For Software Quality Assurance Engineers
Software Quality Assurance (SQA) is a tough job, and now with more frequent, costly, and extremely embarrassing cyber-attacks, your job has gotten even tougher! SQA engineers traditionally monitor software development projects to ensure design quality and adherence to company coding standards, but in today’s time-compressed world of rapid releases and DevOps, the traditional SQA process is changing and broadening in scope.
SQA professionals are now in a position to also test software for security. While we know that software quality is correlated with its security, testing specifically for security requires special tools and procedures. Even if a software application passes functional tests, the software may still be vulnerable to cyber-attack. Moreover, your company and customers may demand that your software comply with industry standards, to help garner approval from external software auditors.
Given how today’s SQA professionals are facing more abbreviated development schedules (management wants it out the door, now!), how do you make the time to properly test and approve software applications, including their security? You need to be equipped with the right tools that help streamline this process, and you need to know how to use them to prioritize the vulnerabilities that must be fixed first, based on industry standards.
If you’re just getting started in security testing, check out our Resources page, where you will find examples of the types of exploits that attackers use on code, and a Knowledge Center that explains different types of “AppSec” testing. Then try out some tools.
The Code Dx application vulnerability correlation and management system has several open source tools already embedded in it, so you don’t have to configure and run them on your own. We do that for you. And Code Dx Enterprise is a great tool to streamline, automate, and manage a comprehensive application security testing program. That program starts with static analysis of the source code, and progresses to dynamic analysis of the running application.
Security Testing Starts with Static Analysis Early in the Software Development Life Cycle
The first step in security testing is to use Static Application Security Testing (SAST) tools to analyze the source code for security vulnerabilities. Based on the programming languages used to develop the code, Code Dx automatically determines the SAST tools needed to evaluate the code. Bundled with both Stat! and Code Dx Enterprise are a selection of free and open source tools such as FindBugs, PMD, Android Lint, Pylint, and FxCop that are automatically configured and executed to evaluate the code. To supplement this, the vulnerability results from separately-purchased commercial SAST tools such as AppScan, Fortify, Checkmarx, Parasoft and WhiteHat can be imported into Code Dx and combined with the open-source tool results. Additional tools bundled within Code Dx, such as OWASP Dependency-Check and Retire.js, check the vulnerability status of the third-party software libraries within your code base to ensure you are using the most secure versions.
It’s critical to use several different application security testing tools to get a complete picture of an application’s security status, because the unfortunate truth in today’s burgeoning AppSec industry is that the average SAST tool finds only 14% of the vulnerabilities in an application’s code. That’s why Code Dx supports many security testing tools across many languages.
Black Box Testing
Once you’ve completed SAST testing, the next step is to perform “black box” Dynamic Application Security Testing (DAST), which evaluates the application while it is running to identify software functions that are vulnerable due to design flaws. The open-source and commercial DAST tools supported by Code Dx Enterprise include Arachni, Burp Suite, WebInspect, Netsparker, OWASP ZAP and several others. Once again, it is advisable to use more than one of these tools, as no single tool has the ability to find all application security flaws.
Bringing your security testing solution all together
The true power of Code Dx Enterprise is realized when it combines all SAST, DAST and manual testing results into a centralized console that presents all of the vulnerability findings in a single, concise, consolidated, de-duplicated and prioritized list. The results of SAST and DAST security testing can easily be provided to the development team, and other colleagues, in an actionable form. Code Dx Enterprise has real-time collaboration mechanisms that enable you and your colleagues to quickly remediate software vulnerabilities. If applications need to be compliant with specific standards such as the OWASP Top 10, SANS Top 25, CERT Secure Coding Standards, PCI DSS, CLASP, 7PK, HIPAA and others, Code Dx Enterprise can easily identify the vulnerabilities that make your software non-compliant. Assessment reports in PDF, CSV and XML formats are a snap to generate, and will keep management, QA and developer teams in the loop. A host of additional features streamline the application security testing process even further.
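To make concrete what "consolidated, de-duplicated and prioritized" means when several tools report on the same code, here is an added example of the basic correlation logic; it is not Code Dx's code. The tool names (`sast-a`, `sast-b`, `dast-c`), the sample findings, the assumption that sources live under `src/`, and the small CWE-to-OWASP Top 10 table are all constructed for illustration.

```python
"""Correlate findings from several AppSec tools into one de-duplicated,
prioritized list. Added example; constructed data, not Code Dx's code."""
from dataclasses import dataclass, field
from posixpath import normpath
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Finding:
    tool: str      # tool that reported it
    path: str      # file as the tool printed it (form differs between tools)
    line: int
    cwe: int       # CWE identifier the tool assigned
    severity: str  # "high" | "medium" | "low"


@dataclass
class Correlated:
    path: str
    line: int
    cwe: int
    severity: str
    tools: List[str] = field(default_factory=list)  # every tool that agreed


SEVERITY_RANK = {"low": 1, "medium": 2, "high": 3}

# Illustrative CWE -> OWASP Top 10 (2017) mapping. Assumption for this example;
# a real correlation system carries a far larger table per standard.
CWE_TO_OWASP_TOP10 = {
    89: "A1:2017-Injection",
    79: "A7:2017-Cross-Site Scripting",
    798: "A2:2017-Broken Authentication",
    327: "A3:2017-Sensitive Data Exposure",
}


def normalize_path(path: str) -> str:
    """Tools print paths differently (./src/x.py, src\\x.py, /repo/src/x.py);
    fold them to one repo-relative POSIX form so the same line keys identically.
    Assumption: the code base lives under a 'src/' directory."""
    p = normpath(path.replace("\\", "/"))
    idx = p.find("src/")
    return p[idx:] if idx >= 0 else p.lstrip("/")


def correlate(findings: List[Finding]) -> List[Correlated]:
    """Merge findings that point at the same (file, line, CWE) into one item,
    keeping the most severe rating any tool gave and listing every tool."""
    merged: Dict[Tuple[str, int, int], Correlated] = {}
    for f in findings:
        key = (normalize_path(f.path), f.line, f.cwe)
        item = merged.get(key)
        if item is None:
            item = Correlated(key[0], f.line, f.cwe, f.severity)
            merged[key] = item
        elif SEVERITY_RANK[f.severity] > SEVERITY_RANK[item.severity]:
            item.severity = f.severity
        if f.tool not in item.tools:
            item.tools.append(f.tool)
    return list(merged.values())


def prioritize(items: List[Correlated]) -> List[Correlated]:
    """Highest severity first; ties broken by how many tools agree, then location."""
    return sorted(
        items,
        key=lambda c: (-SEVERITY_RANK[c.severity], -len(c.tools), c.path, c.line),
    )


def top10_violations(items: List[Correlated]) -> Dict[str, List[Correlated]]:
    """Group findings by the OWASP Top 10 category their CWE maps to, so the
    list of what makes the application non-compliant falls out directly."""
    out: Dict[str, List[Correlated]] = {}
    for c in items:
        category = CWE_TO_OWASP_TOP10.get(c.cwe)
        if category:
            out.setdefault(category, []).append(c)
    return out


# Constructed sample output from three hypothetical tools (two SAST, one DAST).
SAMPLE = [
    Finding("sast-a", "./src/db.py", 42, 89, "medium"),
    Finding("sast-b", "/repo/src/db.py", 42, 89, "high"),
    Finding("sast-a", "src/views.py", 17, 79, "medium"),
    Finding("dast-c", "src\\views.py", 17, 79, "medium"),
    Finding("sast-b", "src/config.py", 3, 798, "high"),
    Finding("sast-a", "src/util.py", 88, 563, "low"),
]

if __name__ == "__main__":
    for c in prioritize(correlate(SAMPLE)):
        print(f"{c.severity:6} CWE-{c.cwe:<4} {c.path}:{c.line}  reported by {', '.join(c.tools)}")
    for category, hits in top10_violations(correlate(SAMPLE)).items():
        print(f"{category}: {len(hits)} finding(s)")
```

The six raw findings collapse to four items: the SQL injection at `src/db.py:42` is reported by both SAST tools under different path spellings and different severities, so it becomes one high-severity item with two confirming tools and lands at the top of the list; the low-severity CWE-563 finding has no Top 10 mapping and so does not appear in the compliance view.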
Code Dx also seamlessly integrates into the Software Development Lifecycle (SDLC), supporting Integrated Development Environments (IDEs) such as Eclipse and Visual Studio, the Jenkins continuous integration system, Git version control system, and the JIRA issue tracker. This makes it effortless to slip Code Dx into your development and testing workflows.