SlideShare a Scribd company logo

10 Steps To Secure Agile Development

Checkmarx
Checkmarx

In Agile’s fast-paced environment with frequent releases, security reviews and testing can sound like an impediment to success. How can you keep up with Agile development's demands of continuous integration and deployment without abandoning security best practices? These 10 steps will help you get the best of both worlds.

Technology
1 of 5
Download to read offline
Source Code Analysis Made Easy The AppSec How-To: 10 Steps to Secure Agile Development 10 Steps In Agile’s fast-paced environment and frequent releases, security reviews and testing sound like an impediment to success. How can you keep up with Agile demands of continuous integration and continuous deployment without abandoning security best practices? Companies have found the following ten practices helpful to achieve a holistic secure Software Development Life Cycle (SDLC) process in an Agile SaaS world. The approaches taken by these companies follow a basic philosophy: keeping security as simple as possible and remove any unnecessary load from the development team. 1 Be part of the process Security requirements should be considered as additional development checkpoints. Each benchmark needs to be achieved before proceeding to the next stage of an Agile process. For each step in Agile, associate a security milestone that needs to be achieved. Start already at the post-release planning to perform a security high-level design. This includes the following aspects: - Security in code development. For example, inspect the planned application in terms of which APIs are going to be used. - Security in technologies. Identify technologies that are going to be used. For example, if system testing is performed within a Maven process, security tests should be integrated within this system. - Security in features. For example, forecast any problems associated with regulations. Say, when tracking cookies are used within a product delivered to the UK then prepare compliance to UK privacy regulations. 2 Enforce your policy by using a security package API in each product There are two aspects to this stage: a. Use a security package such as OWASP’s Enterprise Security API (ESAPI). ESAPI is a toolkit which enables the developers to easily consume various utilities. The toolkit provides a variety of out-of-the box utilities such as validators, encoders, encryptors, and randomizers. By using ESAPI, developers do not need to investigate the best security practices and spend time researching correct implementation methods. 1 www.checkmarx.com
Source Code Analysis Made Easy Consider hashing, as an example. Instead of relying on the developer to add a hash salt, the salt can already be implemented as part of the ESAPI configuration. The developer, in turn, is left simply to consume the provided API. Particular emphasis should be made on validators because these prevent the most common Web application vulnerabilities, such as SQLi and XSS. Each organization needs to evaluate where to integrate the validators. Some businesses may decide to apply validators on the controller level (e.g. on the Apache layer or within the Tomcat filter). Other companies prefer to integrate validators within the development code to test each input. While each company needs to decide the right strategy for them, we have found that many companies choose to validate each input within their code. This decision is based on two main reasons: • All the regular expressions that are written to validate the input can be constructed as simple as possible in order to avoid any type of performance issue. These regular expressions are actually more similar to a business-oriented validation. • In case a problem arises- or a specific validator needs to be changed- only the specific input needs to be changed. On the other hand, a higher level validator requires a whole QA process to verify the entire system. One organization we worked with took code-level validation one step further. The particular organization implemented a validator that does not return the traditional true/ false boolean values, but rather returns null if the input is invalid. In this manner, the security team was able to prevent developers from mistakenly using that same value later on in the code. b. Validate that the developers are using the right API. For each input, ensure that the developer uses the right validator as provided by the security team. This entails failure of the security test in case the developer chooses not to use the API. Enforcement can be achieved through source code analysis that is customized to the security team’s requirement. 3 Integrate Source Code Analysis (SCA) within the native process of code management Enforcing the security policy means that the developers cannot proceed with the build process if the checked in code does not comply with policy. To keep up with the fast-paced development environment, the developers must be able to consume the policy without a long training period. The way to address this challenge is by integrating SCA within the different stages of the development process. Particular aspects to pay attention to are: - Integrating the SCA within the build automation tool (such as Maven). Organizations typically run the SCA in two modes. The first is running the scan as incremental tests each time the developer performs a commit. In this way, only the change between the last scan and the current scan is checked. The second is running a full security scan within a full-system test, say during the nightly build. If the build fails, the developer has to fix the flaw before continuing with the development. - Presenting SCA findings within the build management and Continuous Integration server (such as within TeamCity). In case of an SCA alert, it’s more efficient for the developer to click on the finding and dynamically identify the specific vulnerability. 2 www.checkmarx.com
Source Code Analysis Made Easy - Enhancing the SCA with a knowledge base for the developer. Similarly to a developer fixing a compilation error, the developer needs to know how to fix the faulty code. For this, the SCA tool should also contain a knowledge base which describes the risk and the proper remediation advice. 4 Break the build for any “high” or “medium” findings Do not compromise security by releasing a product that contains any high or medium findings. This requires eliminating the flaw already at the build process. Meaning, if the developer checks in a few high security bugs, the build will break. Unless the vulnerabilities are fixed, the developer fails to build a package. 5 Use automation to collaborate with the security dynamic test Dynamic testing within the product can be implemented through positive and negative unit tests. - Use positive testing to validate the input. For instance, a positive test validating input in the form of an email address will test that the characters “@” and “.” appear, but no other special characters. - Complement the positive test through a negative test. The negative test should “pick up” all input that does not conform to the positive test. Using the above scenario, an email address embedding a SQL Injection will be caught by the negative test. Essentially, the complementary negative test acts as the dynamic test. 6 Run a penetration test Engage both professional and your customers as penetration testers: - Perform a penetration testing of the final product by an external vendor. This includes an automated or manual test of the product once it’s released in its Alpha stage. - Allow customers to run a penetration test and work as a community to succeed. The organization must perform all the necessary steps in order to release a secure product. That said, many customers are themselves subjected to regulation which requires running penetration testing on third-party products. The benefit to you? Gaining customer confidence. This is particularly important when talking about Software-as-a-Service (SaaS) products whose success is based on the trust that customers put on their providers. 3 www.checkmarx.com
Source Code Analysis Made Easy 7 Engage technology leaders as security champions by showing them the value Even with large security teams, it is obvious that developers outnumber the security team. To extend security’s outreach, engage with the technology leaders and place them as the security champions. Gaining such cooperation with R&D guarantees that also when security is not physically present, security does come up in each and every scrum meeting. 8 Train developers on a regular basis The point here is not necessarily to establish a formal training process where developers are sent to a Web application security course. There are other means for training, such as: - Providing developers with the security knowledge Enhancing the SCA with the knowledge base of a specific vulnerability, as recommended in one of the practices above, is part of this kind of training. By helping developers understand the risk and its mitigation, security awareness increases whereas developers start viewing security and code differently. - Being accessible to developers. Once security becomes an ingrained process, Q&A from the developers begin to pile up at the security team’s desk. The security team should have an open door policy to address all the developers’ concerns. 9 Provide a collaboration platform for security discussions This practice goes hand in hand with the previous practice on training developers. The point here is to not only accumulate or disseminate information related to security practices. This practice focuses on establishing a security collaboration platform with the intent of sharing information and raising discussions surrounding security issues. 10 Start small but think big Many of these practices, especially the practice of breaking the build for any “high” or “medium” finding, requires the management and superiors support. We recognize that gaining this type of trust is not an easy goal to achieve. Various companies have found the following steps helpful: - Take one small project and turn it to a success story. Listen to R&D during this process. Learn from mistakes and refine the process moving forward. - With one success story under the belt, move on to a new project. Continue refining, and learning from mistakes. Create 2-3 successful stories. - Review the security bugs that are returned by customers. Compare the number of vulnerabilities in one of these success stories with a different project that does not follow the security practices. 4 www.checkmarx.com
Source Code Analysis Made Easy Show management how these vulnerabilities interfere with the normal delivery and maintenance of the product. - Progress to the big legacy project. At first, don’t break the build for security findings in this big project. It is enough at this stage to identify the gaps, close them and create a program of how development will fix the flaws. - Fix the flaws on the legacy system only after achieving confidence. Fix the flaws on the legacy systems only after understanding how to correctly deliver the security package (such as ESAPI), how to inspect it correctly, and where to correctly apply the validation without any impact to the product. - Proceed to the big project in-making. Naturally, this is the ultimate goal and security should already be integrated within the Agile process. At this step, the validators should already be packaged and set within a single framework. 5 www.checkmarx.com

