Within a software security initiative (SSI), security testing of applications should be a top priority so that applications are resilient to attacks. Secure applications provide stronger protection of sensitive data and private information in case the surrounding environment fails to protect the application or its data. Application security testing is therefore one of the most important domains of software security.
An effective SSI requires application security. But that is not the only element that matters; it is just the beginning. A truly thorough SSI requires a broader, more holistic and strategic approach to protecting the organization's assets and reputation. Small changes to the process and the implementation of safeguards can improve security at every step. While not every activity is right for every organization in every industry, a business that is not starting to put security measures in place is exposing itself to unknown risks.
To improve software security posture, a business needs to perform certain activities that may involve upgrading the current software development process with practices that infuse security and privacy policies.
Applications refer to:
Application security testing validates whether an application is resilient against abuse, fails safe and can be shown to be secure. It also checks for privacy-related issues. This can be broadly classified as security functionality testing and security testing:
Today's applications do not work in silos; they are accessible globally via the internet. Businesses build applications to run on hosts and networks, and they depend on third-party vendors for the application environment. They do not create their own operating system, server hardware or network appliances to run the applications. At most, businesses can harden those systems.
The same dependency applies to third-party software acquired by a company. If these systems are vulnerable, the applications built on them are vulnerable too. A secure development process for applications, however, is under the control of the organization, and that is where it can start measuring and making the necessary changes. Bugs in the application code and flaws in the application's design make the whole application insecure, and these can only be detected by application security testing.
Activities towards continuous improvement of application security include:
It is important to analyze an organization's current security position when considering measures to improve its security posture. A thorough analysis involving secure code review, architecture risk analysis and penetration testing can provide the necessary information. Based on these findings, areas of improvement can be identified and the activities to be performed can be formulated. This creates the foundation for a security roadmap and an SSI starting point for the business.
Other important activities may include:
Improvement in any process requires an understanding and analysis of where that process stands today; based on that information, the next steps can be formulated. That is the role application testing plays in an organization's security journey: it analyzes the threats to and risks of the applications. This is the foundation needed to prioritize other activities in preparation for remediation. A highly mature organization may require different activities than an organization that has just started its security journey.
Software security involves the holistic approach an organization can take to improve its security posture, safeguarding its assets and the privacy of non-public information. The activities discussed here were inspired by the Building Security In Maturity Model (BSIMM). These highlighted activities are commonly observed and performed by real companies.
Monika Chakraborty is a security consultant at Synopsys. Monika has 20+ years of experience in a variety of roles including developer, team lead and project manager. She currently works with customers in multiple industries on vulnerability assessments, secure code reviews and strategic planning in secure development. She has been CSSLP certified since 2013 and has been an eCPPT (eLearnSecurity Certified Professional Penetration Tester) since 2012. Monika focuses on software security initiatives that help businesses improve their secure development processes.