From the course: Static Application Security Testing

Security in the SDLC

- [Instructor] In order to determine where and how to integrate your AppSec testing activities, you need to think in terms of the software development lifecycle, or SDLC. The SDLC is a big-picture concept that you can break down into three discrete activities: conceptualize the application (what do you want it to do?), develop the application (write the actual code), and release the application to the intended user population.

So let's consider the SDLC from a developer's point of view for a second. Where exactly does security fit in? To answer that question, the best advice I can give you is something I picked up in Stephen Covey's book "The 7 Habits of Highly Effective People": seek first to understand, then to be understood. Developers have a lot of competing priorities. Imagine someone approaches you and says, "Hey, I need you to build me this thing. I'm not exactly sure what it should look like, but I'll know it when I see it. Here's a list of loosely defined features. You don't have a lot of time or money to get this done, and I needed this done two weeks ago. Can you have it to me by Friday?" Now imagine that person walks away and someone else immediately steps in and says, "Oh, yeah. Can you make sure that thing you build is secure?" Stressful, right?

You can help your developers understand how to integrate security testing into an already overwhelming development process if you break security down into manageable chunks. Think of that big, nebulous thing we call security as four distinct security touchpoints within the SDLC:

1. Review the related documentation for security language, including contracts with third parties who are writing apps on your behalf.
2. Review the source code for security vulnerabilities.
3. Review the QA process to ensure that it includes security tests.
4. Review the deployed applications for exploitable weaknesses.

Static testing focuses on the first two touchpoints in this list, while bleeding a little into the third. It's best to start with static testing for a few reasons. First, it's much less expensive to address security issues before you deploy an application to production. Second, security built in at the beginning is often more effective than security bolted on after the fact. And third, static testing doesn't come with the risk of breaking a production application. These are all low-impact, high-value activities.

The key to building effective static tests is balance. Take time to understand the development process from the developer's point of view. Analyze the market conditions that might affect your testing: things like accelerating schedules to release a competing application, or outsourcing development and hosting to keep internal costs down. Take a look at the skills of both the developers and the security testers. Figure out everyone's strengths and weaknesses, and don't make assumptions about what your teams can do. Be mindful of all these things when designing your tests. Find the right balance among them and your testing efforts are much more likely to yield positive results. This approach will enable you to integrate security testing more effectively into the SDLC, reducing both the likelihood and the impact of security issues later on.