Joseph Feiman, an analyst at the Gartner Group, the market research firm, says a service to test binary code is a breakthrough...

–Sunday New York Times, 2007

Best Practices for Securing Your SDLC

Organizations developing software must strike a difficult balance between adding functionality, meeting time-to-market deadlines and security testing. With high-profile attacks now occurring at the application level and brands at risk, organizations are increasingly realizing that security testing has to be an integral part of the software development lifecycle.

A Fundamentally Better Way for Securing Your SDLC

Veracode’s automated, on-demand application security testing service is based on four core principles that provide a fundamentally better and easier way to solve the application security testing challenge:

1. Outsource Application Security Testing to Reduce Burdens on Developers

Developers and QA personnel are easily overwhelmed by learning multiple testing tools, installing new versions and wading through hundreds of pages of unfiltered results. Using an outsourced application security testing service such as Veracode lets developers focus on coding functionality and fixing critical vulnerabilities, which significantly improves their productivity. Gartner predicts that by 2010, 50% of leading organizations will use some form of external service provider for application security scanning services.

2. Implement Proper Separation of Duties and Avoid the “Fox Guarding the Henhouse” Syndrome

Compliance regulations, the risk of malicious insider activity and the demands of external customers all call for independent verification and validation of software development activities to ensure the security of your applications. Leveraging an outsourced security testing vendor such as Veracode provides that separation of duties: an independent verification of your application's security, reported against industry-standard security ratings.

3. Utilize Multiple Testing Techniques for Full Flaw Coverage

Common testing techniques include static application security testing (white-box analysis) and dynamic application security testing (black-box analysis). Leading analysts, including Gartner and The Burton Group, recommend using both techniques, especially for higher-assurance applications, because each finds classes of flaws that the other misses; neither alone discovers every vulnerability. Leveraging Veracode as your single vendor for both techniques provides a common user experience, results that correlate findings across techniques, and coverage of all application types in your SDLC.

4. Test 100% of Your Code - Including 3rd Party and Open Source Applications, Components & Libraries

The security of any application is only as good as its weakest link, which is often found in software dependencies such as bundled 3rd party or open source applications, components or libraries. Traditional tools focus on security testing of source code early in the SDLC, before 3rd party components are integrated into the build, which gives a limited and incomplete view of the application's security. In addition, 3rd party libraries, components and the deliverables of off-shore development are often not available as source code at all. Organizations should take a holistic approach by testing the entire application supply chain, comprised of both internally and externally developed code. This is most easily achieved with static binary and dynamic testing techniques that do not require source code, applied as the final security check before release or shipping.
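The gap described above, between what the source tree declares and what the release build actually ships, can be made visible with a simple inventory of the built artifact. The following is an added example written for this page, not Veracode's own tooling: it constructs a stand-in release archive in memory (a zip standing in for a WAR/JAR, with placeholder bytes for every file), hashes each bundled library, and lists the components that the source-level dependency list never mentioned. The component names, the declared-dependency set and the archive contents are all constructed for illustration.

```python
"""Inventory the components bundled in a built artifact and compare them with
the dependencies the source tree declares.

Added example for this page; not Veracode's tooling. The artifact, the
declared dependency list and the component names are all constructed here.
"""
from __future__ import annotations

import hashlib
import io
import zipfile


def build_sample_artifact() -> bytes:
    """Construct a stand-in for a release build: a zip (think WAR/JAR) carrying
    the team's own classes plus third-party jars the build pulled in.
    Every payload below is a fake placeholder, not real bytecode."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("WEB-INF/classes/com/example/App.class", b"\xca\xfe\xba\xbe in-house")
        z.writestr("WEB-INF/lib/declared-lib-1.2.jar", b"listed in the build file")
        # Transitive dependency: resolved by the build tool, never named in source.
        z.writestr("WEB-INF/lib/transitive-util-0.9.jar", b"pulled in transitively")
        # Third-party deliverable handed over as a binary only; no source exists.
        z.writestr("WEB-INF/lib/offshore-module-3.0.jar", b"no source available")
    return buf.getvalue()


# What the source tree's build file lists (constructed for the example).
DECLARED_DEPENDENCIES = {"declared-lib-1.2.jar"}

# Extensions treated as bundled libraries (jars, Windows DLLs, shared objects).
LIBRARY_SUFFIXES = (".jar", ".dll", ".so")


def inventory(artifact: bytes) -> dict[str, str]:
    """Return {component name: sha256 of the shipped bytes} for every bundled
    library in the artifact. Hashing what is actually in the build is what a
    binary-level check keys on; a source scan never sees these bytes."""
    found: dict[str, str] = {}
    with zipfile.ZipFile(io.BytesIO(artifact)) as z:
        for info in z.infolist():
            if info.filename.endswith(LIBRARY_SUFFIXES):
                name = info.filename.rsplit("/", 1)[-1]
                found[name] = hashlib.sha256(z.read(info)).hexdigest()
    return found


def undeclared_components(artifact: bytes, declared: set[str]) -> list[str]:
    """Components present in the shipped binary that the source-level
    dependency list never mentions: the blind spot of a source-only scan."""
    return sorted(set(inventory(artifact)) - declared)


if __name__ == "__main__":
    artifact = build_sample_artifact()
    for name, digest in sorted(inventory(artifact).items()):
        print(f"{digest[:16]}...  {name}")
    print("Not declared in source:", undeclared_components(artifact, DECLARED_DEPENDENCIES))
```

Run against a real build, the inventory is the list of components a source-only scan never examined, and the hashes are what you would submit to a binary-level test or match against a component database; in practice the artifact would also be walked recursively, since bundled jars can themselves bundle further jars.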