security testing activities in the development lifecycle
TRANSCRIPT
Security Activities in the Lifecycle
Shawn Gorrell, Lead Architect, FRB Atlanta
Outline
Code Reviews
Strengths/Weaknesses of Code Reviews
Penetration Testing
Strengths/Weaknesses of Penetration Testing
Static Code Analysis
Strengths/Weaknesses of SCA
Fortify SCA Walkthrough
Scan/Triage process
Q&A
Code Reviews
Source code inspections based on defined security/quality/standards checklists
Can be formal or informal
Strengths of Code Reviews
Standards enforcement mechanism (verify controls)
Learning/training opportunity
Easier to find all the content (dynamic tools can miss things)
Weaknesses of Code Reviews
Time/resource intensive
Requires specialized expertise (application, language/platform, security)
Human fallibility
Does not always “prove” the vulnerability
Penetration Testing
Simulated attack on application or network
Pentests are typically “black box” (no access to code)
Combination of dynamic tools and human testing (tools help find soft spots)
Strengths of Penetration Testing
Combination of tools and humans finds things that a single method won’t find
Requires less specialized expertise
Proves vulnerabilities
Weaknesses of Penetration Testing
Time/resource intensive
Pentest teams tend to be busy, so you need to plan things well in advance
Different combinations of tools and people can get different results on same application
Static Code Analysis (SCA)
Automated white-box testing tool that analyzes source/object code without execution
Though the code does not execute, SCA does data flow analysis (source/sink)
Identifies code errors, complexity metrics and security issues
Can be integrated into build/deploy processes (continuous integration)
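As an added illustration of the source/sink data flow analysis described above (this is example code written for this transcript, not Fortify's engine or any code from the talk), the following toy analyzer walks a Python program's syntax tree with the standard-library ast module, follows attacker-controlled input through assignments and string concatenation, and reports the line on which it reaches a dangerous call. The source, sink and sanitizer names are assumptions chosen for the example, and the sample program is constructed and is only parsed, never run.

```python
"""Toy source-to-sink data flow (taint) analysis over Python source, built on
the standard-library ``ast`` module.  It shows what a static analyzer does
without running the code: follow attacker-controlled input through
assignments until it reaches a dangerous call, and report the exact line.
Added example, not Fortify's engine; the source, sink and sanitizer names
below are assumptions chosen for the illustration."""
import ast
from dataclasses import dataclass

# Assumed vocabulary for the toy analyzer (hypothetical, not a real rulepack).
SOURCES = {"request.args.get", "input"}     # attacker-controlled input
SINKS = {"cursor.execute", "os.system"}     # calls that must not receive raw input
SANITIZERS = {"int", "escape"}              # calls whose result is treated as clean


@dataclass
class Finding:
    sink: str        # the dangerous call reached
    line: int        # line of the sink call
    trace: list      # lines the tainted value passed through, source first


def _call_name(node: ast.Call) -> str:
    """Render the callee as a dotted name, e.g. 'cursor.execute'."""
    func, parts = node.func, []
    while isinstance(func, ast.Attribute):
        parts.append(func.attr)
        func = func.value
    if isinstance(func, ast.Name):
        parts.append(func.id)
    return ".".join(reversed(parts))


class TaintAnalyzer(ast.NodeVisitor):
    """Straight-line taint tracker: walks statements in program order and
    ignores branches and loops (a real tool builds a proper control flow graph)."""

    def __init__(self):
        self.tainted = {}     # variable name -> trace (list of line numbers)
        self.findings = []

    def taint_of(self, node):
        """Return the trace if expression `node` carries taint, else None."""
        if isinstance(node, ast.Name):
            return self.tainted.get(node.id)
        if isinstance(node, ast.Call):
            name = _call_name(node)
            if name in SOURCES:
                return [node.lineno]
            if name in SANITIZERS:
                return None                  # sanitizer breaks the flow
            for arg in node.args:            # any other call passes taint through
                trace = self.taint_of(arg)
                if trace is not None:
                    return trace
            return None
        if isinstance(node, ast.BinOp):      # string concatenation
            return self.taint_of(node.left) or self.taint_of(node.right)
        if isinstance(node, ast.JoinedStr):  # f-strings
            for part in node.values:
                if isinstance(part, ast.FormattedValue):
                    trace = self.taint_of(part.value)
                    if trace is not None:
                        return trace
        return None

    def visit_Assign(self, node):
        trace = self.taint_of(node.value)
        for target in node.targets:
            if not isinstance(target, ast.Name):
                continue
            if trace is None:
                self.tainted.pop(target.id, None)   # overwritten with clean data
            elif trace[-1] == node.lineno:
                self.tainted[target.id] = trace     # source sits on this very line
            else:
                self.tainted[target.id] = trace + [node.lineno]
        self.generic_visit(node)

    def visit_Call(self, node):
        if _call_name(node) in SINKS:
            for arg in node.args:
                trace = self.taint_of(arg)
                if trace is not None:
                    self.findings.append(Finding(_call_name(node), node.lineno, trace))
                    break
        self.generic_visit(node)


def analyze(source: str) -> list:
    """Parse `source` and return the list of source-to-sink findings."""
    analyzer = TaintAnalyzer()
    analyzer.visit(ast.parse(source))
    return analyzer.findings


# Constructed sample program; it is only parsed, never executed.
SAMPLE = '''
user = request.args.get("name")
query = "SELECT * FROM users WHERE name = '" + user + "'"
cursor.execute(query)
safe_id = int(request.args.get("id"))
cursor.execute("SELECT * FROM users WHERE id = " + str(safe_id))
'''

if __name__ == "__main__":
    for f in analyze(SAMPLE):
        print(f"{f.sink} at line {f.line}: tainted data flows through lines {f.trace}")
```

Run against the sample, the analyzer reports one finding: the execute call on line 4, with a trace showing the input read on line 2 and concatenated into the query on line 3. The second execute call produces nothing because the value went through int(), which the example treats as a sanitizer. The gap between this toy and a real tool is exactly where false positives and negatives come from: it has no control flow, no inter-procedural tracking and a hand-picked rule set.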
Strengths of Static Code Analysis
Scales better than humans do, can cover more code in less time
Tends to find some of the worst vulnerabilities with high confidence (SQL Injection, buffer overflows, file upload vulnerabilities)
Finds issues in code at the exact location (line number)
Tools include mitigation recommendations and are easy to rescan to verify fix
Finds vulnerabilities earlier in the lifecycle
Weaknesses of Static Code Analysis
Requires well trained security analyst to do good triage, can’t just run it and throw a report over the wall
Not all languages are supported (though the most common are)
False positives and negatives
False sense of security (cannot be the only thing you do)
Doesn’t find issues in a runtime environment (configuration issues, code/assets that aren’t scanned)
Tools are often costly (Fortify is)
Fortify SCA Walkthrough
Audit Workbench
Command line scanning
Triage
Fortify 360
Reports
Scan/Triage Process
Dev team requests scan and provides code location
Security analyst does scan and initial triage
Security analyst meets with dev team to finalize triage and create remediation plan
Dev team remediates issues
Security analyst verifies remediation
Wash-rinse-repeat
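The loop above only works if triage decisions survive from one scan to the next and the verification step can say which findings actually disappeared. The following added example (written for this transcript, not Fortify's own result format or the speaker's tooling) gives each finding a fingerprint that ignores line numbers, carries the analyst's statuses forward to the rescan, and separates fixed, new, outstanding and still-exploitable findings. The finding fields, status names and all scan data are constructed assumptions.

```python
"""Bookkeeping for the scan/triage loop: carry the analyst's decisions forward
to the next scan and show what remediation actually removed.  Added example
with constructed findings; the fields and status names are assumptions, not
Fortify's native result schema."""
import hashlib
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    category: str    # e.g. "SQL Injection"
    file: str
    function: str    # enclosing function, more stable than a line number
    sink: str        # the call the data reaches ("-" if not a data flow issue)
    line: int

    def fingerprint(self) -> str:
        """Identity of a finding across scans.  Deliberately excludes `line`
        so that unrelated edits that shift code do not turn an old, already
        triaged finding into an apparently new one."""
        key = "|".join([self.category, self.file, self.function, self.sink])
        return hashlib.sha256(key.encode()).hexdigest()[:16]


# Triage statuses the analyst assigns (assumed vocabulary).
EXPLOITABLE, SUSPICIOUS, NOT_AN_ISSUE = "Exploitable", "Suspicious", "Not an Issue"


def reconcile(baseline, baseline_triage, rescan):
    """Compare a rescan against the baseline scan.

    baseline, rescan: lists of Finding from the two scans
    baseline_triage: {fingerprint: status} agreed with the dev team
    Returns fixed (gone since baseline), new (never seen before),
    outstanding (still present), unremediated (still present and marked
    Exploitable), and the triage map carried forward to the rescan.
    """
    before = {f.fingerprint(): f for f in baseline}
    after = {f.fingerprint(): f for f in rescan}
    fixed = [before[fp] for fp in before if fp not in after]
    new = [after[fp] for fp in after if fp not in before]
    outstanding = [after[fp] for fp in after if fp in before]
    triage = {fp: baseline_triage.get(fp) for fp in after}   # None = untriaged
    unremediated = [f for f in outstanding
                    if baseline_triage.get(f.fingerprint()) == EXPLOITABLE]
    return {"fixed": fixed, "new": new, "outstanding": outstanding,
            "unremediated": unremediated, "triage": triage}


# Constructed data: the first scan, the triage agreed with the dev team, and
# the rescan after the team's remediation pass.
BASELINE = [
    Finding("SQL Injection", "app/db.py", "lookup_user", "cursor.execute", 42),
    Finding("Path Manipulation", "app/files.py", "download", "open", 17),
    Finding("Dead Code", "app/util.py", "legacy_export", "-", 88),
]
BASELINE_TRIAGE = {
    BASELINE[0].fingerprint(): EXPLOITABLE,
    BASELINE[1].fingerprint(): EXPLOITABLE,
    BASELINE[2].fingerprint(): NOT_AN_ISSUE,
}
RESCAN = [
    # The SQL Injection in lookup_user is gone; the other two moved a few lines.
    Finding("Path Manipulation", "app/files.py", "download", "open", 21),
    Finding("Dead Code", "app/util.py", "legacy_export", "-", 90),
    Finding("Command Injection", "app/jobs.py", "run_job", "os.system", 5),
]


def demo():
    """Reconcile the constructed baseline and rescan."""
    return reconcile(BASELINE, BASELINE_TRIAGE, RESCAN)


if __name__ == "__main__":
    result = demo()
    for label in ("fixed", "new", "outstanding", "unremediated"):
        print(label, [(f.category, f.file, f.line) for f in result[label]])
```

On the constructed data the SQL injection is reported as fixed, the path manipulation is flagged as unremediated because it was marked Exploitable and is still present (at a different line), the dead-code finding keeps its Not an Issue status without being re-triaged, and the new command injection finding arrives untriaged for the next meeting with the dev team. Fingerprinting on category, file, function and sink rather than line number is what keeps the verification step from drowning in reshuffled duplicates.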
Q&A
Questions?