This series looks at Web application threats, secure software development practices and the challenge of finding and fixing Web application vulnerabilities. Stories in this series examine why attackers target Web application flaws and the emerging technologies that are slowly improving Web application security in the enterprise. Finally, a piece looks at the challenges posed by mobile application development and the bring your own device (BYOD) trend.
In this part:
Vulnerabilities in HTML5 make it an emerging threat; however, SQL injection and XSS remain among the top attacks. Experts say emerging technologies produce a complex set of challenges for enterprises grappling with the daunting task of preventing dangerous vulnerabilities. Unfortunately, experts say, speed, functionality and overall experience typically take priority over the security of Web applications.
Using the cloud can streamline secure software development, but experts say it comes with challenges and risks. Development tools such as static code analysis tools are now being offered as a Web-based service, relieving the security team of some of the burden associated with software testing. Companies using cloud-based code scanning services need to understand how their data is being protected, and what processes and technical controls are in place to defend against cyberattacks.
Security fails to gain priority in the rush to build and test mobile applications, according to a study by Paris-based IT consultancy Capgemini. Software security teams are trying to catch up to the bring your own device (BYOD) trend and the sharp increase in smartphone use in the enterprise. Organizations creating enterprise mobile applications are focusing on speed and performance rather than security because they are hindered by a lack of tools and of testers who understand the myriad mobile environments.
Static analysis tools are gaining popularity with Indian companies as software development models and perspectives mature. Static analysis helps find defects and vulnerabilities in software code without executing that code. Best practices dictate that both static and dynamic code analysis be conducted to truly understand the weaknesses in the software. Here are some popular choices.
Video: Gary McGraw on secure software development
Getting a handle on your software security processes is not easy, but noted software security expert Gary McGraw says forward-leaning organizations share some similarities. McGraw oversees the Building Security In Maturity Model (BSIMM), which examines the software security initiatives at 51 enterprises. Version 4 of the BSIMM was released in September.
Video: Software Reliability: Building Security In
In this video, learn state-of-the-art techniques for building a secure software development process.