Recommended

AppsSec In a DevOps World
AppsSec In a DevOps WorldAppsSec In a DevOps World
AppsSec In a DevOps WorldParasoft
 
Shifting the conversation from active interception to proactive neutralization
Shifting the conversation from active interception to proactive neutralization Shifting the conversation from active interception to proactive neutralization
Shifting the conversation from active interception to proactive neutralization Rogue Wave Software
 
Introducing: Klocwork Insight Pro | November 2009
Introducing: Klocwork Insight Pro | November 2009Introducing: Klocwork Insight Pro | November 2009
Introducing: Klocwork Insight Pro | November 2009Klocwork
 
A Successful SAST Tool Implementation
A Successful SAST Tool ImplementationA Successful SAST Tool Implementation
A Successful SAST Tool ImplementationCheckmarx
 
Better Software East 2016: Evolving Automated to Continuous
Better Software East 2016: Evolving Automated to ContinuousBetter Software East 2016: Evolving Automated to Continuous
Better Software East 2016: Evolving Automated to ContinuousParasoft
 
10 Things You Might Not Know: Continuous Integration
10 Things You Might Not Know: Continuous Integration10 Things You Might Not Know: Continuous Integration
10 Things You Might Not Know: Continuous IntegrationCoveros, Inc.
 
Security's DevOps Transformation
Security's DevOps TransformationSecurity's DevOps Transformation
Security's DevOps TransformationMichele Chubirka
 
DevSecOps Indonesia : Pain & Pleasure of doing AppSec in DevOps
DevSecOps Indonesia : Pain & Pleasure of doing AppSec in DevOpsDevSecOps Indonesia : Pain & Pleasure of doing AppSec in DevOps
DevSecOps Indonesia : Pain & Pleasure of doing AppSec in DevOpsSuman Sourav
 

Recommended

AppsSec In a DevOps World
AppsSec In a DevOps WorldAppsSec In a DevOps World
AppsSec In a DevOps WorldParasoft
 
Shifting the conversation from active interception to proactive neutralization
Shifting the conversation from active interception to proactive neutralization Shifting the conversation from active interception to proactive neutralization
Shifting the conversation from active interception to proactive neutralization Rogue Wave Software
 
Introducing: Klocwork Insight Pro | November 2009
Introducing: Klocwork Insight Pro | November 2009Introducing: Klocwork Insight Pro | November 2009
Introducing: Klocwork Insight Pro | November 2009Klocwork
 
A Successful SAST Tool Implementation
A Successful SAST Tool ImplementationA Successful SAST Tool Implementation
A Successful SAST Tool ImplementationCheckmarx
 
Better Software East 2016: Evolving Automated to Continuous
Better Software East 2016: Evolving Automated to ContinuousBetter Software East 2016: Evolving Automated to Continuous
Better Software East 2016: Evolving Automated to ContinuousParasoft
 
10 Things You Might Not Know: Continuous Integration
10 Things You Might Not Know: Continuous Integration10 Things You Might Not Know: Continuous Integration
10 Things You Might Not Know: Continuous IntegrationCoveros, Inc.
 
Security's DevOps Transformation
Security's DevOps TransformationSecurity's DevOps Transformation
Security's DevOps TransformationMichele Chubirka
 
DevSecOps Indonesia : Pain & Pleasure of doing AppSec in DevOps
DevSecOps Indonesia : Pain & Pleasure of doing AppSec in DevOpsDevSecOps Indonesia : Pain & Pleasure of doing AppSec in DevOps
DevSecOps Indonesia : Pain & Pleasure of doing AppSec in DevOpsSuman Sourav
 
Increasing Quality with DevOps
Increasing Quality with DevOpsIncreasing Quality with DevOps
Increasing Quality with DevOpsCoveros, Inc.
 
