Secure Software Design and Development
Too many organizations make headlines now because of insecurities or bugs in their software, and many of those news stories trace a data breach back to a vulnerability in an application or a software package. Secure software design and development aims to reduce the attack surface that these kinds of vulnerabilities create.
Static vs. Dynamic Scanning
Catching software vulnerabilities before they can be exploited is the job of software scanners. Static application security testing (SAST) analyzes the source code (or bytecode) before the application is built and run. A static scan can identify insecure coding practices that peer review may miss, such as OS commands or SQL built from user-supplied strings and hard-coded credentials, and when paired with dependency analysis it can also flag libraries with known vulnerabilities. Catching these weaknesses early in the process means they are cheaper to fix and far fewer of them reach deployment. A clean static scan does not by itself prove the codebase secure, however: it cannot see runtime configuration, and it produces false positives that still need triage.
Dynamic application security testing (DAST) checks the application after it has been compiled and deployed, by exercising it as a running system rather than reading its code. Most attackers will not have access to source code, so they rely on vulnerabilities reachable in the deployed application; a dynamic scanner takes that same outside-in view, sending test payloads across multiple attack vectors and watching how the application responds. Dynamic scanning can provide a big-picture view of the application and its infrastructure and show which of the implemented security controls actually hold up under attack. The two approaches are complementary: a static scan can flag a dangerous call in code that is never reached, while a dynamic scan can reveal a flaw, such as unescaped reflected input, that no source pattern matches. The following figure shows a dynamic scan of an application in production and the vulnerabilities identified.
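To make the static/dynamic distinction concrete, here is a small added example (written for this page; it is not from the original course material or any product) that implements a toy version of each scanner side by side. The static side walks a Python AST and flags insecure call patterns; the dynamic side never sees the source, it just feeds attack payloads to a running handler and checks what comes back. The sample source, the `DANGEROUS_CALLS` list, the XSS probe strings and the `greet`/`greet_hardened` handlers are all constructed for the demonstration. The point it shows is complementarity: the static scan finds the `shell=True` call in `ping` (which the dynamic probe never reaches), while the dynamic probe finds the unescaped reflection in `greet` (which matches no static pattern).

```python
"""Toy static vs. dynamic application scanning (added example, not original page code)."""
import ast
import html

# Constructed sample source for the static scanner. ping() has a textbook
# pattern (shell=True with user input); greet() has a logic flaw that no
# call-pattern list catches (user input reflected into HTML unescaped).
SAMPLE_SOURCE = '''
import subprocess

def ping(host):
    return subprocess.run("ping -c1 " + host, shell=True)

def greet(name):
    return "<h1>Hello " + name + "</h1>"
'''

# Callee names treated as dangerous by the static pass (constructed list).
DANGEROUS_CALLS = {"eval", "exec", "pickle.loads", "yaml.load", "os.system"}


def _call_name(node: ast.Call) -> str:
    """Return the dotted callee name, e.g. 'subprocess.run', or '' if unknown."""
    if isinstance(node.func, ast.Name):
        return node.func.id
    if isinstance(node.func, ast.Attribute) and isinstance(node.func.value, ast.Name):
        return f"{node.func.value.id}.{node.func.attr}"
    return ""


def static_scan(source: str) -> list[tuple[int, str]]:
    """Static pass: parse the source and report insecure call patterns by line."""
    findings = []
    for node in ast.walk(ast.parse(source)):
        if not isinstance(node, ast.Call):
            continue
        name = _call_name(node)
        if name in DANGEROUS_CALLS:
            findings.append((node.lineno, f"dangerous call {name}()"))
        for kw in node.keywords:
            # shell=True hands the whole command line to a shell; if any part of
            # it is user-controlled, that is a command injection.
            if kw.arg == "shell" and isinstance(kw.value, ast.Constant) and kw.value.value is True:
                findings.append((node.lineno, f"{name}() invoked with shell=True"))
    return findings


# Constructed reflected-XSS probes for the dynamic pass.
XSS_PROBES = ['<script>alert(1)</script>', '"><img src=x onerror=alert(1)>']


def dynamic_probe(handler, probes=XSS_PROBES) -> list[str]:
    """Dynamic pass: send each payload to the running handler and flag any that
    come back verbatim in the response body. Black-box: no source access."""
    findings = []
    for payload in probes:
        body = handler(payload)
        if payload in body:
            findings.append(f"payload reflected unescaped: {payload}")
    return findings


def greet(name: str) -> str:
    """Vulnerable handler (same logic as greet() in SAMPLE_SOURCE)."""
    return "<h1>Hello " + name + "</h1>"


def greet_hardened(name: str) -> str:
    """Fixed handler: HTML-encode user input before placing it in markup."""
    return "<h1>Hello " + html.escape(name, quote=True) + "</h1>"


if __name__ == "__main__":
    print("static findings:", static_scan(SAMPLE_SOURCE))
    print("dynamic findings (vulnerable):", dynamic_probe(greet))
    print("dynamic findings (hardened):", dynamic_probe(greet_hardened))
```

Run as a script, the static pass reports only the `shell=True` call on line 5 of the sample and says nothing about `greet`, while the dynamic probe reports both payloads reflected by `greet` and none by `greet_hardened`. A real SAST tool adds taint tracking so it could also connect `name` to the HTML sink, and a real DAST tool adds crawling and a far larger payload corpus, but the division of labour is the same.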
Reflections
Looking back at what I learned in this course, I found it directly applied to my current position. While I had always been tangentially involved in code deployment and scanning, this course provided me with greater depth and understanding of the importance of being actively involved in scanning software both prior to and post compilation and deployment. Being a good steward of the applications that customers interface with is of paramount importance. Many of the breaches discussed today stem from existing vulnerabilities in code that have been exploited to access confidential information. As a seasoned security practitioner it is my responsibility to work with developers and engineers to minimize the risk to the organization and shrink the threat landscape for the organization.
References are provided in the Reference Link Library