In today’s fast-paced development world, where code is delivered continuously to enhance business capability, the job of application security has become even more difficult. It is incumbent on us as security professionals to give developers the tools they need not only to deliver software quickly, but also to ensure that the software is robust from a security perspective, without disrupting the development flow.
There is a plethora of application security analysis solutions available, and it can be very difficult to understand the differences between them: each vendor has its own elevator pitch, and those pitches are highly compelling. You must understand which solution is appropriate for your own organisation, and the way to do that is to break each solution down into its fundamental approach and its perceived benefits.
We have to weigh up both the capital costs and the operating costs, which the security department will eventually have to pass on to the business. You also have to consider the suitability of each approach to your own organisation. In our case: will it fit with Agile, and does it integrate with our existing Continuous Integration and development processes?
Most importantly, we have to consider usability from both an organisational perspective and an individual user perspective. A tool that sits on a developer’s shoulder correcting mistakes can be quite invasive, so it must be accurate, clear and simple to use; however, it must also suit the development model and risk appetite of the organisation.
We must also consider very carefully a number of factors, including false positives and false negatives: too much noise of this kind will result in the technology being switched off and ignored. Each flavour of solution that we will discuss in this talk has a different profile in terms of usability, noise, cost and suitability for different environment types.
Ultimately, we will discuss how we selected the right technology for our environment.
When you leave this session you will…
1. Understand the different types of code validation strategy
2. Understand how to justify code validation technology with ROI
3. See which environments each approach is suitable for
4. Understand how to define a selection process
5. See the outcome of a stringent selection process
I am looking forward to the event to once again meet up with the many friends and ex-colleagues I have made over the past 16 years of coming to the event and to see what innovations in technology are coming out of the independent security companies.
Not registered for Infosecurity Europe 2015 yet?