Are Your Developers Writing Secure Code? Give Them The Right Tools
At the recent Black Hat conference in Las Vegas, keynote speaker Dan Kaminsky of security firm White Ops argued that for developers to create secure code, they need better tools. As noted by Network World, Kaminsky believes that it’s time to toss the notion of application safety stemming exclusively from the type of code used — ditching C for Python solves some problems, but isn’t a cure-all. If the end-user experience suffers as a result, companies will often pass on security to get their app out the door. Bottom line? Your developers want to write secure code; here are four tools to help them do it.
First up? Start with existing standards, for example the OWASP Top 10, the IEEE P1074 Workgroup-Standard for Developing Software Life Cycle Processes, or NIST’s Special Publication 800-64. By understanding the ideal result, you can spot any disconnect between your current development process and that target, and make the needed corrections. Ideally, checking your practice against a standard should be an ongoing exercise backed by training rather than a one-off audit; application security is never a static discipline.
Next up in the effort to protect your applications and secure your code? Address the problem of access. During the development stage, unfettered access for devs and admins is a requirement. However, too many apps make it to market with “stock” access settings still intact: default administrative accounts, credentials and permissions that were convenient during development but were never revoked or scoped down before release. Those apps go on to experience security issues when hackers take advantage of the factory admin settings to gain entry. Identity and access management (IAM) tools, such as SailPoint, can help reduce the risk of granting total access to malicious actors.
Test, Test, Test
As noted above, writing secure code isn’t just about the language developers use: every change can introduce new weaknesses, and not only in the code being touched. One way to address this is through cloud-based testing tools that let you test applications on the fly at any stage of development. Solutions such as Veracode let you evaluate web, mobile and even third-party apps on demand to discover where they meet industry standards and where they’re coming up short. Because the tool is cloud-based, testing can happen anytime and anywhere rather than only at specific milestones. The result? More flaws detected earlier, meaning quicker corrections and less time lost.
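The two points above, that “stock” access settings should never reach production and that checks should run at every stage rather than at a milestone, combine naturally into a small policy gate that runs on every commit. The following is an added example written for this article; it is not code from the article or from any vendor it names. The JSON configuration format, the account and console fields, the placeholder-secret list and both sample configs are constructed for the illustration.

```python
"""Pre-release gate that blocks a build while 'stock' access settings remain.

Added example, not part of the original article. The config format and
the rules are assumptions made for this illustration; a real gate would
load its policy from a reviewed source rather than from constants.
"""
import json

# Constructed list of placeholder secrets that templates and scaffolds
# commonly ship with.
PLACEHOLDER_SECRETS = {"", "admin", "password", "changeme", "default"}


def find_stock_access_settings(config: dict) -> list[str]:
    """Return one human-readable finding per 'stock' access setting found."""
    findings = []
    for account in config.get("accounts", []):
        name = account.get("name", "<unnamed>")
        enabled = account.get("enabled", True)
        if account.get("builtin", False) and enabled:
            findings.append(f"built-in account '{name}' is still enabled")
        if not enabled:
            continue  # a disabled account cannot be used to log in
        if account.get("password", "").strip().lower() in PLACEHOLDER_SECRETS:
            findings.append(f"account '{name}' uses a placeholder password")
        if "*" in account.get("roles", []):
            findings.append(f"account '{name}' holds the wildcard role '*'")
    console = config.get("admin_console", {})
    if console.get("debug", False):
        findings.append("admin console debug mode is on")
    if console.get("listen") in ("0.0.0.0", "::"):
        findings.append("admin console listens on all interfaces")
    return findings


def check_config_text(config_text: str) -> list[str]:
    """Parse a JSON deployment config and return its findings."""
    return find_stock_access_settings(json.loads(config_text))


def release_gate(config_text: str) -> bool:
    """True when the config is clean enough to ship; False blocks the pipeline."""
    return not check_config_text(config_text)


# Constructed sample: the settings a team typically runs with during development.
DEV_CONFIG = """
{
  "environment": "dev",
  "accounts": [
    {"name": "admin", "builtin": true, "enabled": true,
     "password": "admin", "roles": ["*"]},
    {"name": "svc-deploy", "builtin": false, "enabled": true,
     "password": "kX7!v2pQ-constructed", "roles": ["deploy"]}
  ],
  "admin_console": {"listen": "0.0.0.0", "debug": true}
}
"""

# Constructed sample: the same application with access scoped down for release.
RELEASE_CONFIG = """
{
  "environment": "prod",
  "accounts": [
    {"name": "admin", "builtin": true, "enabled": false,
     "password": "", "roles": []},
    {"name": "svc-deploy", "builtin": false, "enabled": true,
     "password": "kX7!v2pQ-constructed", "roles": ["deploy"]}
  ],
  "admin_console": {"listen": "127.0.0.1", "debug": false}
}
"""

if __name__ == "__main__":
    for label, text in (("dev", DEV_CONFIG), ("release", RELEASE_CONFIG)):
        findings = check_config_text(text)
        print(f"{label}: {'PASS' if not findings else 'FAIL'}")
        for finding in findings:
            print("  -", finding)
```

Wired into a CI job, `release_gate` fails the pipeline on the development configuration (five findings: the enabled built-in account, its placeholder password, its wildcard role, debug mode and the console bound to all interfaces) and passes the release configuration, so the check runs on every change instead of waiting for a pre-launch review.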
As noted by DZone, another great developer security tool is the virtual private cloud (VPC). By spinning up a VPC with the same security framework as existing networks, it’s possible to test your application in development without any risk to critical hardware. Better still? Developers get the ability to put their app through its paces in various compute environments, since VPCs are limited only by your imagination — spin up any testing situation to see what happens, then collapse the instance and try again. Going virtual gives you the ability to streamline app development without limiting security.
You want better application security; developers want to deliver projects on time and on budget. By tapping security standards and leveraging tools such as IAM, cloud-based testing and VPCs, you can increase InfoSec without hampering innovation.