The Secure SLDC – A Quick Reference Secure Coding

The-Secure-SLDC-A-Quick-Reference-Secure-Coding

Secure Coding

  • Static Application Security Testing (SAST)

o SAST, also referred to as Static Code Analysis, does not require a compiled application to run – so it can, and should, be run early in the SDLC. The test reveals vulnerabilities in the code, specifically those in the OWASP Top 10 like SQL injection.

  • Software Composition Analysis (SCA)

o A software composition analysis scans software, as well as its dependencies, and displays a list of known vulnerabilities as well as licenses and noting any deprecated dependencies.

  • Secure Code Review

o “A secure code review is a specialized task involving manual and/or automated review of an application’s source code in an attempt to identify security-related weaknesses (flaws) in the
code. It does not attempt to identify every issue in the code, but instead looks to provide insight into what types of security-related problems exist and help the application developer understand what classes of issues are present.” (Mitre).

Continuous Build, Integration, and Testing

  • Container and Image Scan

o Checks the build process of your containers and images for vulnerabilities. This should be done to establish trust with the base image or container, as well as any composites.

  • Dynamic Application Security Testing (DAST)

o DAST is for compiled code / a running application without knowledge of the environment, simulating a hacker. Since the code is running for the test, this test is good for identifying issues with the runtime environment as well. Note that DASTs are only run on web applications and services.

  • Fuzzing

o Testing with unexpected inputs. This can be something like testing if a non-date is entered in a date field, or even (trying to) drop a binary file in a text field. The goal is to capture these cases and ensure that the application does not crash and gives a usable error message.

  • Interactive Application Security Testing (IAST)

o An IAST tests the running application for vulnerabilities during use, similar to a DAST. Unlike a DAST, an IAST can identify the line of code that is the source of a particular vulnerability.

The-Secure-SLDC-A-Quick-Reference-Secure-CodingDownload
Facebook
Twitter
LinkedIn
Pinterest
Constanza Rodriguez

Constanza Rodriguez

All Posts »

Leave a Reply

Your email address will not be published. Required fields are marked *

Top Recommended Posts

Combating Ransomware – A Comprehensive Framework for Action Key Recommendations from the Ransomare Task Force by IST
Combating Ransomware – A Comprehensive Framework for Action Key Recommendations from the Ransomare Task Force...
A Complete Guide to Implementing DevSecOps in AWS by aspire
A Complete Guide to Implementing DevSecOps in AWS by aspire
OWASP API Security Top 10 – The Ten Most Critical API Security Risks by creative commons
OWASP API Security Top 10 – The Ten Most Critical API Security Risks by creative...
ULTIMATE DEVSECOPS LIBRARY – Tools, Resources & methodologies by sottlmarek
ULTIMATE DEVSECOPS LIBRARY – Tools, Resources & methodologies by sottlmarek
GUIDE TO EFFECTIVE RISK MANAGEMENT 3.0 – ALEX SIDORENKO – ELENA DEMIDENKO
GUIDE TO EFFECTIVE RISK MANAGEMENT 3.0 – ALEX SIDORENKO – ELENA DEMIDENKO
Propuesta de Anteproyecto de Ley de Proteccion de Datos Personales – Ley 25326 – Agencia de Acceso a la Información Publica – Gobierno de Argentina
Propuesta de Anteproyecto de Ley de Proteccion de Datos Personales – Ley 25326 – Agencia...
DevOps Tools and Insfrastructure Under Attack by Wallarm
DevOps Tools and Insfrastructure Under Attack by Wallarm
2022 Falcon OverWatch Threat Hunting Report – NOWHERE TO HIDE by CROWDSTRIKE
2022 Falcon OverWatch Threat Hunting Report – NOWHERE TO HIDE by CROWDSTRIKE
The Endgame Guide to Threat Hunting by Paul Ewing & Devon Kerr
The Endgame Guide to Threat Hunting by Paul Ewing & Devon Kerr
THREAT HUNTING REPORT – Cybersecurity Insiders – DOMAINTOOLS 2021
THREAT HUNTING REPORT – Cybersecurity Insiders – DOMAINTOOLS 2021