4 key elements for proactive application security

We most often hear of the security breaches due to cross site scripting and SQL injection attacks, after the related vulnerabilities have been successfully exploited. But what could we do to prevent such attacks occurring in the first place?

A comprehensive security program and team will not only provide reactive measure to incidents and exploits, but also actively work with the in-house information systems teams to build in a proactive software security posture. An effective application security program to proactively build secure code for information systems and software, relies most often on 2 types of automated security testing: static security scan testing and dynamic security scan testing.

A static scan is typically run during the code development cycle where the static code is scanned and through threat modeling and analysis, security flaws are uncovered. A dynamic scan is a scan of the actual code in a working environment and finds vulnerabilities while the code is "in motion" or working, hence the term dynamic. There is also a third type of test called a manual penetration test which involves human interaction through white hat analysis. An effective application security program leverages all three type of security scan testing, with static security and Dynamic security scanning deeply embedded as part of the application development lifecycle and manual penetration testing used sparingly and where needed.

An effective automated code scanning strategy must be as seamless as possible to the IT Development team. The key success factor to an effective automated security program is to require the least amount of additional work from the IT development teams. There is an inverse relationship to the in-cycle work and the success of the proactive security program. The more out of cycle work required the less the adoption and the success rate of the security code scanning program. Code scanning that is out of cycle to the IT application development process will always take time away from the development schedule and will be seen as an additional and unwelcome task. There is an extra effort required to schedule and track the process and maintain status.

The main obstacles for successful adoption of a security code scanning program are:

Manual scan effort

Code scanning that requires manual effort to upload the code, whether by API or through web portal, requires additional development time and effort. In some cases, special compile instructions are required and a special build needed for the scan to work.

Manual process

Code scanning that is out of cycle of the development process needs a process to be established for timelines to scan and duration before rescan. Dedicated resources need to manage the program to ensure that reminders are set and scans are completed on due dates.

Code coverage

An old adage in testing is that you cannot test what you don't know. Out of cycle testing that requires a developer to upload code is also dependent on the developer to upload the correct code for static code scanning. Verification that all the libraries and dependent code is uploaded is a near impossible task for the security team maintaining the program. A single file could be uploaded for static scanning and the resultant product scan would show as passed for that product on a dashboard, unless someone manually verified the file uploaded. For a large IS program this is very time consuming process to verify across hundreds of security scans An effective application static and dynamic code scanning program has four key elements:

On premise

Continuously scanning

Tightly integrated with the development build cycle

Tightly integrated with the defect tracking system

1. On premise

A scanning program that is on premise and linked to the source control system now removes the dependency for a developer to take the time to find the code, do special compiles and upload the code. Instead, the right location of the code is selected in the source control tree and regular scanning is setup for all the child files. An on premise Dynamic scanning solution also makes it easier for dynamic scanning since no firewall rule changes are required for external tools from the scan test provider to access the test website.

2. Continuous scanning

On premise systems can be setup for continuous scanning which will not require manual intervention to upload the code. On premise systems can also be configured to scan continuously or periodically and because of the on premise setup, can scan far more frequently that a manually uploaded, manually configured scan.

3. Tightly integrated with the development build cycle

A scanning program tightly integrated with the source control and build system allows for code scanning to leverage many source control and build system features. For example advanced development teams using continuous build integration from their source control, can configure the build system to pass certain test gates before a developer's build can be integrated or checked in to the main code base. Code security scanning tests can be setup to be one of these test gates much like Performance tests or unit tests.

4. Tightly integrated with the defect tracking system

Most modern source control and build systems are also tightly integrated with the defect tracking system such that a software defect can be tied to a particular version of code checked in which in turn can be tied to a particular system build. A code scanning program that can automatically create defects within the existing defect management system will allow for less out of cycle time and will seamlessly integrate and absorb security defects into the team defect backlog.

Effective proactive security requires code scanning to be as unobtrusive into the application development cycle as possible. The more the security scan can work like an existing development process, the better the chance of successful adoption and continuous use by the development teams.

George Viegas, CISSP, CISA is Director of Information Security at a leading multinational information and media company based in Los Angeles.

Join the CSO newsletter!

Error: Please check your email address.

Tags security

Show Comments

Featured Whitepapers

Editor's Recommendations

Solution Centres

Stories by George Viegas

Latest Videos

  • 150x50

    CSO Webinar: Will your data protection strategy be enough when disaster strikes?

    Speakers: - Paul O’Connor, Engagement leader - Performance Audit Group, Victorian Auditor-General’s Office (VAGO) - Nigel Phair, Managing Director, Centre for Internet Safety - Joshua Stenhouse, Technical Evangelist, Zerto - Anthony Caruana, CSO MC & Moderator

    Play Video

  • 150x50

    CSO Webinar: The Human Factor - Your people are your biggest security weakness

    ​Speakers: David Lacey, Researcher and former CISO Royal Mail David Turner - Global Risk Management Expert Mark Guntrip - Group Manager, Email Protection, Proofpoint

    Play Video

  • 150x50

    CSO Webinar: Current ransomware defences are failing – but machine learning can drive a more proactive solution

    Speakers • Ty Miller, Director, Threat Intelligence • Mark Gregory, Leader, Network Engineering Research Group, RMIT • Jeff Lanza, Retired FBI Agent (USA) • Andy Solterbeck, VP Asia Pacific, Cylance • David Braue, CSO MC/Moderator What to expect: ​Hear from industry experts on the local and global ransomware threat landscape. Explore a new approach to dealing with ransomware using machine-learning techniques and by thinking about the problem in a fundamentally different way. Apply techniques for gathering insight into ransomware behaviour and find out what elements must go into a truly effective ransomware defence. Get a first-hand look at how ransomware actually works in practice, and how machine-learning techniques can pick up on its activities long before your employees do.

    Play Video

  • 150x50

    CSO Webinar: Get real about metadata to avoid a false sense of security

    Speakers: • Anthony Caruana – CSO MC and moderator • Ian Farquhar, Worldwide Virtual Security Team Lead, Gigamon • John Lindsay, Former CTO, iiNet • Skeeve Stevens, Futurist, Future Sumo • David Vaile - Vice chair of APF, Co-Convenor of the Cyberspace Law And Policy Community, UNSW Law Faculty This webinar covers: - A 101 on metadata - what it is and how to use it - Insight into a typical attack, what happens and what we would find when looking into the metadata - How to collect metadata, use this to detect attacks and get greater insight into how you can use this to protect your organisation - Learn how much raw data and metadata to retain and how long for - Get a reality check on how you're using your metadata and if this is enough to secure your organisation

    Play Video

  • 150x50

    CSO Webinar: How banking trojans work and how you can stop them

    CSO Webinar: How banking trojans work and how you can stop them Featuring: • John Baird, Director of Global Technology Production, Deutsche Bank • Samantha Macleod, GM Cyber Security, ME Bank • Sherrod DeGrippo, Director of Emerging Threats, Proofpoint (USA)

    Play Video

More videos

Blog Posts

Market Place