Driving Risks Out of Embedded Automotive Software
Driving Risks Out of Embedded Automotive SoftwareDriving Risks Out of Embedded Automotive Software
Driving Risks Out of Embedded Automotive SoftwareParasoft
 
Static Application Security Testing Strategies for Automation and Continuous ...
Static Application Security Testing Strategies for Automation and Continuous ...Static Application Security Testing Strategies for Automation and Continuous ...
Static Application Security Testing Strategies for Automation and Continuous ...Kevin Fealey
 
Unit testing : what are you missing for security
Unit testing : what are you missing for securityUnit testing : what are you missing for security
Unit testing : what are you missing for securitySuman Sourav
 
DevSecOps-OWASP Indonesia Day 2017
DevSecOps-OWASP Indonesia Day 2017DevSecOps-OWASP Indonesia Day 2017
DevSecOps-OWASP Indonesia Day 2017Suman Sourav
 
Security Services and Approach by Nazar Tymoshyk
Security Services and Approach by Nazar TymoshykSecurity Services and Approach by Nazar Tymoshyk
Security Services and Approach by Nazar TymoshykSoftServe
 
What Good is this Tool? A Guide to Choosing the Right Application Security Te...
What Good is this Tool? A Guide to Choosing the Right Application Security Te...What Good is this Tool? A Guide to Choosing the Right Application Security Te...
What Good is this Tool? A Guide to Choosing the Right Application Security Te...Kevin Fealey
 
The Legend of Software Hollow: Defeating the Headless Horseman of Faulty Appl...
The Legend of Software Hollow: Defeating the Headless Horseman of Faulty Appl...The Legend of Software Hollow: Defeating the Headless Horseman of Faulty Appl...
The Legend of Software Hollow: Defeating the Headless Horseman of Faulty Appl...Parasoft
 
Security champions v1.0
Security champions v1.0Security champions v1.0
Security champions v1.0Dinis Cruz
 
A quick guide to application security testing services
A quick guide to application security testing servicesA quick guide to application security testing services
A quick guide to application security testing servicesAlisha Henderson
 
Agile and Secure Development
Agile and Secure DevelopmentAgile and Secure Development
Agile and Secure DevelopmentNazar Tymoshyk, CEH, Ph.D.
 
EuroSPI 2016 - Software Safety and Security Through Standards
EuroSPI 2016 - Software Safety and Security Through StandardsEuroSPI 2016 - Software Safety and Security Through Standards
EuroSPI 2016 - Software Safety and Security Through StandardsArthur Hicken
 
Create Agile confidence for better application security
Create Agile confidence for better application securityCreate Agile confidence for better application security
Create Agile confidence for better application securityRogue Wave Software
 
Addressing the Challenges of Mobile Test Automation
Addressing the Challenges of Mobile Test AutomationAddressing the Challenges of Mobile Test Automation
Addressing the Challenges of Mobile Test AutomationTechWell
 
Rx for FDA Software Compliance
Rx for FDA Software ComplianceRx for FDA Software Compliance
Rx for FDA Software ComplianceParasoft
 
An Essential Guide to Effective Test Automation Leveraging Open Source
An Essential Guide to Effective Test Automation Leveraging Open SourceAn Essential Guide to Effective Test Automation Leveraging Open Source
An Essential Guide to Effective Test Automation Leveraging Open SourceRapidValue
 
Create code confidence for better application security
Create code confidence for better application security Create code confidence for better application security
Create code confidence for better application security Rogue Wave Software
 
Open Source Libraries - Managing Risk in Cloud
Open Source Libraries - Managing Risk in Cloud Open Source Libraries - Managing Risk in Cloud
Open Source Libraries - Managing Risk in Cloud Suman Sourav
 
No Devops Without Continuous Testing
No Devops Without Continuous TestingNo Devops Without Continuous Testing
No Devops Without Continuous TestingParasoft
 
ABC's of Service Virtualization
ABC's of Service VirtualizationABC's of Service Virtualization
ABC's of Service VirtualizationParasoft
 
AppSec How-To: Achieving Security in DevOps
AppSec How-To: Achieving Security in DevOpsAppSec How-To: Achieving Security in DevOps
AppSec How-To: Achieving Security in DevOpsCheckmarx
 
Insider's Guide to the AppExchange Security Review (Dreamforce 2015)
Insider's Guide to the AppExchange Security Review (Dreamforce 2015)Insider's Guide to the AppExchange Security Review (Dreamforce 2015)
Insider's Guide to the AppExchange Security Review (Dreamforce 2015)Salesforce Partners
 

More Related Content

What's hot

Increasing Quality with DevOps
Increasing Quality with DevOpsIncreasing Quality with DevOps
Increasing Quality with DevOpsCoveros, Inc.
 
Driving Risks Out of Embedded Automotive Software
Driving Risks Out of Embedded Automotive SoftwareDriving Risks Out of Embedded Automotive Software
Driving Risks Out of Embedded Automotive SoftwareParasoft
 
Static Application Security Testing Strategies for Automation and Continuous ...
Static Application Security Testing Strategies for Automation and Continuous ...Static Application Security Testing Strategies for Automation and Continuous ...
Static Application Security Testing Strategies for Automation and Continuous ...Kevin Fealey
 
Unit testing : what are you missing for security
Unit testing : what are you missing for securityUnit testing : what are you missing for security
Unit testing : what are you missing for securitySuman Sourav
 
DevSecOps-OWASP Indonesia Day 2017
DevSecOps-OWASP Indonesia Day 2017DevSecOps-OWASP Indonesia Day 2017
DevSecOps-OWASP Indonesia Day 2017Suman Sourav
 
Security Services and Approach by Nazar Tymoshyk
Security Services and Approach by Nazar TymoshykSecurity Services and Approach by Nazar Tymoshyk
Security Services and Approach by Nazar TymoshykSoftServe
 
What Good is this Tool? A Guide to Choosing the Right Application Security Te...
What Good is this Tool? A Guide to Choosing the Right Application Security Te...What Good is this Tool? A Guide to Choosing the Right Application Security Te...
What Good is this Tool? A Guide to Choosing the Right Application Security Te...Kevin Fealey
 
