
Putting developers into application security

Making security easy for developers, in their preferred tools, while still producing the reports a CISO needs, is a challenge many organizations face today. The reality is that late-stage security approaches cannot plug vulnerabilities buried deep within applications.

Yet putting the onus squarely on developers is a gamble: many are not knowledgeable about certain kinds of vulnerabilities, or about where they might lie, such as in an open-source component or in an API.

So organizations are meeting the challenge of application security by creating development ‘squads,’ made up of developers, testers, security personnel and the product team, to prevent vulnerabilities from making their way into an application.

To create the squad, Simon King, vice president of solutions for the Synopsys Integrity Group, strongly recommends hiring a couple of security experts who have already done it, “because trying to figure it out from scratch will just take you too long and you’ll miss just very basic things.” Once the experts are on board, he said, complement the team with people from the product teams, who know much better where weaknesses may lie.

Then, he recommends, set up e-learning to train the rest of the organization, and eventually push security personnel out into the product teams, from which security champions will emerge.

Four levels of security
King explained there are four levels of security that many organizations go through: security as a cost center, as compliance, as technology, and ultimately as a business enabler. From the cost center perspective, he said, organizations are concerned with which tools to buy that “tick the box” for a particular security concern. Security as compliance refers to defining policies that a central team tries to enforce. Security as technology means building the tools into the pipeline so that developers actually use them.

King said organizations then drive a cultural change that moves security teams from acting like police to being embedded with the development teams, “so they think about things right up front, as ‘what could we do’ instead of ‘what do we have to do now that we’ve already written the code and tested it?’” Lastly, only a few of the most mature companies on the planet are at the point where they see security as a business enabler. That, he said, is a pretty fundamental shift “that then enables the kind of thinking that says, now that the data is super-secure, what could we do with it that we couldn’t contemplate doing before because we didn’t trust who had access to the data, for example.”

In this kind of environment, developers should take on as much testing as they can from the moment an artifact exists, King explained. From the time a developer reaches into a public repository to pull some JavaScript for an open-source project, he said, you want to ensure it is the correct version, that there are no known vulnerabilities associated with it, and that its license complies with corporate policy, because you do not want to find that out late in the development life cycle. So static analysis and software composition analysis of open-source components should be done early on. Then, as the software goes through the pipeline, dynamic testing of the APIs that connect applications and services into the system architecture has to come later in the process, by its very nature.
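The three early checks King lists (right version, no known vulnerabilities, acceptable license) can be enforced as a single gate the moment a dependency lands in the lockfile, before anything is built. The script below is an added illustration, not Synopsys tooling or code from the article. The lockfile excerpt, the advisory feed, the package names and the identifier ADV-EXAMPLE-0001 are all constructed for the example; a real gate would read the project's own npm lockfile and query a live advisory source such as OSV.

```python
"""Dependency gate run when a package is pulled, before it reaches the build.

Added example, not Synopsys code. All inputs below are constructed.
"""
import json
import re
from typing import List, Tuple

# --- constructed sample inputs (made-up packages, advisory and policy) ---

# Excerpt in the npm lockfileVersion 2/3 layout: the "" entry is the project's
# own manifest; the other keys are resolved packages under node_modules.
SAMPLE_LOCKFILE = json.dumps({
    "name": "example-app",
    "lockfileVersion": 3,
    "packages": {
        "": {"dependencies": {
            "pad-util": "^1.0.0",
            "json-fast": "2.1.0",
            "chart-view": "*",            # accepts any version at all
        }},
        "node_modules/pad-util": {
            "version": "1.3.0",
            "resolved": "https://registry.example/pad-util/-/pad-util-1.3.0.tgz",
            "integrity": "sha512-AAAAexampleAAAA",
            "license": "MIT",
        },
        "node_modules/json-fast": {
            "version": "2.1.0",
            "resolved": "https://registry.example/json-fast/-/json-fast-2.1.0.tgz",
            "integrity": "sha512-BBBBexampleBBBB",
            "license": "Apache-2.0",
        },
        "node_modules/chart-view": {
            "version": "0.9.1",
            "resolved": "https://registry.example/chart-view/-/chart-view-0.9.1.tgz",
            # no "integrity": nothing binds the install to the bytes that were reviewed
            "license": "AGPL-3.0",
        },
    },
})

# Toy advisory feed; affected range is [introduced, fixed). The id is made up.
SAMPLE_ADVISORIES = [
    {"id": "ADV-EXAMPLE-0001", "package": "json-fast",
     "introduced": "2.0.0", "fixed": "2.1.2",
     "summary": "example: unsafe parse of attacker-controlled input"},
]

# Corporate license policy for this example: permissive licenses only.
ALLOWED_LICENSES = {"MIT", "ISC", "BSD-2-Clause", "BSD-3-Clause", "Apache-2.0"}

SEMVER = re.compile(r"^(\d+)\.(\d+)\.(\d+)")


def parse_version(v: str) -> Tuple[int, ...]:
    m = SEMVER.match(v)
    if not m:
        raise ValueError(f"not a semver version: {v!r}")
    return tuple(int(x) for x in m.groups())


def is_affected(version: str, introduced: str, fixed: str) -> bool:
    """True when introduced <= version < fixed."""
    v = parse_version(version)
    return parse_version(introduced) <= v < parse_version(fixed)


def check_dependencies(lockfile_json: str, advisories: List[dict],
                       allowed_licenses: set) -> List[dict]:
    """Return one finding per failed check; an empty list means the gate passes."""
    packages = json.loads(lockfile_json)["packages"]
    manifest_ranges = packages.get("", {}).get("dependencies", {})
    findings = []
    for path, meta in packages.items():
        if path == "":
            continue
        name = path.split("node_modules/")[-1]
        version = meta.get("version", "")
        # 1. Correct version: the manifest must not accept anything, and the
        #    lockfile must bind the version to a hash of the reviewed artifact.
        if manifest_ranges.get(name) in ("*", "latest", ""):
            findings.append({"package": name, "check": "pin",
                             "detail": f"manifest range {manifest_ranges[name]!r} accepts any version"})
        if not meta.get("integrity"):
            findings.append({"package": name, "check": "integrity",
                             "detail": "no integrity hash; install is not bound to reviewed bytes"})
        # 2. Known vulnerabilities for the resolved version.
        for adv in advisories:
            if adv["package"] == name and is_affected(version, adv["introduced"], adv["fixed"]):
                findings.append({"package": name, "check": "vulnerability",
                                 "detail": f"{adv['id']}: {version} affected, fixed in {adv['fixed']}"})
        # 3. License policy; a missing license is a finding, not a pass.
        lic = meta.get("license")
        if lic is None:
            findings.append({"package": name, "check": "license", "detail": "no license recorded"})
        elif lic not in allowed_licenses:
            findings.append({"package": name, "check": "license",
                             "detail": f"{lic} is not in the approved list"})
    return findings


def gate_passes(lockfile_json: str, advisories: List[dict], allowed_licenses: set) -> bool:
    return not check_dependencies(lockfile_json, advisories, allowed_licenses)


if __name__ == "__main__":
    for f in check_dependencies(SAMPLE_LOCKFILE, SAMPLE_ADVISORIES, ALLOWED_LICENSES):
        print(f"{f['check']:<13} {f['package']:<12} {f['detail']}")
    print("gate:", "PASS" if gate_passes(SAMPLE_LOCKFILE, SAMPLE_ADVISORIES, ALLOWED_LICENSES) else "FAIL")
```

On the constructed input the gate fails with four findings: the vulnerable json-fast release, and chart-view for an unpinned manifest range, a missing integrity hash and a license outside policy. Treating a missing license or missing integrity field as a failure rather than a pass is the deliberate choice here; a gate that only flags what it can positively identify will wave through exactly the dependencies nobody has looked at.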

“And then maybe middle of the way down the path you’re going to start looking at the containers you’re running in,” King said. “What’s in that template, all of the different layers from the application down to the container itself, and then ultimately some vulnerabilities only manifest in pretty complex deployment architectures, and so you’re going to do pen test and things like that fairly late stage.”

What Synopsys offers
To help organizations, Synopsys brings together managed software services, professional services and tooling. The company conducts BSIMM-based interviews to track evolving industry security practices, and turns the results into benchmarking, assessment and mapping processes. “These are action plans to say, how do you get from where you are to where you want to be,” King explained.

The professional services team supports implementation and adoption of the tools at scale. King was most excited about the tooling, which covers the spectrum from static security testing to open-source vulnerability analysis to pen testing — creating a holistic application security environment.

Synopsys has research labs working on the company’s multi-petabyte knowledge bases and on the tests written to check for vulnerabilities, while the professional services teams give the company deep insight into its customers because they work so closely with those customers’ teams. King said, “We bring that expertise, that customer intimacy, that’s otherwise hard to attain.”


Content provided by SD Times and Synopsys

The post Putting developers into application security appeared first on SD Times.



from SD Times https://ift.tt/3hN6PAR
