Nearly every organization tackling software security today is working on automating code review. However, the challenge most firms are running into now is how to scale this process with industrial-strength static analysis code review tools like HP Fortify, IBM AppScan, and Coverity.
The latest SearchSecurity article from Gary McGraw, Synopsys, and Jim Routh, CISO, Global Information Security function leader at Aetna, shares first-hand experience and insight into how to scale code review. Over the past several years, Jim Routh has led five separate software security initiatives at five different companies, including American Express, JP Morgan Chase, and now Aetna. With each subsequent software security deployment, he has learned more about which practices are effective—and which approaches to avoid. This experience has informed Jim’s views on integrating code review tools into the software development process.
Back at American Express, Jim envisioned (and still does today) software developers using a code review tool that didn’t involve someone from the security team analyzing (and prioritizing) the findings. However, as industrial-strength code review tools have evolved and matured, they have moved farther away from the developer’s desktop. Centralized code review on big build servers hurts productivity, especially in agile development environments.
So how can you scale code review? Part of the answer lies in giving developers tools to run vulnerability scans while they code. The other part? Read “Software [in]security and scaling automated code review” to learn how Jim has approached secure code review across his software security initiatives and how he plans to reduce his application portfolio risk without the cost of industrial-strength code review tools.
All businesses depend on software; some software is developed internally while the rest comes from third-party software service providers and commercial off-the-shelf software (COTS) vendors. While organizations can hope the software from third parties is built securely, hope isn’t a viable security strategy—which means firms need to develop an effective third-party security strategy to reduce the risk of exposure of customer and company information.
Or: The ugly baby phenomenon and why you should not focus on false positives