Is Your Company Safe From Online Security Threats?

This might sound like a simple question with a straightforward answer, but it is in fact a complex question with an even more complex answer.

The technology arena, and the Internet in particular, has advanced so rapidly that legacy web-based applications may be exposed to attackers without the technology support teams being aware of it. It is also a fact that security design is sometimes overlooked during the technical specification phase of large software projects. In most cases product owners assume that the technical teams will take care of the non-functional requirements (e.g. the security model) while they code the solution. This rarely happens unless it is clearly specified in the technical specification documentation.


It is very important for any software development department producing web-based software to ensure, firstly, that the developers are knowledgeable about web application vulnerabilities and, secondly, that the necessary tools are available to audit the code produced by the development teams on a continuous basis. It is very difficult for a human to test and look for vulnerabilities on every code path, which makes automated tools a necessity.

There are many software vendors on the web marketing software audit tools. It is, however, critical to ensure that the tool and vendor selected have a track record and adhere to certain industry standards. At a minimum, the audit software has to be aware of the following industry standards.

  • Payment Card Industry Data Security Standard (PCI DSS): This standard is owned by VISA, and all companies operating in the card processing industry have to comply with it.
  • HIPAA (Health Insurance Portability and Accountability Act): Standard for companies operating in the health care industry.
  • MISRA C: Standard for the C language for companies developing software in the motor industry.
  • Open Web Application Security Project (OWASP): A non-profit organization that focuses mainly on the improvement of software security.

The software should also be able to audit code written in various programming languages. At a minimum it should be able to handle the following languages:

  • C#.net up to framework 4.5
  • Java
  • PHP
  • C
  • C++
  • VB.net up to framework 4.5
  • Visual Basic 6.0
  • JavaScript
  • Flash
  • ASP
  • Perl

The critical fact to admit, for any business owner with an in-house development team, is that developers can and will introduce undetected software flaws into applications, and those flaws can put the organization at risk. It is therefore of the utmost importance to have the necessary software in place to assist the development teams and protect the business.

One respected software vendor, Checkmarx.com (described by the Gartner group as Visionary), adheres to all of the above requirements. This company provides static code analysis tools that first locate technical and logical flaws and then manage the necessary rectifying action. This is accomplished by screening the software produced by developers on a continuous basis as part of the software development life cycle (SDLC). The software integrates flawlessly into the integrated development environments of the various supported languages, providing the necessary feedback and information to developers, auditors, etc.
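To make concrete what "screening code on a continuous basis" means in practice, the following is an added illustration (not Checkmarx's code, nor any vendor's) of the core of a static code analysis check: parse a module into a syntax tree, walk every node, match a few rules for well-known weak constructs, and return findings with line numbers that a build pipeline can gate on. The three rules, the rule names, and the sample module are constructed for this example; a commercial tool would carry hundreds of rules and track data flow between them.

```python
"""Minimal static analysis check, as an illustration of what a code-audit
tool does: walk a program's syntax tree and flag known risky constructs.
Constructed example; not Checkmarx's or any other vendor's code."""
import ast
from dataclasses import dataclass
from typing import List, Tuple


@dataclass
class Finding:
    rule: str    # constructed rule identifier
    line: int    # 1-based line in the audited source
    detail: str


def _call_name(func: ast.expr) -> str:
    """Render call targets such as `eval` or `subprocess.run` as dotted strings."""
    if isinstance(func, ast.Name):
        return func.id
    if isinstance(func, ast.Attribute):
        return f"{_call_name(func.value)}.{func.attr}"
    return ""


class RiskyConstructVisitor(ast.NodeVisitor):
    """Visits every node of the AST and records matches for three rules."""

    def __init__(self) -> None:
        self.findings: List[Finding] = []

    def visit_Call(self, node: ast.Call) -> None:
        name = _call_name(node.func)
        # Rule 1: eval()/exec() on anything that is not a string literal.
        if name in ("eval", "exec"):
            if not (node.args and isinstance(node.args[0], ast.Constant)):
                self.findings.append(Finding("dynamic-code-eval", node.lineno,
                                             f"{name}() called on non-literal input"))
        # Rule 2: subprocess.* with shell=True hands a string to the shell.
        if name.startswith("subprocess."):
            for kw in node.keywords:
                if (kw.arg == "shell" and isinstance(kw.value, ast.Constant)
                        and kw.value.value is True):
                    self.findings.append(Finding("shell-true", node.lineno,
                                                 f"{name} invoked with shell=True"))
        self.generic_visit(node)

    def visit_Assign(self, node: ast.Assign) -> None:
        # Rule 3: a string literal assigned to a name that looks like a secret.
        if isinstance(node.value, ast.Constant) and isinstance(node.value.value, str):
            for target in node.targets:
                if isinstance(target, ast.Name) and any(
                        k in target.id.lower() for k in ("password", "secret", "api_key")):
                    self.findings.append(Finding("hardcoded-secret", node.lineno,
                                                 f"string literal assigned to {target.id}"))
        self.generic_visit(node)


def audit_source(source: str) -> List[Finding]:
    """Parse one module and return its findings, ordered by line number."""
    visitor = RiskyConstructVisitor()
    visitor.visit(ast.parse(source))
    return sorted(visitor.findings, key=lambda f: f.line)


def build_should_fail(findings: List[Finding],
                      blocking_rules: Tuple[str, ...] = ("dynamic-code-eval", "shell-true")) -> bool:
    """CI gate: block the build when any finding belongs to a blocking rule."""
    return any(f.rule in blocking_rules for f in findings)


# Constructed sample module: three deliberate weaknesses and one clean eval() on a literal.
SAMPLE = '''\
import subprocess
DB_PASSWORD = "hunter2"
def run(cmd):
    return subprocess.run(cmd, shell=True)
def calc(expr):
    return eval(expr)
def safe():
    return eval("1 + 1")
'''

if __name__ == "__main__":
    results = audit_source(SAMPLE)
    for f in results:
        print(f"line {f.line}: [{f.rule}] {f.detail}")
    print("build blocked" if build_should_fail(results) else "build ok")
```

Run against the sample, the check reports the hard-coded password on line 2, the `shell=True` call on line 4 and the `eval()` of user-controlled input on line 6, while leaving the literal `eval("1 + 1")` alone; the gate function is where a team decides which rule classes stop a merge and which are reported for later rectification.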

Tags: #Security #Web