
Prioritizing Security in the Development Process: It’s No Longer Optional

With research firm Gartner reporting that nearly 80 percent of security breaches still occur at the application layer, enterprises in all industries must adopt a “Security First” posture during application development. This month, we’ll offer some specific recommendations to help in that regard.

One significant way organizations can protect their applications and data from the damage that accompanies a breach is by prioritizing security during software release cycles. The first step toward more secure application development lies in testing code for security vulnerabilities while it is still under development.

Finding security vulnerabilities during coding allows development teams to mitigate their application security risk at the source – before issues become expensive, time-consuming, and troublesome to resolve post-release. However, having developers manually check code for security vulnerabilities is complicated, time-consuming, and error-prone. And since developers are coders, not usually security experts, they may not be aware of the best security solutions to implement.

A better approach is to align security with manual testing, which is facilitated by the use of purpose-built tools such as those that perform static code analysis (SCA). SCA is a debugging method that falls under the category of Static Application Security Testing (SAST), also known as “white box testing.”

SCA allows teams to find security vulnerabilities in the application source code earlier in the software development life cycle. In doing so, it eliminates the need for manual security testing, letting software testers focus on functionality. Once security flaws are detected, they can be returned to the development team for correction before release.

One example of such a tool is Micro Focus Fortify. Fortify is an entire family of solutions that facilitates secure development. For SCA, specifically, Micro Focus offers two solutions: Fortify on Premise (hosted on a client server) and Fortify on Demand (hosted in the cloud).

Fortify SCA offers the added benefit of ensuring conformance to coding guidelines and standards without executing the underlying code. SCA and other Micro Focus Fortify products support a variety of languages and CI/CD tools and provide integrated SAST for developers, helping them maximize their efforts while building more secure software.

With proven, feature-rich SCA tools like Fortify, developers can proactively find security defects in real time and receive detailed analyses that lead to faster fixes. SCA tools also enable greater team collaboration, facilitate correlation of results, and make audits and secure coding practices much easier to implement.

As an application security specialist, Saltworks partners with enterprises to design, integrate, manage, and/or measure SCA programs in established development environments. Working with Saltworks, enterprises gain an automated way to aggregate, analyze, and report on scan results at scale — even when using varied technologies. SaltMiner, Saltworks’ dashboarding interface, seamlessly integrates and correlates results for Fortify and other tools, presenting SCA scan results with other security metrics such as open source analysis, dynamic scans, penetration testing, and more. For more information, visit https://www.saltworks.io/