As app development becomes more complex and incorporates more features than ever, it is critical to make sure security testing is embedded in your software development life cycle (SDLC). The appetite for faster release cycles has never been greater, but even if your organisation is rushing to production, code needs to be secure before it is deployed.
Security breaches are on the rise – the 2018 Cyber Security Breaches Survey found that 43% of UK businesses had experienced a cyberattack or breach in the past year – so robust vulnerability testing throughout the development lifecycle is a necessity that is almost certain to provide a big return-on-investment.
A secure SDLC is a standardised set of best-practice guidelines for software or app development which aims to surface and fix security issues as early as possible. Integrating vulnerability screening into your software development life cycle is much more effective and less costly than multiple cycles of patching and retesting at the end of development.
Concentrating on fixing vulnerabilities throughout the development lifecycle means that developers spend less time fixing code that they wrote in the past, and it makes it easier to mitigate problems as quickly and cheaply as possible. Going back to fix security flaws after software is deployed can be a time-consuming and costly process.
Requirements and Design – Keeping the requirements and design phase secure involves searching for problems within the chosen architecture of an app, usually using threat modelling. A solid threat model will consider how a system could be attacked, and then try to mitigate those potential threats in the design before coding even starts. The design phase bridges the ‘what’ and the ‘how’ of software creation, and since many security flaws stem from design decisions rather than coding mistakes, it is imperative that this phase is carried out with security in mind. Part of mitigating potential threats is selecting the right security tools for the later stages of development, including robust vulnerability detection aids such as AppCheck.
Development – To write secure code, developers need to be aware of, and apply, security best practices and implementation tools. A good SDLC defines a secure coding guide which sets out expectations and provides guidance for specific issues, as well as putting tools in place to spot and mitigate vulnerabilities. A sophisticated scanning engine, like AppCheck, can perform a thorough assessment of the major web application vulnerability classes, including those defined in the OWASP Top Ten.
Testing – The test phase is the most rigorous in terms of detecting vulnerabilities and security flaws, but it will run more smoothly if the SDLC has been followed and continuous integration has been taking place. The test phase should include formal test plans, security testing and further vulnerability scanning. AppCheck has been developed by working closely with some of the UK’s leading penetration testers to ensure each scanning module has maximum detection accuracy and the minimum of false positives.
Release/response – Security does not end at deployment – new vulnerabilities are disclosed all the time and it’s imperative to be able to detect, respond to and mitigate them. Ongoing vulnerability scanning will help you stay on top of new bugs and exposures, allowing your team to fix them in a timely manner before the damage they cause can escalate.
Our JSON API allows scans and vulnerabilities to be handled within a managed network from the very start of the development process. Developers can hook into AppCheck via HTTP requests, and there is no limit on the number of user accounts available. The API returns JSON over HTTP: data is read with simple requests to well-defined URLs, and data is set with POSTs.
AppCheck integrates with Jenkins and TeamCity, so scans can be started and their results consumed directly from the build server through the same API.
AppCheck’s JIRA integration simplifies the process of managing detected vulnerabilities – any vulnerability discovered by AppCheck is raised in JIRA as an issue against the affected code, and issues closed in JIRA are closed in AppCheck at the same time. Checks are also in place to prevent AppCheck from re-raising vulnerabilities that have already been resolved, avoiding duplicated work.
To keep production running smoothly, and throughout the test phase, AppCheck includes scheduled stop/start scanning and the tracking of vulnerabilities between scans. It also issues alerts upon discovery of any high impact vulnerabilities and emails notifications of scan findings.
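To make the workflow behind these integrations concrete, here is an added example of a build-server gate written for this page. It is not AppCheck’s own API or client: the endpoint paths (`/scans`, `/scans/{id}`, `/scans/{id}/vulnerabilities`), the JSON field names, the bearer-token header and the sample responses are all assumptions constructed for illustration. The script starts a scan with a POST, polls for completion with GETs, compares the findings with the previous scan so that only new issues need tickets and resolved ones can be closed, and fails the build if any high-impact vulnerability remains.

```python
"""Build-server gate around a JSON-over-HTTP vulnerability scanner API.

Example written for this article. Endpoint paths, JSON field names and the
bearer-token header are ASSUMED for illustration; they are not a documented API.
"""
import json
import time
import urllib.request
from dataclasses import dataclass

# Severities that block a release; tune to the organisation's risk appetite.
BLOCKING_SEVERITIES = frozenset({"critical", "high"})


@dataclass(frozen=True)
class Finding:
    title: str
    severity: str
    url: str

    def key(self):
        # Identity of an issue across scans: same vulnerability class at the same
        # location. Matching on this rather than on a per-scan id is what lets
        # fixed items be closed and persisting items be recognised, not re-ticketed.
        return (self.title.strip().lower(), self.url.strip().lower())


def http_json(method, url, token, body=None):
    """JSON over HTTP: GET to read data, POST with a JSON body to set data."""
    data = json.dumps(body).encode() if body is not None else None
    req = urllib.request.Request(url, data=data, method=method, headers={
        "Authorization": f"Bearer {token}",  # assumed auth scheme
        "Accept": "application/json",
        "Content-Type": "application/json",
    })
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)


def parse_findings(payload):
    """Normalise a results document into Finding objects (field names assumed)."""
    return [Finding(v["title"], v["severity"].lower(), v["url"])
            for v in payload.get("vulnerabilities", [])]


def diff_scans(previous, current):
    """Track vulnerabilities between scans: (new, carried over, resolved)."""
    prev = {f.key(): f for f in previous}
    cur = {f.key(): f for f in current}
    new = [f for k, f in cur.items() if k not in prev]
    carried = [f for k, f in cur.items() if k in prev]
    resolved = [f for k, f in prev.items() if k not in cur]
    return new, carried, resolved


def gate(findings, blocking=BLOCKING_SEVERITIES):
    """Decide whether the build may proceed: (passed, blocking_findings)."""
    bad = [f for f in findings if f.severity in blocking]
    return (not bad, bad)


def run_gate(base_url, token, target_url, previous_scan_id,
             fetch=http_json, poll_seconds=30, max_polls=120):
    """Start a scan, wait for it, diff against the previous scan and gate the build.
    `fetch` is injectable so the whole flow can be exercised offline."""
    scan_id = fetch("POST", f"{base_url}/scans", token, {"target": target_url})["id"]
    for _ in range(max_polls):
        state = fetch("GET", f"{base_url}/scans/{scan_id}", token)["state"]
        if state == "complete":
            break
        if state == "failed":
            raise RuntimeError(f"scan {scan_id} failed")
        time.sleep(poll_seconds)
    else:
        raise TimeoutError(f"scan {scan_id} did not finish in time")
    current = parse_findings(fetch("GET", f"{base_url}/scans/{scan_id}/vulnerabilities", token))
    previous = parse_findings(fetch("GET", f"{base_url}/scans/{previous_scan_id}/vulnerabilities", token))
    new, carried, resolved = diff_scans(previous, current)
    passed, blocking = gate(current)
    return {"scan_id": scan_id, "passed": passed, "blocking": blocking,
            "new": new, "carried": carried, "resolved": resolved}


# Constructed sample responses so the gate can be run without a real scanner.
SAMPLE_RESPONSES = {
    ("POST", "/scans"): {"id": "scan-2"},
    ("GET", "/scans/scan-2"): {"state": "complete"},
    ("GET", "/scans/scan-1/vulnerabilities"): {"vulnerabilities": [
        {"title": "SQL Injection", "severity": "High", "url": "https://app.example/search"},
        {"title": "Missing HttpOnly flag", "severity": "Low", "url": "https://app.example/login"},
    ]},
    ("GET", "/scans/scan-2/vulnerabilities"): {"vulnerabilities": [
        {"title": "Missing HttpOnly flag", "severity": "Low", "url": "https://app.example/login"},
        {"title": "Reflected XSS", "severity": "High", "url": "https://app.example/profile"},
    ]},
}


def fake_fetch(method, url, token, body=None):
    """Offline stand-in for http_json that serves the constructed responses above."""
    return SAMPLE_RESPONSES[(method, url[len("https://scanner.example"):])]


def demo():
    return run_gate("https://scanner.example", "example-token", "https://app.example",
                    "scan-1", fetch=fake_fetch, poll_seconds=0)


if __name__ == "__main__":
    result = demo()
    print("build passed:", result["passed"])
    for label in ("new", "carried", "resolved", "blocking"):
        print(f"{label}: {[f.title for f in result[label]]}")
```

In a real pipeline the build step would call `run_gate` with the scanner URL and a token from the CI secret store, raise a ticket only for `new`, close tickets for `resolved`, and exit non-zero when `passed` is false so the release does not proceed with a high-impact finding outstanding.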
In a climate where vulnerabilities reported increased by 120% last year, modern app companies cannot afford to let security slide. Integrating a dynamic, comprehensive vulnerability assessment and analysis tool such as AppCheck into a strong secure development lifecycle is the best way to take a serious stance on tackling bugs and hacks. Talk to us today to find out how we can help you mitigate vulnerabilities effectively and keep all your development robust and secure.