Best Practices Around Integrating Security Into the SDLC

Secure coding is a challenge that every software company in the world faces. Even the largest companies that attract the best developers in the world (read: Google, Facebook) have had instances of vulnerabilities in their code ranging from XSS to SQL injection to backdoors. The software industry is the world's largest manufacturing industry ($400B) with NO notion of security quality! Before we jump further into the topic, let's take a look at why insecure code exists in the first place.

Why Insecure Code Gets Written

There are a few reasons why insecure code exists in the first place, and it's not an issue easily solved. One of these is schedule pressure: any developer can understand the pressure of deadlines and of management pushing to have software out before it is properly checked for vulnerabilities. Developer education is another variable that is inconsistent and difficult to control. There is no standardized certification that spares a company from having to deal with the varied coding backgrounds each developer brings to the table. This ties directly in with the ever-evolving landscape of internet software, which constantly introduces new vulnerabilities and changing threats. Every innovation in software brings a new set of potential vulnerabilities that have to be accounted for, checked and assessed across a variety of platforms. Secure coding is an extensive process, but a necessary one to safeguard your software for the future.

Traditional Approaches to Secure Coding

There are four common approaches to securing code, and each comes with benefits and drawbacks. Let's summarize each quickly:

1: Security Consultants

Hiring independent security consultants typically gives the highest quality results (dependent, naturally, on the quality of the consultants themselves). However, security consultants are very expensive compared to the other options, and they are also in short supply, which leads to longer turnaround times that are often very detrimental to development life cycles.

2: Developers

In-house developers are a natural solution to the secure coding issue, but they're often not provided with the "contextual" security training required to address the specific vulnerabilities their code may be exposed to. There is also the issue of priorities within the company, where other tasks may take the time that should be devoted to code analysis.

3: SDLC Processes

Implementing secure coding processes directly into your business's SDLC is perhaps the ideal solution, yet also the most difficult. Such processes can take years to fine-tune properly and as a result have an extremely low adoption rate; less than 1% of US companies are CMMI Level 5 certified. So what is the best option for integrating security into your company's SDLC? Veracode offers a key innovation in code-level binary assessments. What does this mean? Read on to learn more.

4: Code Level Binary Assessments

Binaries are the attack surface for hackers. They are the computer-executed code that is exposed across the internet to anyone interested in accessing your programs: the final product, so to say. A binary is the result of the code you write, any third-party software you integrate, and the open source, outsourced and crowd-sourced code that goes into your application. The benefits of binary assessments are numerous. Because the binary contains everything that ships, an assessment covers the supply chain security risks in that third-party and open source code as well as your own, and because the scanned artifact is the executable rather than the source, there's no risk of compromising your intellectual property. The information from binaries also provides key linkages to traditional perimeter defense solutions, since backdoors and malicious code typically live in binaries. Binary assessment is the singular innovation required to leverage the Cloud to create a highly scalable managed testing service.

"Only one vendor, Veracode, has an offering that can perform a true binary analysis." - Gartner

Cloud-Based Platform-As-A-Service

Veracode delivers a cloud-based application security testing platform. Veracode customers upload their applications to Veracode's cloud-based platform. The Veracode Platform runs various security scans against the uploaded application. Veracode then provides a report that allows developers to fix the flaws found in the application code.

About Neil DuPaul

Neil manages the blog pipeline at Veracode, often by fending off eager contributors with a stick. He manages much of the Veracode web presence while also motivating the more introspective Veracoders to be social. Lover of sports and outdoors, and a SERP enthusiast, hit him up on Twitter here.

Comments (2)

Dave | June 25, 2013 4:02 pm

Can the Veracode API also scan non-binary code? This would be an even earlier scan in the SDLC ... saves time and money to learn of problems as early as possible.

Please advise.


ndupaul | June 26, 2013 12:51 pm

Dave - Yes we can, though there are some dependencies on the language and platform you're using. See our full list of supported languages/platforms here:

Please feel free to reach out if we can answer any more questions.
