Comments
yourfanat wrote: I am using another tool for Oracle developers - dbForge Studio for Oracle. This IDE has lots of usefull features, among them: oracle designer, code competion and formatter, query builder, debugger, profiler, erxport/import, reports and many others. The latest version supports Oracle 12C. More information here.

2008 West
DIAMOND SPONSOR:
Data Direct
SOA, WOA and Cloud Computing: The New Frontier for Data Services
PLATINUM SPONSORS:
Red Hat
The Opening of Virtualization
GOLD SPONSORS:
Appsense
User Environment Management – The Third Layer of the Desktop
Cordys
Cloud Computing for Business Agility
EMC
CMIS: A Multi-Vendor Proposal for a Service-Based Content Management Interoperability Standard
Freedom OSS
Practical SOA” Max Yankelevich
Intel
Architecting an Enterprise Service Router (ESR) – A Cost-Effective Way to Scale SOA Across the Enterprise
Sensedia
Return on Assests: Bringing Visibility to your SOA Strategy
Symantec
Managing Hybrid Endpoint Environments
VMWare
Game-Changing Technology for Enterprise Clouds and Applications
Click For 2008 West
Event Webcasts

2008 West
PLATINUM SPONSORS:
Appcelerator
Get ‘Rich’ Quick: Rapid Prototyping for RIA with ZERO Server Code
Keynote Systems
Designing for and Managing Performance in the New Frontier of Rich Internet Applications
GOLD SPONSORS:
ICEsoft
How Can AJAX Improve Homeland Security?
Isomorphic
Beyond Widgets: What a RIA Platform Should Offer
Oracle
REAs: Rich Enterprise Applications
Click For 2008 Event Webcasts
SYS-CON.TV
Today's Top SOA Links


Strengthening Application Security | @CloudExpo #API #Cloud #Security
As software continues to pervade our lives, the security of that software continues to grow in importance

Strengthening Application Security in the Software Development Lifecycle

As software continues to pervade our lives, the security of that software continues to grow in importance. We need to keep private data private. We need to protect financial transactions and records. We need to protect online services from infiltration and attack.

We can obtain this protection through ‘Application Security,' which is all about building and delivering software that is safe and secure. Developing software within an integrated toolchain can greatly enhance security.

What's Application Security?
Application Security encompasses activities such as:

  • Analyzing and testing software for security vulnerabilities
  • Managing and fixing vulnerabilities
  • Ensuring compliance with security standards
  • Reporting security statistics and metrics

There are several different categories of these tools, however, the following are the most interesting in terms of software integration:

  • Static Application Security Testing (SAST) - used to analyze an application for security vulnerabilities without running it. This is accomplished by analyzing the application's source code, byte code, and/or binaries for common patterns and indications of vulnerabilities.
  • Dynamic Application Security Testing (DAST) - analyze a running application for security vulnerabilities. They do this by automatically testing the running application against common exploits. This is similar to penetration testing (pen testing), but it is fully automated
  • Security Requirements tools - used for defining, prioritizing, and managing security requirements. These tools take the approach of introducing security directly into the software development lifecycle as specific requirements. Some of these tools can automatically generate security requirements based on rules and common security issues in a specified domain.

Other categories of Application Security tools, such as Web Application Firewalls (WAFs) and Runtime Application Self-Protection (RASP) tools, are more focused on managing and defending against known security vulnerabilities in deployed software, and are somewhat less interesting for integration.

There are many vendors of Application Security tools. Some of the most popular are Whitehat, which makes SAST and DAST tools; IBM, whose AppScan suite includes several SAST and DAST tools; SD Elements, who makes Security Requirements tools; HPE, whose Fortify suite includes SAST, DAST, and RASP tools; Veracode, which produces SAST and DAST tools; and Checkmarx, offering a source code analysis SAST tool.

How is software integration relevant to application security?
When looking to integrate new tools into your software delivery process, it is important to first identify the stakeholders of those tools, and the assets consumed by and artifacts produced by those tools.

