As cybersecurity risks steadily increase, application security has become crucial. That means secure coding practices must be part of every developer’s skill set. Craig De Lucchi, Account Director at CA Southern Africa, explains that how code is written, and the steps taken to update and monitor it, have a big impact on organisations and their applications.
“There are a number of steps that developers can take to help secure software containers, such as enforcing the use of trusted container image repositories, eliminating image clutter by continuously monitoring what’s inside the container, and using secrets management tools to protect sensitive data,” said De Lucchi, confirming that scanning software containers for vulnerabilities is also critical.
“Historically, it was standard practice for security teams to perform testing near the end of a project and then hand the results over to developers for remediation. But best practices direct that tackling a list of fixes just before the application is scheduled to go to production is no longer acceptable as it increases the risk of a breach. The tools and processes necessary for manual and automated testing during coding are what’s required.”
Additional Veracode software testing services include:
- Veracode Static Analysis IDE Scan is a solution that runs in the background of a developer’s IDE to provide immediate alerts and feedback about potential flaws as code is being written
- Veracode Dynamic Analysis is a web application scanner service that inventories all public-facing web applications and performs both lightweight, production-safe scans and deep scans to identify potential vulnerabilities
Veracode Static Analysis is an easy-to-use testing methodology that lets developers quickly scan web, mobile and desktop applications. With Veracode Static Analysis, developers can quickly identify and remediate vulnerabilities like cross-site scripting and SQL injection without having to manage a tool.
Its patented technology scans binaries, eliminating the need for access to source code. Results are provided within four hours for 80% of scans and 90% of scans are completed within a day. With highly accurate results that are prioritised based on severity and include a step-by-step remediation plan, developers can fix flaws faster while avoiding wasting time on false positives.
CA Southern Africa and Veracode recommend the following best practice security guidelines:
- Data protections – they should be on your radar from the outset
- Up front, agree upon what defines ‘completion’ of a project
- Consider the OWASP Application Security Verification Standard as a guide to defining security requirements and generating test cases
- Get involved with the security team to ensure testing methods will fix defects
- Build proactive controls into stubs and drivers
- Integrate security testing in continuous integration to create fast, automated feedback loops
- Add a security champion to each development team – this is a developer with an interest in security who helps amplify the security message at the team level
Security champions don’t need to be security professionals; they just need to act as the security conscience of the team, keeping their eyes and ears open for potential issues.