The Legend of Software Hollow: Defeating the Headless Horseman of Faulty Appl...
The Legend of Software Hollow: Defeating the Headless Horseman of Faulty Appl...The Legend of Software Hollow: Defeating the Headless Horseman of Faulty Appl...
The Legend of Software Hollow: Defeating the Headless Horseman of Faulty Appl...Parasoft
 
Security champions v1.0
Security champions v1.0Security champions v1.0
Security champions v1.0Dinis Cruz
 
A quick guide to application security testing services
A quick guide to application security testing servicesA quick guide to application security testing services
A quick guide to application security testing servicesAlisha Henderson
 
EuroSPI 2016 - Software Safety and Security Through Standards
EuroSPI 2016 - Software Safety and Security Through StandardsEuroSPI 2016 - Software Safety and Security Through Standards
EuroSPI 2016 - Software Safety and Security Through StandardsArthur Hicken
 
Create Agile confidence for better application security
Create Agile confidence for better application securityCreate Agile confidence for better application security
Create Agile confidence for better application securityRogue Wave Software
 
Addressing the Challenges of Mobile Test Automation
Addressing the Challenges of Mobile Test AutomationAddressing the Challenges of Mobile Test Automation
Addressing the Challenges of Mobile Test AutomationTechWell
 
Rx for FDA Software Compliance
Rx for FDA Software ComplianceRx for FDA Software Compliance
Rx for FDA Software ComplianceParasoft
 
An Essential Guide to Effective Test Automation Leveraging Open Source
An Essential Guide to Effective Test Automation Leveraging Open SourceAn Essential Guide to Effective Test Automation Leveraging Open Source
An Essential Guide to Effective Test Automation Leveraging Open SourceRapidValue
 
Create code confidence for better application security
Create code confidence for better application security Create code confidence for better application security
Create code confidence for better application security Rogue Wave Software
 
Open Source Libraries - Managing Risk in Cloud
Open Source Libraries - Managing Risk in Cloud Open Source Libraries - Managing Risk in Cloud
Open Source Libraries - Managing Risk in Cloud Suman Sourav
 
No Devops Without Continuous Testing
No Devops Without Continuous TestingNo Devops Without Continuous Testing
No Devops Without Continuous TestingParasoft
 
ABC's of Service Virtualization
ABC's of Service VirtualizationABC's of Service Virtualization
ABC's of Service VirtualizationParasoft
 

What's hot (20)

Increasing Quality with DevOps
Increasing Quality with DevOpsIncreasing Quality with DevOps
Increasing Quality with DevOps
 
Driving Risks Out of Embedded Automotive Software
Driving Risks Out of Embedded Automotive SoftwareDriving Risks Out of Embedded Automotive Software
Driving Risks Out of Embedded Automotive Software
 
Static Application Security Testing Strategies for Automation and Continuous ...
Static Application Security Testing Strategies for Automation and Continuous ...Static Application Security Testing Strategies for Automation and Continuous ...
Static Application Security Testing Strategies for Automation and Continuous ...
 
Unit testing : what are you missing for security
Unit testing : what are you missing for securityUnit testing : what are you missing for security
Unit testing : what are you missing for security
 
DevSecOps-OWASP Indonesia Day 2017
DevSecOps-OWASP Indonesia Day 2017DevSecOps-OWASP Indonesia Day 2017
DevSecOps-OWASP Indonesia Day 2017
 
Security Services and Approach by Nazar Tymoshyk
Security Services and Approach by Nazar TymoshykSecurity Services and Approach by Nazar Tymoshyk
Security Services and Approach by Nazar Tymoshyk
 
What Good is this Tool? A Guide to Choosing the Right Application Security Te...
What Good is this Tool? A Guide to Choosing the Right Application Security Te...What Good is this Tool? A Guide to Choosing the Right Application Security Te...
What Good is this Tool? A Guide to Choosing the Right Application Security Te...
 
The Legend of Software Hollow: Defeating the Headless Horseman of Faulty Appl...
The Legend of Software Hollow: Defeating the Headless Horseman of Faulty Appl...The Legend of Software Hollow: Defeating the Headless Horseman of Faulty Appl...
The Legend of Software Hollow: Defeating the Headless Horseman of Faulty Appl...
 
Security champions v1.0
Security champions v1.0Security champions v1.0
Security champions v1.0
 
A quick guide to application security testing services
A quick guide to application security testing servicesA quick guide to application security testing services
A quick guide to application security testing services
 
Agile and Secure Development
Agile and Secure DevelopmentAgile and Secure Development
Agile and Secure Development
 
EuroSPI 2016 - Software Safety and Security Through Standards
EuroSPI 2016 - Software Safety and Security Through StandardsEuroSPI 2016 - Software Safety and Security Through Standards
EuroSPI 2016 - Software Safety and Security Through Standards
 
Create Agile confidence for better application security
Create Agile confidence for better application securityCreate Agile confidence for better application security
Create Agile confidence for better application security
 
Addressing the Challenges of Mobile Test Automation
Addressing the Challenges of Mobile Test AutomationAddressing the Challenges of Mobile Test Automation
Addressing the Challenges of Mobile Test Automation
 
Rx for FDA Software Compliance
Rx for FDA Software ComplianceRx for FDA Software Compliance
Rx for FDA Software Compliance
 
An Essential Guide to Effective Test Automation Leveraging Open Source
An Essential Guide to Effective Test Automation Leveraging Open SourceAn Essential Guide to Effective Test Automation Leveraging Open Source
An Essential Guide to Effective Test Automation Leveraging Open Source
 
Create code confidence for better application security
Create code confidence for better application security Create code confidence for better application security
Create code confidence for better application security
 
Open Source Libraries - Managing Risk in Cloud
Open Source Libraries - Managing Risk in Cloud Open Source Libraries - Managing Risk in Cloud
Open Source Libraries - Managing Risk in Cloud
 
No Devops Without Continuous Testing
No Devops Without Continuous TestingNo Devops Without Continuous Testing
No Devops Without Continuous Testing
 
