One Article Review

Home - The article:
Source Veracode
Identifier 2103305
Publication date 2020-10-29 13:04:48 (viewed: 2020-12-15 21:05:43)
Title A Software Security Checklist Based on the Most Effective AppSec Programs
Text Veracode's Chris Wysopal and Chris Eng joined Enterprise Strategy Group (ESG) Senior Analyst Dave Gruber and award-winning security writer and host of the Smashing Security podcast, Graham Cluley, at Black Hat USA to unveil the findings from a new ESG research report, Modern Application Development Security. The research is based on a survey of nearly 400 developers and security professionals, which explored the dynamic between the roles, their trigger points, the extent to which security teams understand modern development, and the buying intentions of application security (AppSec) teams. As the presenters went through the data, it led to a larger discussion about AppSec best practices and what steps organizations can take to mature their programs. Here are the best practices laid out during the presentation as an easy-to-follow checklist, along with supporting data from the ESG report.

Application security controls are highly integrated into the CI/CD toolchain. In the ESG survey, 43 percent of organizations agreed that DevOps integration is most important to improving AppSec programs, but only 56 percent of respondents answered that they use a highly integrated set of security controls throughout their DevOps process. Integrating security measures into the CI/CD toolchain not only makes it easier for developers to run AppSec tests, but it also helps organizations discover security issues sooner, which speeds up time to deployment.

Application security best practices are formally documented. In order to have a successful AppSec program, everyone needs to be on the same page regarding best practices. The CISO should help facilitate the formal documentation of AppSec best practices. Developers and security professionals can reference the list and use it to guide their decisions.

Application security training is included as part of the ongoing development security training program. Developers have been increasingly tasked with implementing security measures, including writing secure code and remediating vulnerabilities. Most developers don't receive secure code training courses in college, so it is up to organizations to offer security training. But according to the survey, more than 20 percent of organizations only provide training when developers join the team. Developers should have multiple, at-leisure training opportunities throughout the year, like virtual or hands-on programs, such as Veracode Security Labs. Chris Wysopal pointed out the importance of human touchpoints as part of ongoing developer training. If someone is checking in on developers to make sure they're completing their training, they'll likely take it more seriously. Consider a security champions program. The security champions are developers who have an interest in learning about security. If you have at least one security champion on every scrum team, that person can help ensure that their peers are up to speed on the latest security training and best practices.

Ongoing developer security training includes formal training programs, and a high percentage of developers participate. At-leisure security training is a great way for developers to learn on their own time. But it is also important to implement formal security training with a set completion date and a skills assessment. Without formal security training, developers may not develop the skills they need to write secure code and remediate vulnerabilities. This could lead to slower and more expensive deployments because of rework or vulnerable code being pushed to production. Accordin
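The first checklist item, security controls integrated into the CI/CD toolchain, is the one that turns into a concrete pipeline step. As an added illustration (not code from Veracode, ESG, or the presentation), the Python script below is a security gate that runs after the scanner stage: it parses the scanner's report, counts findings by severity, and returns a non-zero exit status when anything at or above the chosen threshold is present, so the build stops before that code reaches deployment. The report layout and severity labels are assumptions loosely modelled on SARIF; the sample report embedded in the script is constructed for the example.

```python
"""CI security gate: fail the pipeline when a scanner report contains
findings at or above a severity threshold.

Added example, not Veracode's or ESG's code. The report layout below is a
constructed, simplified SARIF-like structure (assumption); a real pipeline
would feed in the JSON emitted by whichever SAST/SCA tool runs in CI.
"""
import json
import sys
from collections import Counter

# Severity ranking used for the threshold comparison. Assumption: these are
# the labels the scanner emits; map your tool's own levels onto them.
SEVERITY_RANK = {"critical": 4, "high": 3, "medium": 2, "low": 1, "info": 0}


def _loc(uri, line):
    """Build one SARIF-style location entry for the constructed sample."""
    return {"physicalLocation": {"artifactLocation": {"uri": uri},
                                 "region": {"startLine": line}}}


# Constructed sample report: two findings that should block, one that should not.
SAMPLE_REPORT = json.dumps({
    "runs": [{
        "tool": {"driver": {"name": "example-sast"}},
        "results": [
            {"ruleId": "sql-injection", "level": "high",
             "locations": [_loc("app/db.py", 42)]},
            {"ruleId": "hardcoded-secret", "level": "critical",
             "locations": [_loc("app/config.py", 7)]},
            {"ruleId": "verbose-logging", "level": "low",
             "locations": [_loc("app/log.py", 15)]},
        ],
    }],
})


def parse_findings(report_json):
    """Flatten a SARIF-like report into (rule, severity, path, line) tuples."""
    data = json.loads(report_json)
    findings = []
    for run in data.get("runs", []):
        for result in run.get("results", []):
            severity = str(result.get("level", "info")).lower()
            physical = {}
            locations = result.get("locations") or []
            if locations:
                physical = locations[0].get("physicalLocation", {})
            path = physical.get("artifactLocation", {}).get("uri", "<unknown>")
            line = physical.get("region", {}).get("startLine")
            findings.append((result.get("ruleId", "<no-rule>"), severity, path, line))
    return findings


def gate(report_json, fail_on="high", ignore_unknown=False):
    """Return (passed, blocking_findings, counts_by_severity).

    Severities the ranking does not know are treated as blocking unless
    ignore_unknown is set: the gate fails closed if a tool update renames
    its levels, rather than silently letting findings through.
    """
    threshold = SEVERITY_RANK[fail_on]
    findings = parse_findings(report_json)
    counts = Counter(sev for _, sev, _, _ in findings)
    blocking = []
    for finding in findings:
        rank = SEVERITY_RANK.get(finding[1])
        if rank is None:
            if not ignore_unknown:
                blocking.append(finding)
        elif rank >= threshold:
            blocking.append(finding)
    return (len(blocking) == 0, blocking, dict(counts))


def main(argv):
    # Read the report file given on the command line, else use the sample.
    report = open(argv[1], encoding="utf-8").read() if len(argv) > 1 else SAMPLE_REPORT
    passed, blocking, counts = gate(report)
    print(f"findings by severity: {counts}")
    for rule, sev, path, line in blocking:
        print(f"BLOCKING {sev:<8} {rule} at {path}:{line}")
    print("gate PASSED" if passed else "gate FAILED")
    return 0 if passed else 1


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

In a pipeline this runs as the step after the scan, for example `python security_gate.py report.json`, and the non-zero exit status is what stops the job. The threshold is a parameter rather than a constant so that a team can start by blocking only on critical findings and tighten it as the backlog shrinks, which is the "mature their programs" step the presentation describes.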
Sent Yes
Tags Tool Vulnerability Guideline
Stories Uber
The article does not appear to have been picked up after its publication.


The article does not appear to have been picked up from a previous one.