Software Integrity Blog

Author Archive

Apoorva Phadke


Apoorva Phadke is a senior security consultant at Synopsys. She works with customers to adopt secure development processes and practices. Apoorva comes from a development background and advocates that security and development go hand in hand. A feminist, Apoorva strongly believes more women should enter STEM-related fields, and organizations should do more to retain them in those fields. In her down time, she’s most likely out hiking or engrossed in a murder mystery novel.


Posts by Apoorva Phadke:


Streamlining development with a DevSecOps life cycle

When I worked as a developer many years ago, we followed the waterfall software development life cycle (SDLC). My focus was always on satisfying functional or business requirements and implementing newer technical capabilities. Deployment happened once every 1 or 2 months. Huge monolithic applications were deployed over a weekend, with almost half the company on support standby, everyone praying the release went smoothly. The security teams got involved from a production monitoring perspective. They would conduct sporadic penetration tests on applications already deployed to production. The software security group (SSG), or the security team, was solely responsible for the security of our applications.

Streamlining development through DevOps

With the adoption of newer and faster development life cycles, the scenario has changed. Monolithic software has been broken down into microservices and containers, and clouds are replacing traditional environments. Automation has been instrumental in increasing the velocity of deployment, along with streamlining the entire process. The development and the operations roles have been merged into a DevOps capability. Boundaries between various development and operational teams have been vanishing to make DevOps a success. Anyone who has migrated from a waterfall SDLC to a modified agile or DevOps SDLC will also tell you that it requires a huge shift in mind-set. Without a massive cultural change, it is difficult for DevOps to thrive.

Where does security fit into DevOps?

However, what’s been missing from this new collaborative effort is security. Even though the DevOps mind-set ensures stable, faster throughput, the applications themselves may not be secure. DevOps practitioners argue that traditional security slows them down. But the risk is that security teams go missing from modified agile or DevOps cycles if they don’t hop on board this fast-moving train. And this is where the DevSecOps mind-set comes into the picture.

Embracing DevSecOps

Security is no longer solely the SSG’s responsibility. It is everyone’s responsibility. Building security in, starting from product conception, decreases remediation time while making the product safer, lowering costs in the long run. Instead of measuring only how long it takes for the pipeline to build, quality-test, and deploy software, DevOps organizations must start measuring the baseline with security activities included in the overall pipeline.

Building your DevSecOps pipeline: 5 essential activities

Application security is a subset of application quality: Quality metrics must include application security metrics, and quality tests must include security tests. The DevSecOps mind-set makes this easier to enforce. Once developers and operations start owning the security of their software, friction between all these teams decreases.


Posted in Agile, CI/CD & DevOps


SAST vs. DAST: What’s the best method for application security testing?

High-profile security breaches are leading to heightened organizational security concerns. Firms around the world are now observing the consequences of security breaches that are becoming more widespread and more advanced. Due to this, firms are ready to identify vulnerabilities in their applications and mitigate the risks.


Posted in Static Analysis (SAST), Web Application Security


Static analysis tools: Are they the best for finding bugs?

Before we can dig deeper into the topic of static analysis, we must first understand how it works. Once a foundation has been established, we’ll then analyze a variety of scenarios to determine when static analysis tools are the best method to find security bugs.

What is static analysis?

Static analysis refers to the examination of a piece of software without executing it. In the world of security, it refers to discovering security-related bugs in software without actually running the software. Static code analysis is a white-box method of testing, meaning that the tester has access to the underlying framework, design, and structure of the software. The process typically includes examining the code structure, studying the various data and control flows, and referring to the configuration settings to discover various types of security bugs.

Static analysis tools vs. manual review

Static code analysis can be automated or conducted manually. An automated review uses static analysis tools to discover bugs. It is faster than a manual review and generally provides better code coverage. Static analysis tools are effective at finding common security bugs. A manual review, on the other hand, is better at discovering complex bugs such as those related to authentication. The manual approach can also be very effective at analyzing business logic for security bugs. Manual reviews take more time, but they’re more thorough, and the bugs discovered have a very high confidence rate.

Considerations for static analysis tools

Static analysis tools provide developers with accurate and timely code feedback and are often integrated near the end of the software development life cycle (SDLC). Tools can provide excellent insight into the quality of the developed code.


Posted in Static Analysis (SAST)