The impact of this topic can be seen in the news regularly. Software companies release software that unknowingly contains vulnerabilities; a vulnerability is identified and starts being exploited, and then hundreds if not thousands of organizations need to patch their installs of that software. The basis of this topic is to teach standardized ways of reviewing code and compiled applications to address vulnerabilities as quickly as possible. We created a paper that applied security testing to a vulnerable web application as part of this topic. The sections below review static and dynamic testing and dive deeper into how dynamic testing was used in the final project of this topic.
When testing an application, you can test for vulnerabilities both pre- and post-compile. Pre-compile testing is known as static analysis. In this testing method, you're looking at the static code and identifying known vulnerabilities in the code or in other artifacts it may utilize (libraries, for example). Ideally, finding vulnerabilities at this level has the least impact on the deployment base of your code. Static analysis can help you identify issues while they affect only 1-2 programmers or instances, rather than after deployment to a user base that may involve hundreds or thousands of users.
On the other hand, dynamic analysis looks at an application after it has been compiled and deployed. This testing method is crucial as it looks at your application as it exists in production. Many threat actors will not have access to your source code (although recent attacks have proven otherwise) and will rely on your deployed application being vulnerable. Dynamic analysis will look at the multiple ways an application can be deployed and take into consideration various attack vectors that may be used.
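The distinction between the two methods is easiest to see side by side. The following is an added example written for this page (it is not part of the original essay or of the WebGoat final paper): a constructed sample application with two defects, a static check that reads its source without running it, and a dynamic check that sends a request to the loaded application and inspects only the response. The dangerous-call list and the canary string are assumptions chosen for the example; a real DAST tool would send its requests over HTTP to a deployed server rather than calling the handler in-process.

```python
"""Static vs dynamic testing of a tiny WSGI application (illustrative example)."""
import ast
from urllib.parse import quote

# Constructed sample source with two defects: input reflected into HTML
# without escaping, and a shell command assembled from request input.
SAMPLE_SOURCE = '''
import os
from urllib.parse import parse_qs

def app(environ, start_response):
    params = parse_qs(environ.get("QUERY_STRING", ""))
    name = params.get("name", [""])[0]
    if params.get("ping"):
        os.system("ping -c 1 " + params["ping"][0])   # command built from input
    start_response("200 OK", [("Content-Type", "text/html")])
    return [("<h1>Hello " + name + "</h1>").encode()]
'''

# Corrected version: argument list instead of a shell string, output escaped.
FIXED_SOURCE = '''
import subprocess
from html import escape
from urllib.parse import parse_qs

def app(environ, start_response):
    params = parse_qs(environ.get("QUERY_STRING", ""))
    name = params.get("name", [""])[0]
    if params.get("ping"):
        subprocess.run(["ping", "-c", "1", params["ping"][0]])  # no shell involved
    start_response("200 OK", [("Content-Type", "text/html")])
    return [("<h1>Hello " + escape(name) + "</h1>").encode()]
'''

# Sinks that a static rule set flags; a constructed, deliberately small list.
DANGEROUS_CALLS = {"eval", "exec", "os.system", "subprocess.call", "subprocess.Popen"}


def _call_name(node: ast.Call) -> str:
    """Render the called name as dotted text, e.g. 'os.system'."""
    f = node.func
    if isinstance(f, ast.Name):
        return f.id
    if isinstance(f, ast.Attribute) and isinstance(f.value, ast.Name):
        return f"{f.value.id}.{f.attr}"
    return ""


def static_findings(source: str) -> list[str]:
    """Static analysis: walk the syntax tree of the source; nothing is executed."""
    findings = []
    for node in ast.walk(ast.parse(source)):
        if isinstance(node, ast.Call) and _call_name(node) in DANGEROUS_CALLS:
            findings.append(f"line {node.lineno}: call to {_call_name(node)}")
    return findings


def load_app(source: str):
    """Stand-in for deployment: execute the source and return its entry point."""
    namespace: dict = {}
    exec(source, namespace)
    return namespace["app"]


def dynamic_reflection_check(app, canary: str = "<dast-canary>") -> bool:
    """Dynamic analysis: send one request and inspect only the response.

    Returns True when the canary comes back unencoded, i.e. the running
    application reflects user input into HTML without escaping it.
    """
    environ = {"REQUEST_METHOD": "GET", "QUERY_STRING": "name=" + quote(canary)}

    def start_response(status, headers):
        pass

    body = b"".join(app(environ, start_response)).decode()
    return canary in body


if __name__ == "__main__":
    print("static, vulnerable:", static_findings(SAMPLE_SOURCE))
    print("static, fixed:     ", static_findings(FIXED_SOURCE))
    print("dynamic, vulnerable reflects input:", dynamic_reflection_check(load_app(SAMPLE_SOURCE)))
    print("dynamic, fixed reflects input:     ", dynamic_reflection_check(load_app(FIXED_SOURCE)))
```

Note what each method sees: the static check finds the `os.system` sink by reading the source and never exercises the reflected-input defect, because nothing in the syntax tree says the string is HTML. The dynamic check finds the reflection by observing the deployed behaviour, but has no view of the command-building line unless a request happens to reach it. That is why the essay argues for both.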
Dynamic testing is an essential part of being a security practitioner within an organization. It allows you to look holistically at the deployment of the application in your environment and map that back to the security policies you've created. Understanding the various tools and techniques used in dynamic testing helps build your qualifications as a security professional. Ethically, considering all variables in an environment, especially the software, is vital for the integrity of the security at any organization. The following section will break down the Dynamic Analysis Security Testing of the WebGoat (OWASP, 2021) program, which we wrote as our final paper for this topic.
As I reflect on this topic, it's important for me to understand the impacts of these controls on my professional life. Applications are our gateway to accessing and manipulating data critical to an organization. As a previous network and security manager for an organization, doing dynamic testing was key to ensuring that new software coming into the environment met the policies we had in place. If any unpatchable vulnerabilities were found, it was essential for us to ensure we updated our security controls to address those as best as possible or omit the application altogether. Having the knowledge of software security testing toolsets allows me to be more effective in current and future roles. Also, catching vulnerabilities early is vital. Fixing a few lines of code before the software is built and run is a lot easier than deploying thousands of patches for production software. However, it's not always possible to catch coding vulnerabilities in code, hence the need for both types of testing.
The tools you see used in the document provided above are relatively popular for dynamic testing. Tenable has made a name for itself in vulnerability identification, tracking, and resolution by being a toolset that is easy to operate (tenable, n.d.). The Nessus scanner is one of Tenable's many products around vulnerability management. It's also crucial to understand the software development lifecycle and how tools from Tenable, Palo Alto Networks Prisma Cloud, or other lifecycle security tools can be implemented into the dev cycle. As mentioned above, catching vulnerabilities during the development cycle is a critical first step toward secure software.
Finally, any security professional must ensure that software implementation into an environment is done securely. It's not only the right thing to do, but it can also be the deciding factor between the success and demise of a company. As cybersecurity leaders for an organization, it's essential for us to ensure that practices like software analysis confirm integrity in our work. The toolsets available for security professionals make it easier to ensure they are running a solid security practice.
Microsoft. (2017, August 17). Microsoft Threat Modeling Tool threats. Microsoft. https://docs.microsoft.com/en-us/azure/security/develop/threat-modeling-tool-threats
OWASP. (2021). OWASP WebGoat. OWASP. https://owasp.org/www-project-webgoat/
Rice, T., Brown-White, J., Skinner, T., Ozmore, N., Carlage, N., Poland, W., Heitzman, E., & Dhillon, D. (2018, March). Fundamental Practices for Securing Software Development. SAFECode. https://safecode.org/wp-content/uploads/2018/03/SAFECode_Fundamental_Practices_for_Secure_Software_Development_March_2018.pdf
Synopsys. (2021). Static Application Security Testing. Synopsys. https://www.synopsys.com/glossary/what-is-sast.html
tenable. (n.d.). Tenable® - The Cyber Exposure Company. Retrieved March 13, 2022, from https://www.tenable.com/