Welcome to another round of Agile SDLC Q&A. Last week Ryan and I took some time to answer questions from our webinar, “Building Security Into the Agile SDLC: View from the Trenches“; in case you missed it, you can see Part I here. Now on to more of your questions! Q. What would you recommend […]
Recently, Ryan O’Boyle and I hosted the webinar “Building Security Into the Agile SDLC: View From the Trenches”. We would like to take a minute to thank all those who attended the live broadcast for submitting questions. There were so many questions from our open discussion following the webinar that we wanted to take the […]
I’ve always liked code reviews. Can I make others like them too? I’ve understood the benefit of code reviews, and enjoyed them, for almost as long as I’ve been developing software. It’s not just the excuse to attack others (although that can be fun), but the learning—looking at solutions other people come up with, hearing […]
A large-scale deployment of the Veracode static code analysis tool across a large enterprise presents a number of unique challenges such as understanding your application estate, prioritising your applications for scanning, and communicating with your application owners. This blog post provides some guidance based on my experience at delivering several hundred scanned applications in a 14-month time frame.
So you’ve got upper management buy-in for your application security proof of concept and are ready to start scanning applications: how do you make sure your proof of concept (PoC) is a success and that you demonstrate the need to progress to a full scale program. This article describes some of the lessons learned at the start of our large-scale deployment of Veracode within our organisation.
The first step is to socialise the PoC internally through word of mouth, discussion forums, and developer communities by driving interest in the availability of a new tool for developers, which will assist in the development process and produce better code.
With reports of website vulnerabilities and data breaches regularly featuring in the news, securing the software development life cycle (SDLC) has never been so important. The enterprise must, therefore, choose carefully the correct security techniques to implement. Static and dynamic analyses are two of the most popular types of security test. Before implementation however, the security-conscious enterprise should examine precisely how both types of test can help to secure the SDLC. Testing, after all, can be considered an investment that should be carefully monitored.
As information security professionals, we must pursue any opportunity to evolve our approach to Application Security. Most enterprises with in-house development teams do some kind of ad hoc AppSec testing, usually during the QA process. But maybe you think it’s time to do more than that, to get a bit more proactive in confronting the potential threats the organization faces from weak software security. Luckily there is a proven AppSec Program Maturity Curve that can help mature your existing effort, following a well-traveled road to overcoming common challenges along the way. Here’s the really good news: it’s easy to climb a few levels of the curve over a matter of months, not years.
At On-Line Strategies [OLS], many of the tools we use in our Software Development Lifecycle (SDLC) have helpful APIs, including Veracode. We leverage them to automate tasks that were once performed manually by developers or technical managers, such as running a Veracode static scan on a pending release.
Today, our Veracode static scans run alongside automated regression tests for every public release, to ensure we catch security flaws that may have slipped by our developers.
In the last year or so that I’ve been a member of Veracode’s Customer Success team, I’ve found that I have been hearing the same remarks from an array of organizations- “We must implement Secure Coding practices in order to retain a positive brand image, but we’re up against very strict deadlines and need to get our code out fast!” As we work with Security and Development teams alike, this statement starts a discussion which typically unravels until we get to a question that is asked again and again…
A developer’s main goal usually doesn’t include creating flawless, intrusion proof applications. In fact the goal is usually to create a working program as quickly as possible. Programmers aren’t security experts, and perhaps they shouldn’t be. But when 70% of applications failing to company with enterprise security standards (data from Veracode SoSS vol 5), it is clear more attention needs to be given to secure programming techniques.