Takeaways from ESRM: Not All AppSec Programs Are Created Equal

by Richard Symmonds

The recent ESRM event in London was the place to be last week to hear about all things application security. Throughout the day, it was clear that there are many approaches to securing software within an organisation. My own presentation focused on the software built within organisations and the plain truth that not everybody knows as much as they should about their own applications.

Traditional code-checking tools are table stakes at this point, but they frequently flag false positives. Using Software Intelligence to conduct a contextual analysis of software can help reduce those false positives. Contextual software analysis dives deeper than “code smells” to identify more complex and sophisticated flaws that can have a big impact on business operations. These include:

  • Malicious code gaining forbidden access to data
  • Lack of input validation
  • Back door entry points
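As an added illustration of the difference between a “code smell” check and a contextual one (this is example code written for this page, not code from the post or from CAST’s tooling), the following Python toy analyser tracks whether user input reaches a dangerous call without passing through a validation step. The source, sink and sanitiser lists, and the sample program it scans, are constructed assumptions for the example; a pattern check reports every dangerous call, while the contextual check reports only the one that an unvalidated value actually reaches.

```python
import ast

# Assumed lists for this toy analyser (not CAST's rules): where untrusted data
# enters, where it becomes dangerous, and which calls count as validation.
SOURCES = {"input"}
SINKS = {"os.system", "subprocess.call"}
SANITIZERS = {"int", "shlex.quote"}


def call_name(node):
    """Return the dotted callee name of a Call node ('os.system'), or None."""
    func = node.func
    parts = []
    while isinstance(func, ast.Attribute):
        parts.append(func.attr)
        func = func.value
    if isinstance(func, ast.Name):
        parts.append(func.id)
        return ".".join(reversed(parts))
    return None


def is_tainted(expr, tainted):
    """True if the expression carries external input with no validation in between."""
    if isinstance(expr, ast.Call):
        name = call_name(expr)
        if name in SANITIZERS:
            return False  # a validation call cuts the taint path
        if name in SOURCES:
            return True
        return any(is_tainted(arg, tainted) for arg in expr.args)
    if isinstance(expr, ast.Name):
        return expr.id in tainted
    if isinstance(expr, ast.BinOp):
        return is_tainted(expr.left, tainted) or is_tainted(expr.right, tainted)
    if isinstance(expr, ast.JoinedStr):  # f-strings
        return any(is_tainted(v.value, tainted)
                   for v in expr.values if isinstance(v, ast.FormattedValue))
    return False


def pattern_findings(source):
    """'Code smell' check: every call to a sink is reported, context ignored."""
    tree = ast.parse(source)
    return sorted(node.lineno for node in ast.walk(tree)
                  if isinstance(node, ast.Call) and call_name(node) in SINKS)


def contextual_findings(source):
    """Report a sink only when unvalidated input actually reaches it.

    Intra-procedural and straight-line only: taint is tracked per function
    body, statement by statement, which is enough to show the idea.
    """
    tree = ast.parse(source)
    findings = []
    for func in (n for n in ast.walk(tree) if isinstance(n, ast.FunctionDef)):
        tainted = set()  # names currently holding unvalidated input
        for stmt in func.body:
            if isinstance(stmt, ast.Assign):
                names = {t.id for t in stmt.targets if isinstance(t, ast.Name)}
                if is_tainted(stmt.value, tainted):
                    tainted |= names
                else:
                    tainted -= names  # reassigned with a clean value
            for node in ast.walk(stmt):
                if (isinstance(node, ast.Call) and call_name(node) in SINKS
                        and any(is_tainted(a, tainted) for a in node.args)):
                    findings.append(node.lineno)
    return sorted(findings)


# Constructed sample program for the analyser to scan (line numbers in comments).
SAMPLE = '''
import os, shlex

def run_ping_unsafe():
    host = input("host: ")
    os.system("ping -c 1 " + host)   # line 6: raw input reaches a shell

def run_ping_safe():
    host = shlex.quote(input("host: "))
    os.system("ping -c 1 " + host)   # line 10: input passed through validation

def list_tmp():
    os.system("ls /tmp")             # line 13: constant command, no external input
'''

if __name__ == "__main__":
    print("pattern check flags lines:   ", pattern_findings(SAMPLE))     # [6, 10, 13]
    print("contextual check flags lines:", contextual_findings(SAMPLE))  # [6]
```

Lines 10 and 13 are the false positives the post refers to: the pattern check cannot tell a validated or constant argument from an unvalidated one, whereas following the data through the function can. Real tools track taint across calls, branches and files, but the principle is the same.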
 
Data Protection

Most solutions that identify these vulnerabilities can be further customised to prioritise the security violations that matter most to your specific organisation. The OWASP Top 10 and the CWE Top 25 Most Dangerous Software Errors are the natural starting points for that prioritisation. The Consortium for IT Software Quality (CISQ) combines the two into the CISQ Top 22 most critical weaknesses, all of which can be found through contextual software analysis.

These lists of known security vulnerabilities are invaluable to development teams as they build robust and secure enterprise applications. But security weaknesses go beyond apps developed in-house. In fact, CAST recently published the Software Intelligence Report on Open Source Software to examine how Software Intelligence can be used to find security vulnerabilities in frequently used OSS projects.

Application Blueprint

Understanding your organisation’s software fully may never be achievable, but understanding it as far as you can will enable you to build and secure better software. CAST’s unique blueprinting capabilities can help dev teams gain unprecedented visibility into the design and functionality of mission-critical software. And as we like to say, a picture is worth a thousand words!


To download a complimentary copy of the Software Intelligence Report on OSS, please click here.

Richard Symmonds, Technical Director
Richard is a proven technologist with more than 20 years of experience in the field. He specializes in the optimization of software development lifecycles using waterfall and agile (Scrum and Kanban). He has managed global development teams of more than 100 individuals and is experienced with offshore, near shore and insourcing.