Skip to main content
March 13, 2015

Use multiple techniques for security assessments

In my last blog post, I elaborated on how development teams can embed security into an actual agile sprint. My recommendations centered on keeping developers working efficiently within their toolchain in order for them to complete stories within the sprint. Now I want to talk to you about comprehensive security testing.

Using multiple assessment techniques ensures better coverage and accuracy. Binary static analysis can analyze the application’s data and control paths without executing the application. This is the one that we use internally prior to every check-in and on an automated schedule to provide quick and actionable results. It works well for all parts of your development cycle. Once you have a functionally complete application or release candidate, it’s time to broaden the scope of testing. Dynamic analysis (DAST) identifies exploitable vulnerabilities, at run time, in web applications that are in pre-production staging (or public-facing). Manual penetration testing examines applications for specific vulnerabilities that require manual inspection — such as Cross-Site Request Forgery (CSRF) or business logic issues. Behavioral analysis enables mobile developers to identify risky application behaviors that can put confidential data at risk.

Dark Reading recently reported the growing trend in usage of third-party and open source components which can comprise up to 90 percent of a given application.  Software composition analysis is used to identify vulnerabilities in open source components and frameworks that are often leveraged to speed up the development process. In fact, Veracode's software composition analysis service recently determined that external components embed an average of 24 known vulnerabilities into every web application. 

This highlights the reality that external components aren't designed for use in a specific industry or to meet any particular compliance standard, meaning they don't undergo the same kind of rigorous testing as in-house apps. For the increasing number of developers who rely on third-party and open source components to quickly build and ship software, the reality of sacrificing security becomes even more evident. The appropriate combination of techniques — ideally in a single platform with consistent policies, metrics and reporting — gives enterprises the broadest view of application security.

Stay tuned for my next post on taking agile development to the next level through automation. In the meantime, I’d love to hear any thoughts you can share with regards to various security assessment techniques you’ve leveraged.

Related Content

More PETETalks

Think Like a Developer

Find it Early, Fix it Early

Related Content

As Director of Developer Engagement, Pete provides customers with practical advice on how to successfully roll out developer-centric application security programs. Relying on more than 10 years of direct AppSec experience as both a developer and development leader, Pete provides information on best practices amassed from working with Veracode’s 1,000+ customers.

Pete joined Veracode in 2006 as a platform developer and was instrumental in delivering the first version of Veracode’s service to customers. Later, as Director of Platform Engineering, Pete managed the Agile teams responsible for delivering Veracode’s SaaS platform and built the first DevOps team.  Pete also spearheaded Veracode’s initiative to automate the use of Veracode products into the company’s development processes. Using this experience, he has spoken with hundreds of Veracode customers to help them set up similar programs.

Pete has more than 25 years’ experience developing software and has been developing web applications since 1996, including one of the first applications to be delivered through a web interface. 

Love to learn about Application Security?

Get all the latest news, tips and articles delivered right to your inbox.