ABC's of Service Virtualization
ABC's of Service VirtualizationABC's of Service Virtualization
ABC's of Service Virtualization
 

Similar to 10 Steps To Secure Agile Development

AppSec How-To: Achieving Security in DevOps
AppSec How-To: Achieving Security in DevOpsAppSec How-To: Achieving Security in DevOps
AppSec How-To: Achieving Security in DevOpsCheckmarx
 
Insider's Guide to the AppExchange Security Review (Dreamforce 2015)
Insider's Guide to the AppExchange Security Review (Dreamforce 2015)Insider's Guide to the AppExchange Security Review (Dreamforce 2015)
Insider's Guide to the AppExchange Security Review (Dreamforce 2015)Salesforce Partners
 
10 Tips to Keep Your Software a Step Ahead of the Hackers
10 Tips to Keep Your Software a Step Ahead of the Hackers10 Tips to Keep Your Software a Step Ahead of the Hackers
10 Tips to Keep Your Software a Step Ahead of the HackersCheckmarx
 
Selecting an App Security Testing Partner: An eGuide
Selecting an App Security Testing Partner: An eGuideSelecting an App Security Testing Partner: An eGuide
Selecting an App Security Testing Partner: An eGuideHCLSoftware
 
Procuring an Application Security Testing Partner
Procuring an Application Security Testing PartnerProcuring an Application Security Testing Partner
Procuring an Application Security Testing PartnerHCLSoftware
 
An Insider's Guide to Security Review (October 13, 2014)
An Insider's Guide to Security Review (October 13, 2014)An Insider's Guide to Security Review (October 13, 2014)
An Insider's Guide to Security Review (October 13, 2014)Salesforce Partners
 
The best way to design secure software products
The best way to design secure software productsThe best way to design secure software products
The best way to design secure software productsLabSharegroup
 
All About Intelligent Orchestration :The Future of DevSecOps.pdf
All About Intelligent Orchestration :The Future of DevSecOps.pdfAll About Intelligent Orchestration :The Future of DevSecOps.pdf
All About Intelligent Orchestration :The Future of DevSecOps.pdfEnov8
 
Security Validation as Code.pdf
Security Validation as Code.pdfSecurity Validation as Code.pdf
Security Validation as Code.pdfPrancer Io
 
5 principles-securing-devops-veracode-whitepaper
5 principles-securing-devops-veracode-whitepaper5 principles-securing-devops-veracode-whitepaper
5 principles-securing-devops-veracode-whitepaperwardell henley
 
6 Essential Types of Salesforce Test Automation
6 Essential Types of Salesforce Test Automation6 Essential Types of Salesforce Test Automation
6 Essential Types of Salesforce Test AutomationAutoRABIT
 
An Ultimate Guide to Continuous Testing in Agile Projects.pdf
An Ultimate Guide to Continuous Testing in Agile Projects.pdfAn Ultimate Guide to Continuous Testing in Agile Projects.pdf
An Ultimate Guide to Continuous Testing in Agile Projects.pdfKMSSolutionsMarketin
 
Building Security in Using CI
Building Security in Using CIBuilding Security in Using CI
Building Security in Using CICoveros, Inc.
 
DevOps and Devsecops- Everything you need to know.
DevOps and Devsecops- Everything you need to know.DevOps and Devsecops- Everything you need to know.
DevOps and Devsecops- Everything you need to know.Techugo
 
DevSecOps: Integrating Security Into DevOps! {Business Security}
DevSecOps: Integrating Security Into DevOps! {Business Security}DevSecOps: Integrating Security Into DevOps! {Business Security}
DevSecOps: Integrating Security Into DevOps! {Business Security}Ajeet Singh
 
DevOps and Devsecops- What are the Differences.
DevOps and Devsecops- What are the Differences.DevOps and Devsecops- What are the Differences.
DevOps and Devsecops- What are the Differences.Techugo
 
DevOps and Devsecops.pdf
DevOps and Devsecops.pdfDevOps and Devsecops.pdf
DevOps and Devsecops.pdfTechugo
 
Why Security Engineer Need Shift-Left to DevSecOps?
Why Security Engineer Need Shift-Left to DevSecOps?Why Security Engineer Need Shift-Left to DevSecOps?
Why Security Engineer Need Shift-Left to DevSecOps?Najib Radzuan
 
Ensuring Secure and Efficient Operations with DevOps Security
Ensuring Secure and Efficient Operations with DevOps SecurityEnsuring Secure and Efficient Operations with DevOps Security
Ensuring Secure and Efficient Operations with DevOps SecurityDev Software
 

Similar to 10 Steps To Secure Agile Development (20)

AppSec How-To: Achieving Security in DevOps
AppSec How-To: Achieving Security in DevOpsAppSec How-To: Achieving Security in DevOps
AppSec How-To: Achieving Security in DevOps
 
Insider's Guide to the AppExchange Security Review (Dreamforce 2015)
Insider's Guide to the AppExchange Security Review (Dreamforce 2015)Insider's Guide to the AppExchange Security Review (Dreamforce 2015)
Insider's Guide to the AppExchange Security Review (Dreamforce 2015)
 
10 Tips to Keep Your Software a Step Ahead of the Hackers
10 Tips to Keep Your Software a Step Ahead of the Hackers10 Tips to Keep Your Software a Step Ahead of the Hackers
10 Tips to Keep Your Software a Step Ahead of the Hackers
 
Selecting an App Security Testing Partner: An eGuide
Selecting an App Security Testing Partner: An eGuideSelecting an App Security Testing Partner: An eGuide
Selecting an App Security Testing Partner: An eGuide
 
Procuring an Application Security Testing Partner
Procuring an Application Security Testing PartnerProcuring an Application Security Testing Partner
Procuring an Application Security Testing Partner
 
An Insider's Guide to Security Review (October 13, 2014)
An Insider's Guide to Security Review (October 13, 2014)An Insider's Guide to Security Review (October 13, 2014)
An Insider's Guide to Security Review (October 13, 2014)
 
The best way to design secure software products
The best way to design secure software productsThe best way to design secure software products
The best way to design secure software products
 
