4 Key Elements for Proactive Application Security
We most often hear of the security breaches due to cross site scripting and SQL injection attacks, after the related vulnerabilities have been successfully exploited. But what could we do to prevent such attacks occurring in the first place?
Fri, January 03, 2014
CSO — We most often hear of the security breaches due to cross site scripting and SQL injection attacks, after the related vulnerabilities have been successfully exploited. But what could we do to prevent such attacks occurring in the first place?
A comprehensive security program and team will not only provide reactive measure to incidents and exploits, but also actively work with the in-house information systems teams to build in a proactive software security posture. An effective application security program to proactively build secure code for information systems and software, relies most often on 2 types of automated security testing: static security scan testing and dynamic security scan testing.
A static scan is typically run during the code development cycle where the static code is scanned and through threat modeling and analysis, security flaws are uncovered. A dynamic scan is a scan of the actual code in a working environment and finds vulnerabilities while the code is "in motion" or working, hence the term dynamic. There is also a third type of test called a manual penetration test which involves human interaction through white hat analysis. An effective application security program leverages all three type of security scan testing, with static security and Dynamic security scanning deeply embedded as part of the application development lifecycle and manual penetration testing used sparingly and where needed.
An effective automated code scanning strategy must be as seamless as possible to the IT Development team. The key success factor to an effective automated security program is to require the least amount of additional work from the IT development teams. There is an inverse relationship to the in-cycle work and the success of the proactive security program. The more out of cycle work required the less the adoption and the success rate of the security code scanning program. Code scanning that is out of cycle to the IT application development process will always take time away from the development schedule and will be seen as an additional and unwelcome task. There is an extra effort required to schedule and track the process and maintain status.
The main obstacles for successful adoption of a security code scanning program are:
Manual scan effort
Code scanning that requires manual effort to upload the code, whether by API or through web portal, requires additional development time and effort. In some cases, special compile instructions are required and a special build needed for the scan to work.
Code scanning that is out of cycle of the development process needs a process to be established for timelines to scan and duration before rescan. Dedicated resources need to manage the program to ensure that reminders are set and scans are completed on due dates.