Sparrow helps stop security vulnerabilities while you code

A recent article by Maria Cosgrove in CSO asked the question “Wouldn’t it be nice if software developers had something like spellcheck, but instead of catching simple grammar mistakes, it caught basic security problems?”

Very good question, especially when you consider all the cybersecurity problems and attacks we have seen in recent months. The reality is that developers are still writing software with security vulnerabilities. As project timelines contract and more people get involved, the development cycle becomes more complex and more prone to problems. If the problems were rarely seen bugs, it would be one thing, but why are there so many basic errors in so much software?

Ron Arden, Executive Vice President at Fasoo, was quoted in the article saying, “Today’s integrated development environments can already catch common syntax errors, like missing semicolons.  If there’s a function you’re using, it shows the parameters, but it won’t tell you if there’s a SQL injection or cross-site scripting error.”

So back to the original question: a tool like a spellchecker that would identify these problems and help eliminate them. It would help developers fix vulnerabilities immediately and also learn to write more secure code in the process.

Traditionally, companies test software for vulnerabilities after it has been written, during a QA process, but that can be too late, since it introduces too many problems and delays in the development cycle. A better approach is to use application security testing during code development to detect security vulnerabilities with an analysis engine based on semantic and syntactic methods. This not only improves the code, but also helps meet a strict set of compliance requirements that follow CWE, OWASP, CERT and other international standards.
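As an added illustration, not code from the article and not Fasoo's SPARROW engine, the sketch below shows what a combined syntactic and semantic check for SQL injection (CWE-89) looks like in Python. The syntactic part recognizes `execute()` calls and the string-building forms (concatenation, `%`, f-strings, `str.format()`) used for the query text; the semantic part tracks which variables carry untrusted input and whether it reaches that text. A query with constant SQL and a separate parameter tuple is left alone. The taint sources listed, the treatment of every function parameter as untrusted, and the sample source being scanned are all assumptions constructed for this example.

```python
"""Minimal SAST-style checker for SQL injection (CWE-89), written as an illustration."""
import ast
from dataclasses import dataclass

# Assumed taint sources: builtin input() and Flask-style request getters.
TAINT_SOURCES = {"input", "request.args.get", "request.form.get"}


@dataclass
class Finding:
    line: int
    cwe: str
    message: str


def _dotted_name(node: ast.AST) -> str:
    """Render a call target such as request.args.get as a dotted string."""
    parts = []
    while isinstance(node, ast.Attribute):
        parts.append(node.attr)
        node = node.value
    if isinstance(node, ast.Name):
        parts.append(node.id)
    return ".".join(reversed(parts))


def _describe(node: ast.AST) -> str:
    """Name the syntactic form used to build the query text (for the report)."""
    if isinstance(node, ast.JoinedStr):
        return "an f-string"
    if isinstance(node, ast.BinOp):
        return "string concatenation or % formatting"
    if isinstance(node, ast.Call) and isinstance(node.func, ast.Attribute) and node.func.attr == "format":
        return "str.format()"
    if isinstance(node, ast.Name):
        return f"the variable '{node.id}'"
    return "a dynamically built expression"


class SqlInjectionChecker(ast.NodeVisitor):
    """Syntactic part: find cursor.execute*() calls and how their SQL text was built.
    Semantic part: propagate taint from untrusted sources through assignments."""

    def __init__(self) -> None:
        self.tainted: set[str] = set()     # names known to carry untrusted data
        self.findings: list[Finding] = []

    def _is_tainted(self, node: ast.AST) -> bool:
        for sub in ast.walk(node):
            if isinstance(sub, ast.Name) and sub.id in self.tainted:
                return True
            if isinstance(sub, ast.Call) and _dotted_name(sub.func) in TAINT_SOURCES:
                return True
        return False

    def visit_FunctionDef(self, node: ast.FunctionDef) -> None:
        # Conservative assumption for the example: any parameter may be attacker-controlled.
        self.tainted.update(a.arg for a in node.args.args if a.arg != "self")
        self.generic_visit(node)

    def visit_Assign(self, node: ast.Assign) -> None:
        # Propagate taint through assignments such as query = "..." + username.
        if self._is_tainted(node.value):
            self.tainted.update(t.id for t in node.targets if isinstance(t, ast.Name))
        self.generic_visit(node)

    def visit_Call(self, node: ast.Call) -> None:
        func = node.func
        if isinstance(func, ast.Attribute) and func.attr in ("execute", "executemany") and node.args:
            query = node.args[0]
            # Constant SQL text is safe even when the parameter tuple is tainted:
            # the driver binds parameters instead of splicing them into the statement.
            if not isinstance(query, ast.Constant) and self._is_tainted(query):
                self.findings.append(Finding(
                    node.lineno, "CWE-89",
                    f"untrusted input reaches SQL text via {_describe(query)}; use a parameterized query"))
        self.generic_visit(node)


def check_source(source: str) -> list[Finding]:
    """Parse one module and return its CWE-89 findings ordered by line."""
    checker = SqlInjectionChecker()
    checker.visit(ast.parse(source))
    return sorted(checker.findings, key=lambda f: f.line)


# Constructed sample: two injectable queries followed by the parameterized form.
SAMPLE = '''\
def find_user(conn, username):
    cur = conn.cursor()
    query = "SELECT * FROM users WHERE name = '" + username + "'"
    cur.execute(query)
    cur.execute(f"SELECT * FROM users WHERE name = '{username}'")
    cur.execute("SELECT * FROM users WHERE name = %s", (username,))
    return cur.fetchall()
'''

if __name__ == "__main__":
    for f in check_source(SAMPLE):
        print(f"line {f.line}: {f.cwe}: {f.message}")
```

Run against the constructed sample, the checker reports lines 4 and 5 and stays silent on line 6, which is the behaviour an IDE-integrated check needs: the finding points at the exact statement and names the fix, so the developer corrects it while the code is still open.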

Because cyber attacks are usually thought of as targeting network weaknesses, organizations protect themselves with firewalls, intrusion prevention systems, and similar tools. Many of these attacks, however, target weaknesses in the software that companies develop and use. It is difficult to stop malware-related attacks once the software has been built and deployed. It is better to eliminate them earlier, by detecting security vulnerabilities in the source code while the software is being developed.

Another issue is the cost of fixing vulnerabilities after you release software. Studies show it can cost less than $1,000 to fix a bug during the coding process, but over $14,000 to fix it after release. This doesn’t take into account the remediation a customer needs to address any problems the bugs caused in the first place.

Checking for security vulnerabilities during development is the optimal approach and will help minimize potential problems before deployment. This dramatically reduces the attack surface of a production system and helps us all sleep better at night.

Pants Down

Technology has changed the way we live our lives. Whether we are at work, at home or outside, we have become dependent on our computers, mobile phones and the internet. On a daily basis, we all interact with a significant number of applications.

Demand for technology has led to an explosion of software we use daily, whether in the office or at home. Demand for new or updated functionality has shortened software release cycles, and application developers need to introduce new features rapidly to outpace the competition and meet customer demand. Given this reality, application security risk management can no longer be treated as a nice-to-have. It must be a mission-critical requirement at every company that develops software.

Gone are the days of long release cycles and infrequent updates. Application developers face increased pressure to release software, updates and new features, and this presents a significant security issue. While software companies focus primarily on user experience and business value, they often miss the importance of ensuring their applications are truly secure and free of vulnerabilities.

Surveys like the recent Ponemon Institute 2016 Application Security Risk Management Study indicate that basic security steps are often neglected – 48% of respondents said their organizations don’t take basic security measures. How can applications be secure without appropriate security testing?

Application security testing ensures that potential application security vulnerabilities are remedied before release and before users consume the software. Static Application Security Testing (SAST) is one of the tools that must be part of every application development company’s security risk management process.

Companies often associate SAST with a high volume of vulnerability findings that make remediation ineffective and time-consuming. Learn about Fasoo’s SPARROW capabilities:

  • SPARROW enables developers and quality/security managers to remediate flaws reported through code suggestions.
  • SPARROW’s Intelligent Alarm Clustering groups related vulnerabilities in source code with a unique ID enabling faster remediation.

Organizations must use SAST as part of their application security preparedness to reduce the risks introduced by their application infrastructure. SAST must be part of the security risk management practice of every company that develops applications.
