How to Ensure Web Application Security during the delivery cycle (2)

Source: Internet
Author: User

Benefits of hybrid testing for Web applications

Combining analysis methods in software testing can greatly improve efficiency. A plug-in integrated into the development environment warns developers as soon as a coding error is found. Static analysis, also known as "white box" testing, is used by developers and auditors before the different modules are assembled into the final product.

Static analysis provides an internal inspection and analysis of the application at the code level. It is very effective for discovering syntactic errors and code-level defects, but it is not well suited to determining whether a defect will lead to an exploitable vulnerability.

Dynamic analysis and manual penetration testing are effective for verifying whether an application is vulnerable to attack. Also called "black box" testing, this approach inspects and analyzes the application from the outside, as an external party would, and can perform in-depth checks on applications already in production to determine whether a vulnerability is easy for an attacker to exploit. However, dynamic testing can only be used in the later stages of software development, once a build exists. Another limitation is that it is difficult to trace a vulnerability found dynamically back to the source code that causes it.

This is why static and dynamic testing are combined into hybrid, or "gray box", testing. By combining code-level internal check results with dynamic external check results, you get the advantages of both techniques. Static and dynamic evaluation tools enable managers and developers to prioritize applications, modules, and vulnerabilities, and to handle the problems with the greatest impact first.

Another advantage of the combined approach is that vulnerabilities identified by dynamic testing can be traced back to specific code lines or code blocks using static tools. This facilitates communication between the test and development teams, and makes it easier for security and test experts to give developers specific, actionable remediation guidance.

Building security into the software life cycle: a practical method

Building in security requires people, processes, technologies, and methods. Although there are many tools that can help automate Web application security, if there is no proper process and no well-trained personnel to create and test Web applications, then no tool will help.

This process should include a formal software development cycle and published policies. In addition, it is important to define roles for all developers and to assign inspection and supervision responsibilities. Security and business stakeholders should be represented at every stage of the software development cycle, so that risk can be managed at every step.

Throughout the entire software development cycle, education is an ongoing and beneficial theme. Education is very important for developers and benefits everyone involved in Web application development, because security awareness must be built both top-down and bottom-up. Do not underestimate the importance of educating administrators so that they recognize how Web application vulnerabilities affect the enterprise.

Telling a manager that a Web application is vulnerable to cross-site request forgery (CSRF) may leave them confused, but showing them how a software error may result in leakage of customer data helps make the tangible consequences of insecure Web applications clear. Specific cases and metrics should be prepared to clarify potential cost savings. For example, show how investing in developer training and in a static analysis plug-in for the IDE, which checks code before developers check it in, prevents the root causes of data leakage in software applications.

Auditors and evaluators benefit from learning common coding errors, how to evaluate their consequences, and the dependencies in the Web application's "ecosystem" (including backend support systems, existing security controls, and any other service or application in the environment). Testers and quality assurance experts should be familiar with misuse cases and know how misuse differs from standard use of the application. They should also know how to interpret security test results and prioritize the findings as needed.

Focusing on specific steps in the software development cycle creates an opportunity to increase efficiency while implementing security and risk management.

Web application design requirements

Web application designers are very familiar with defining functions and business needs, but do not necessarily understand how to define security requirements. This is where the entire team needs to work together to determine which security controls are critical to the final Web application.

Steps to integrate security into the requirements phase

1. Discuss and define security requirements according to company policies, compliance obligations, and regulations.

2. The security and audit team should evaluate business needs and Web application functions, and develop misuse cases to be used during testing and acceptance.

This has two advantages: security and compliance violations are eliminated or reduced in advance, and deployment time is reduced.
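As an added illustration that is not part of the original article, one way to turn such a misuse case into an executable acceptance test, here for the CSRF scenario mentioned earlier; the session model, the two handlers and the account balances are constructed for the example:

```python
import hmac
import secrets
from dataclasses import dataclass, field

# Constructed, minimal model of a session-bound form POST (not a real framework).
@dataclass
class Session:
    user: str
    csrf_token: str = field(default_factory=lambda: secrets.token_hex(16))

@dataclass
class Request:
    session: Session   # attached by the browser's cookie, even on a forged request
    form: dict

def transfer_handler(req: Request, balances: dict) -> str:
    """Hardened handler: state changes only when the form token matches the session."""
    token = req.form.get("csrf_token", "")
    if not hmac.compare_digest(token, req.session.csrf_token):
        return "403 csrf check failed"
    balances[req.session.user] -= int(req.form["amount"])
    return "200 ok"

def unchecked_transfer_handler(req: Request, balances: dict) -> str:
    """Handler missing the control; the misuse case below should flag it."""
    balances[req.session.user] -= int(req.form["amount"])
    return "200 ok"

def csrf_misuse_case(handler) -> dict:
    """Misuse case: a cross-site form POST that carries the victim's session but
    not the per-session token. Pass criterion: rejected and balance unchanged."""
    victim = Session(user="alice")
    balances = {"alice": 100}          # constructed sample account
    # Standard use case: the site's own form includes the session token.
    normal = Request(victim, {"amount": "10", "csrf_token": victim.csrf_token})
    normal_status = handler(normal, balances)
    # Misuse: a third-party page cannot read the token, so its form lacks it.
    forged = Request(victim, {"amount": "90"})
    forged_status = handler(forged, balances)
    return {
        "normal_status": normal_status,
        "forged_status": forged_status,
        "balance": balances["alice"],
        "passed": forged_status.startswith("403") and balances["alice"] == 90,
    }
```

Running the same misuse case against both handlers shows how an acceptance criterion written in the requirements phase distinguishes a handler that implements the control from one that does not.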