The most common stakeholders of Application Security tools are:

  • Security Professionals: write security requirements, prioritize vulnerabilities, configure rules for SAST and DAST tools, and consume security statistics, metrics, and compliance reports
  • Developers: implement security requirements in the software they are building, and fix vulnerabilities reported by SAST and DAST tools
  • Testers: create and execute manual security test plans based on security requirements
  • Managers: consume high level security reports, with a focus on the business and financial benefits of security efforts.

Common assets consumed by Application Security tools include:

  • Source code
  • Byte code
  • Binaries
  • Security rules

Common artifacts produced by Application Security include:

  • Vulnerabilities
  • Suggested fixes
  • Security requirements
  • Security statistics and metrics

With so many people and assets involved in the workflow, we need all stakeholders to be able to trace artifacts, spot vulnerabilities and have automated reporting to be able to address any issues as they arise. An integrated workflow does this, as illustrated in the below workflow.

Common integration scenarios
The three Software Lifecycle Integration (SLI) patterns we'll be looking at are Requirements Traceability, Security Vulnerabilities to Development, and the Consolidated Reporting Unification Pattern.

  • Requirements Traceability: The goal is to be able to trace each code change all the way back up to the original requirement. When it comes to Application Security, we want security requirements to be included in this traceability graph. To accomplish this we need to link requirements generated and managed by Security Requirements tools into the Project and Portfolio Management (PPM), Requirements Management, and/or Agile tools where we manage other requirements and user stories.
  • Security Vulnerabilities to Development: This is about automatically reporting security vulnerabilities to our development teams to quickly fix them. To accomplish this we need to link vulnerabilities reported by SAST and DAST tools into our Defects Management or Agile tools, where developers will see them and work on a fix.
  • Consolidated Reporting Unification Pattern: Aims to consolidate development data from the various tools used by teams across an organization so that unified reports can be generated. When it comes to Application Security, we want data about security requirements and vulnerabilities included so that it can be reported on too. We need to collect these artifacts produced by our Application Security tools into our data warehouse.
About David King
David King is a Customer Success Engineer at Tasktop. He worked as a Software Engineer building Tasktop's connectors for 3 years before transitioning into his current role in Customer Success. David helps customers realize their integration needs through deployments, technical services, and technical support.

In order to post a comment you need to be registered and logged in.

Register | Sign-in

Reader Feedback: Page 1 of 1

Web 2.0 Latest News
The help desk forms the backbone of IT operations for many federal, state and local government agencies. In fact, the cross-functional nature of its operation means the help desk directly impacts productivity and is an essential part of what enables an agency to meet its stakeholder ne...
With 10 simultaneous tracks, keynotes, general sessions and targeted breakout classes, Cloud Expo and @ThingsExpo are two of the most important technology events of the year. Since its launch over eight years ago, Cloud Expo and @ThingsExpo have presented a rock star faculty as well as...
Commerce has become both digital and global: Online sales are expected to exceed $1.6 trillion dollars by 2020. As a customer preferred way of doing business, ecommerce offers increased selection, value, and convenience. Online shopping also offers merchants increased access to custome...
These days attacks are becoming more sophisticated and more common. Mobile devices, cloud computing and the Internet of Things have increased the number of access points that must be secured. To complicate matters, CISOs are been directed to secure system without compromising the seaml...
There's an impulse to roll one's eyes and think of legacy applications as problematic, almost by definition. They're old, and they may run on hardware that's slower or more difficult to maintain. But in many instances, that's too simplistic an assessment. Would you respond the same way...
Subscribe to the World's Most Powerful Newsletters
Subscribe to Our Rss Feeds & Get Your SYS-CON News Live!
Click to Add our RSS Feeds to the Service of Your Choice:
Google Reader or Homepage Add to My Yahoo! Subscribe with Bloglines Subscribe in NewsGator Online
myFeedster Add to My AOL Subscribe in Rojo Add 'Hugg' to Newsburst from CNET News.com Kinja Digest View Additional SYS-CON Feeds
Publish Your Article! Please send it to editorial(at)sys-con.com!

Advertise on this site! Contact advertising(at)sys-con.com! 201 802-3021




SYS-CON Featured Whitepapers
ADS BY GOOGLE