All About Intelligent Orchestration :The Future of DevSecOps.pdf
All About Intelligent Orchestration :The Future of DevSecOps.pdfAll About Intelligent Orchestration :The Future of DevSecOps.pdf
All About Intelligent Orchestration :The Future of DevSecOps.pdf
 
Security Validation as Code.pdf
Security Validation as Code.pdfSecurity Validation as Code.pdf
Security Validation as Code.pdf
 
5 principles-securing-devops-veracode-whitepaper
5 principles-securing-devops-veracode-whitepaper5 principles-securing-devops-veracode-whitepaper
5 principles-securing-devops-veracode-whitepaper
 
6 Essential Types of Salesforce Test Automation
6 Essential Types of Salesforce Test Automation6 Essential Types of Salesforce Test Automation
6 Essential Types of Salesforce Test Automation
 
An Ultimate Guide to Continuous Testing in Agile Projects.pdf
An Ultimate Guide to Continuous Testing in Agile Projects.pdfAn Ultimate Guide to Continuous Testing in Agile Projects.pdf
An Ultimate Guide to Continuous Testing in Agile Projects.pdf
 
Building Security in Using CI
Building Security in Using CIBuilding Security in Using CI
Building Security in Using CI
 
DevOps and Devsecops- Everything you need to know.
DevOps and Devsecops- Everything you need to know.DevOps and Devsecops- Everything you need to know.
DevOps and Devsecops- Everything you need to know.
 
DevSecOps: Integrating Security Into DevOps! {Business Security}
DevSecOps: Integrating Security Into DevOps! {Business Security}DevSecOps: Integrating Security Into DevOps! {Business Security}
DevSecOps: Integrating Security Into DevOps! {Business Security}
 
DevOps and Devsecops- What are the Differences.
DevOps and Devsecops- What are the Differences.DevOps and Devsecops- What are the Differences.
DevOps and Devsecops- What are the Differences.
 
DevOps and Devsecops.pdf
DevOps and Devsecops.pdfDevOps and Devsecops.pdf
DevOps and Devsecops.pdf
 
Why Security Engineer Need Shift-Left to DevSecOps?
Why Security Engineer Need Shift-Left to DevSecOps?Why Security Engineer Need Shift-Left to DevSecOps?
Why Security Engineer Need Shift-Left to DevSecOps?
 
Qa analyst training
Qa analyst training Qa analyst training
Qa analyst training
 
Ensuring Secure and Efficient Operations with DevOps Security
Ensuring Secure and Efficient Operations with DevOps SecurityEnsuring Secure and Efficient Operations with DevOps Security
Ensuring Secure and Efficient Operations with DevOps Security
 

More from Checkmarx

Application Security Guide for Beginners
Application Security Guide for Beginners Application Security Guide for Beginners
Application Security Guide for Beginners Checkmarx
 
The Web AppSec How-To: The Defender's Toolbox
The Web AppSec How-To: The Defender's ToolboxThe Web AppSec How-To: The Defender's Toolbox
The Web AppSec How-To: The Defender's ToolboxCheckmarx
 
The 5 Biggest Benefits of Source Code Analysis
The 5 Biggest Benefits of Source Code AnalysisThe 5 Biggest Benefits of Source Code Analysis
The 5 Biggest Benefits of Source Code AnalysisCheckmarx
 
A Platform for Application Risk Intelligence
A Platform for Application Risk IntelligenceA Platform for Application Risk Intelligence
A Platform for Application Risk IntelligenceCheckmarx
 
How Virtual Compilation Transforms Static Code Analysis
How Virtual Compilation Transforms Static Code AnalysisHow Virtual Compilation Transforms Static Code Analysis
How Virtual Compilation Transforms Static Code AnalysisCheckmarx
 
Source Code vs. Binary Code Analysis
Source Code vs. Binary Code AnalysisSource Code vs. Binary Code Analysis
Source Code vs. Binary Code AnalysisCheckmarx
 
DevOps & Security: Here & Now
DevOps & Security: Here & NowDevOps & Security: Here & Now
DevOps & Security: Here & NowCheckmarx
 
The App Sec How-To: Choosing a SAST Tool
The App Sec How-To: Choosing a SAST ToolThe App Sec How-To: Choosing a SAST Tool
The App Sec How-To: Choosing a SAST ToolCheckmarx
 
The Security State of The Most Popular WordPress Plug-Ins
The Security State of The Most Popular WordPress Plug-InsThe Security State of The Most Popular WordPress Plug-Ins
The Security State of The Most Popular WordPress Plug-InsCheckmarx
 
Graph Visualization - OWASP NYC Chapter
Graph Visualization - OWASP NYC ChapterGraph Visualization - OWASP NYC Chapter
Graph Visualization - OWASP NYC ChapterCheckmarx
 
Happy New Year!
Happy New Year!Happy New Year!
Happy New Year!Checkmarx
 

More from Checkmarx (11)

Application Security Guide for Beginners
Application Security Guide for Beginners Application Security Guide for Beginners
Application Security Guide for Beginners
 
The Web AppSec How-To: The Defender's Toolbox
The Web AppSec How-To: The Defender's ToolboxThe Web AppSec How-To: The Defender's Toolbox
The Web AppSec How-To: The Defender's Toolbox
 
The 5 Biggest Benefits of Source Code Analysis
The 5 Biggest Benefits of Source Code AnalysisThe 5 Biggest Benefits of Source Code Analysis
The 5 Biggest Benefits of Source Code Analysis
 
A Platform for Application Risk Intelligence
A Platform for Application Risk IntelligenceA Platform for Application Risk Intelligence
A Platform for Application Risk Intelligence
 
How Virtual Compilation Transforms Static Code Analysis
How Virtual Compilation Transforms Static Code AnalysisHow Virtual Compilation Transforms Static Code Analysis
How Virtual Compilation Transforms Static Code Analysis
 
Source Code vs. Binary Code Analysis
Source Code vs. Binary Code AnalysisSource Code vs. Binary Code Analysis
Source Code vs. Binary Code Analysis
 
DevOps & Security: Here & Now
DevOps & Security: Here & NowDevOps & Security: Here & Now
DevOps & Security: Here & Now
 
The App Sec How-To: Choosing a SAST Tool
The App Sec How-To: Choosing a SAST ToolThe App Sec How-To: Choosing a SAST Tool
The App Sec How-To: Choosing a SAST Tool
 
The Security State of The Most Popular WordPress Plug-Ins
The Security State of The Most Popular WordPress Plug-InsThe Security State of The Most Popular WordPress Plug-Ins
The Security State of The Most Popular WordPress Plug-Ins
 
Graph Visualization - OWASP NYC Chapter
Graph Visualization - OWASP NYC ChapterGraph Visualization - OWASP NYC Chapter
Graph Visualization - OWASP NYC Chapter
 
Happy New Year!
Happy New Year!Happy New Year!
Happy New Year!
 

