In my last blog post, I elaborated on how development teams can embed security into an actual agile sprint. My recommendations centered on keeping developers working efficiently within their toolchain in order for them to complete stories within the sprint. Now I want to talk to you about comprehensive security testing.
Using multiple assessment techniques ensures better coverage and accuracy. Binary static analysis (SAST) analyzes the application’s data and control paths without executing the application. This is the one that we use internally prior to every check-in and on an automated schedule to provide quick and actionable results, and it fits every stage of the development cycle. Once you have a functionally complete application or release candidate, it’s time to broaden the scope of testing. Dynamic application security testing (DAST) identifies exploitable vulnerabilities at run time in web applications that are in pre-production staging (or already public-facing). Manual penetration testing examines applications for vulnerabilities that require human inspection — such as Cross-Site Request Forgery (CSRF) or business logic flaws. Behavioral analysis enables mobile developers to identify risky application behaviors that can put confidential data at risk.
Dark Reading recently reported on the growing use of third-party and open source components, which can make up as much as 90 percent of a given application. Software composition analysis (SCA) identifies known vulnerabilities in the open source components and frameworks that teams pull in to speed up development. In fact, Veracode's software composition analysis service recently determined that external components embed an average of 24 known vulnerabilities into every web application.
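To make the SCA step concrete, here is an added example (not Veracode's service or any product code) of the core check such a tool performs: matching each pinned component version in a dependency manifest against an advisory feed of vulnerable version ranges. The manifest, the component names and the advisory identifiers are all constructed placeholders; a real tool would pull advisories from a live feed.

```python
"""Minimal software composition analysis (SCA) check (added example).

Given a requirements-style manifest and an advisory list, report every
component whose pinned version falls inside a vulnerable range
(introduced <= version < fixed). Components, versions and advisory ids
below are constructed placeholders so the script runs offline.
"""
from typing import Dict, List, Tuple

Version = Tuple[int, ...]

def parse_version(text: str) -> Version:
    """'1.2.10' -> (1, 2, 10); tuple comparison keeps 1.2.10 > 1.2.9."""
    return tuple(int(part) for part in text.strip().split("."))

def parse_manifest(manifest: str) -> Dict[str, Version]:
    """Parse 'name==version' lines; blank lines and '#' comments are skipped."""
    deps: Dict[str, Version] = {}
    for line in manifest.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        name, _, version = line.partition("==")
        deps[name.strip().lower()] = parse_version(version)
    return deps

# Constructed advisory feed: (component, first vulnerable, first fixed, id).
ADVISORIES: List[Tuple[str, str, str, str]] = [
    ("examplelib", "1.0.0", "1.2.10", "ADV-PLACEHOLDER-1"),
    ("examplelib", "1.1.0", "1.1.4", "ADV-PLACEHOLDER-2"),
    ("webframework", "2.0.0", "2.3.1", "ADV-PLACEHOLDER-3"),
    ("jsonparser", "0.9.0", "1.0.0", "ADV-PLACEHOLDER-4"),
]

def find_known_vulnerabilities(manifest: str) -> Dict[str, List[str]]:
    """Map each affected component to the advisory ids covering its pinned version."""
    deps = parse_manifest(manifest)
    findings: Dict[str, List[str]] = {}
    for name, introduced, fixed, adv_id in ADVISORIES:
        version = deps.get(name)
        # The fixed version itself is not affected (half-open range).
        if version is not None and parse_version(introduced) <= version < parse_version(fixed):
            findings.setdefault(name, []).append(adv_id)
    return findings

# Constructed manifest for a hypothetical web application.
SAMPLE_MANIFEST = """
examplelib==1.2.3      # inside ADV-1's range, past ADV-2's fix in 1.1.4
webframework==2.3.1    # exactly the fixed version: not affected
jsonparser==0.9.5
"""

if __name__ == "__main__":
    for component, ids in sorted(find_known_vulnerabilities(SAMPLE_MANIFEST).items()):
        print(f"{component}: {', '.join(ids)}")
```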
This highlights the reality that external components aren't designed for use in a specific industry or to meet any particular compliance standard, so they don't undergo the same rigorous testing as in-house applications. For the growing number of developers who rely on third-party and open source components to build and ship software quickly, the security trade-off is even more pronounced. The appropriate combination of techniques — ideally in a single platform with consistent policies, metrics and reporting — gives enterprises the broadest view of application security.
Stay tuned for my next post on taking agile development to the next level through automation. In the meantime, I’d love to hear any thoughts you can share regarding the various security assessment techniques you’ve leveraged.
- Google Hangout Recording: Building Security into the Agile SDLC: Two Sides to the Coin
- SANS Survey on Application Security Programs and Practices
- Webinar: Building Security Into the Agile SDLC: View from the Trenches