelligence in its Transaction Advisory services. 

Erik describes the changing landscape of M & A. Besides the financial and commercial aspects, PE firms now equally value technical assessments, especially for targets with significant software assets. He goes on to detail how CAST Highlight makes these assessments possible with limited access to the target’s systems, customized quality metrics, and liability implications of open source components - all three that are critical for an M&A due diligence.

Video Interview
Eliminate vulnerabilities while improving performance
CAST AIP was implemented for a Federal Law Enforcement Agency in the US. CAST AIP helped identify and resolve several critical violations and flaws in the software leading to an immediate saving of ~ $250K in software maintenance.
Case Study
Richard Symmonds
Richard Symmonds Technical Director
Richard is a proven technologist with more than 20 years of experience in the field. He specializes in the optimization of software development lifecycles using waterfall and agile (Scrum and Kanban). He has managed global development teams of more than 100 individuals and is experienced with offshore, near shore and insourcing.
More Posts from Richard >>

Write a review Average rating:
()
Newest on top Oldest on top
Load more reviews
Thank you for the review! Your review must be approved first
You've already submitted a review for this item
|
()