Recently uploaded

Maximizing Board Effectiveness 2024 Webinar.pptx
Maximizing Board Effectiveness 2024 Webinar.pptxMaximizing Board Effectiveness 2024 Webinar.pptx
Maximizing Board Effectiveness 2024 Webinar.pptxOnBoard
 
Data Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonData Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonAnna Loughnan Colquhoun
 
My Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 PresentationMy Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 PresentationRidwan Fadjar
 
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...Igalia
 
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhi
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | DelhiFULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhi
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhisoniya singh
 
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationFrom Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationSafe Software
 
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure serviceWhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure servicePooja Nehwal
 
Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024BookNet Canada
 
Breaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountBreaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountPuma Security, LLC
 
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Drew Madelung
 
GenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationGenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationMichael W. Hawkins
 
Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024The Digital Insurer
 
🐬 The future of MySQL is Postgres 🐘
🐬 The future of MySQL is Postgres 🐘🐬 The future of MySQL is Postgres 🐘
🐬 The future of MySQL is Postgres 🐘RTylerCroy
 
Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...
Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...
Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...HostedbyConfluent
 
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...Neo4j
 
Enhancing Worker Digital Experience: A Hands-on Workshop for Partners
Enhancing Worker Digital Experience: A Hands-on Workshop for PartnersEnhancing Worker Digital Experience: A Hands-on Workshop for Partners
Enhancing Worker Digital Experience: A Hands-on Workshop for PartnersThousandEyes
 
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking MenDelhi Call girls
 
Histor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slideHistor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slidevu2urc
 
Salesforce Community Group Quito, Salesforce 101
Salesforce Community Group Quito, Salesforce 101Salesforce Community Group Quito, Salesforce 101
Salesforce Community Group Quito, Salesforce 101Paola De la Torre
 
The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024Rafal Los
 

Recently uploaded (20)

Maximizing Board Effectiveness 2024 Webinar.pptx
Maximizing Board Effectiveness 2024 Webinar.pptxMaximizing Board Effectiveness 2024 Webinar.pptx
Maximizing Board Effectiveness 2024 Webinar.pptx
 
Data Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonData Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt Robison
 
My Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 PresentationMy Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 Presentation
 
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
 
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhi
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | DelhiFULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhi
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhi
 
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationFrom Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
 
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure serviceWhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
 
Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
 
Breaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountBreaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path Mount
 
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
 
GenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationGenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day Presentation
 
Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024
 
🐬 The future of MySQL is Postgres 🐘
🐬 The future of MySQL is Postgres 🐘🐬 The future of MySQL is Postgres 🐘
🐬 The future of MySQL is Postgres 🐘
 
Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...
Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...
Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...
 
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
 
Enhancing Worker Digital Experience: A Hands-on Workshop for Partners
Enhancing Worker Digital Experience: A Hands-on Workshop for PartnersEnhancing Worker Digital Experience: A Hands-on Workshop for Partners
Enhancing Worker Digital Experience: A Hands-on Workshop for Partners
 
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
 
Histor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slideHistor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slide
 
Salesforce Community Group Quito, Salesforce 101
Salesforce Community Group Quito, Salesforce 101Salesforce Community Group Quito, Salesforce 101
Salesforce Community Group Quito, Salesforce 101
 
The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024
 

10 Steps To Secure Agile Development

  • 1. Source Code Analysis Made Easy The AppSec How-To: 10 Steps to Secure Agile Development 10 Steps In Agile’s fast-paced environment and frequent releases, security reviews and testing sound like an impediment to success. How can you keep up with Agile demands of continuous integration and continuous deployment without abandoning security best practices? Companies have found the following ten practices helpful to achieve a holistic secure Software Development Life Cycle (SDLC) process in an Agile SaaS world. The approaches taken by these companies follow a basic philosophy: keeping security as simple as possible and remove any unnecessary load from the development team. 1 Be part of the process Security requirements should be considered as additional development checkpoints. Each benchmark needs to be achieved before proceeding to the next stage of an Agile process. For each step in Agile, associate a security milestone that needs to be achieved. Start already at the post-release planning to perform a security high-level design. This includes the following aspects: - Security in code development. For example, inspect the planned application in terms of which APIs are going to be used. - Security in technologies. Identify technologies that are going to be used. For example, if system testing is performed within a Maven process, security tests should be integrated within this system. - Security in features. For example, forecast any problems associated with regulations. Say, when tracking cookies are used within a product delivered to the UK then prepare compliance to UK privacy regulations. 2 Enforce your policy by using a security package API in each product There are two aspects to this stage: a. Use a security package such as OWASP’s Enterprise Security API (ESAPI). ESAPI is a toolkit which enables the developers to easily consume various utilities. The toolkit provides a variety of out-of-the box utilities such as validators, encoders, encryptors, and randomizers. By using ESAPI, developers do not need to investigate the best security practices and spend time researching correct implementation methods. 1 www.checkmarx.com
  • 2. Source Code Analysis Made Easy Consider hashing, as an example. Instead of relying on the developer to add a hash salt, the salt can already be implemented as part of the ESAPI configuration. The developer, in turn, is left simply to consume the provided API. Particular emphasis should be made on validators because these prevent the most common Web application vulnerabilities, such as SQLi and XSS. Each organization needs to evaluate where to integrate the validators. Some businesses may decide to apply validators on the controller level (e.g. on the Apache layer or within the Tomcat filter). Other companies prefer to integrate validators within the development code to test each input. While each company needs to decide the right strategy for them, we have found that many companies choose to validate each input within their code. This decision is based on two main reasons: • All the regular expressions that are written to validate the input can be constructed as simple as possible in order to avoid any type of performance issue. These regular expressions are actually more similar to a business-oriented validation. • In case a problem arises- or a specific validator needs to be changed- only the specific input needs to be changed. On the other hand, a higher level validator requires a whole QA process to verify the entire system. One organization we worked with took code-level validation one step further. The particular organization implemented a validator that does not return the traditional true/ false boolean values, but rather returns null if the input is invalid. In this manner, the security team was able to prevent developers from mistakenly using that same value later on in the code. b. Validate that the developers are using the right API. For each input, ensure that the developer uses the right validator as provided by the security team. This entails failure of the security test in case the developer chooses not to use the API. Enforcement can be achieved through source code analysis that is customized to the security team’s requirement. 3 Integrate Source Code Analysis (SCA) within the native process of code management Enforcing the security policy means that the developers cannot proceed with the build process if the checked in code does not comply with policy. To keep up with the fast-paced development environment, the developers must be able to consume the policy without a long training period. The way to address this challenge is by integrating SCA within the different stages of the development process. Particular aspects to pay attention to are: - Integrating the SCA within the build automation tool (such as Maven). Organizations typically run the SCA in two modes. The first is running the scan as incremental tests each time the developer performs a commit. In this way, only the change between the last scan and the current scan is checked. The second is running a full security scan within a full-system test, say during the nightly build. If the build fails, the developer has to fix the flaw before continuing with the development. - Presenting SCA findings within the build management and Continuous Integration server (such as within TeamCity). In case of an SCA alert, it’s more efficient for the developer to click on the finding and dynamically identify the specific vulnerability. 2 www.checkmarx.com
  • 3. Source Code Analysis Made Easy - Enhancing the SCA with a knowledge base for the developer. Similarly to a developer fixing a compilation error, the developer needs to know how to fix the faulty code. For this, the SCA tool should also contain a knowledge base which describes the risk and the proper remediation advice. 4 Break the build for any “high” or “medium” findings Do not compromise security by releasing a product that contains any high or medium findings. This requires eliminating the flaw already at the build process. Meaning, if the developer checks in a few high security bugs, the build will break. Unless the vulnerabilities are fixed, the developer fails to build a package. 5 Use automation to collaborate with the security dynamic test Dynamic testing within the product can be implemented through positive and negative unit tests. - Use positive testing to validate the input. For instance, a positive test validating input in the form of an email address will test that the characters “@” and “.” appear, but no other special characters. - Complement the positive test through a negative test. The negative test should “pick up” all input that does not conform to the positive test. Using the above scenario, an email address embedding a SQL Injection will be caught by the negative test. Essentially, the complementary negative test acts as the dynamic test. 6 Run a penetration test Engage both professional and your customers as penetration testers: - Perform a penetration testing of the final product by an external vendor. This includes an automated or manual test of the product once it’s released in its Alpha stage. - Allow customers to run a penetration test and work as a community to succeed. The organization must perform all the necessary steps in order to release a secure product. That said, many customers are themselves subjected to regulation which requires running penetration testing on third-party products. The benefit to you? Gaining customer confidence. This is particularly important when talking about Software-as-a-Service (SaaS) products whose success is based on the trust that customers put on their providers. 3 www.checkmarx.com
  • 4. Source Code Analysis Made Easy 7 Engage technology leaders as security champions by showing them the value Even with large security teams, it is obvious that developers outnumber the security team. To extend security’s outreach, engage with the technology leaders and place them as the security champions. Gaining such cooperation with R&D guarantees that also when security is not physically present, security does come up in each and every scrum meeting. 8 Train developers on a regular basis The point here is not necessarily to establish a formal training process where developers are sent to a Web application security course. There are other means for training, such as: - Providing developers with the security knowledge Enhancing the SCA with the knowledge base of a specific vulnerability, as recommended in one of the practices above, is part of this kind of training. By helping developers understand the risk and its mitigation, security awareness increases whereas developers start viewing security and code differently. - Being accessible to developers. Once security becomes an ingrained process, Q&A from the developers begin to pile up at the security team’s desk. The security team should have an open door policy to address all the developers’ concerns. 9 Provide a collaboration platform for security discussions This practice goes hand in hand with the previous practice on training developers. The point here is to not only accumulate or disseminate information related to security practices. This practice focuses on establishing a security collaboration platform with the intent of sharing information and raising discussions surrounding security issues. 10 Start small but think big Many of these practices, especially the practice of breaking the build for any “high” or “medium” finding, requires the management and superiors support. We recognize that gaining this type of trust is not an easy goal to achieve. Various companies have found the following steps helpful: - Take one small project and turn it to a success story. Listen to R&D during this process. Learn from mistakes and refine the process moving forward. - With one success story under the belt, move on to a new project. Continue refining, and learning from mistakes. Create 2-3 successful stories. - Review the security bugs that are returned by customers. Compare the number of vulnerabilities in one of these success stories with a different project that does not follow the security practices. 4 www.checkmarx.com
  • 5. Source Code Analysis Made Easy Show management how these vulnerabilities interfere with the normal delivery and maintenance of the product. - Progress to the big legacy project. At first, don’t break the build for security findings in this big project. It is enough at this stage to identify the gaps, close them and create a program of how development will fix the flaws. - Fix the flaws on the legacy system only after achieving confidence. Fix the flaws on the legacy systems only after understanding how to correctly deliver the security package (such as ESAPI), how to inspect it correctly, and where to correctly apply the validation without any impact to the product. - Proceed to the big project in-making. Naturally, this is the ultimate goal and security should already be integrated within the Agile process. At this step, the validators should already be packaged and set within a single framework. 5 www.checkmarx.com