The best way to make web applications secure is to include security at every step along the development process, from requirements analysis, to design, to implementation and testing, and into maintenance and update phases. To that end, it’s wise to consider a kind of “Web Application Security Blueprint” as part and parcel of how you work through the application lifecycle.
Here’s a checklist of items to consider and best practices to follow when putting such a blueprint together.
Put the security focus on the web application with a Web Application Security Blueprint
First and foremost, this means scanning for and eliminating vulnerabilities before applications get released. Kiuwan’s code scanning tools and technologies can not only provide guidance and remediation for the code you build in house, but also assess risks and vulnerabilities in the open source frameworks and code libraries you reference in that code.
Second, a constant focus on the blueprint means that security concerns shape application architecture and design, and that security reviews are part of the feedback loop as those choices and lifecycle steps move forward. The same concerns apply when choosing open source or third-party components, libraries and frameworks: each one brings its own known vulnerabilities and licensing obligations into your release. (Here again, Kiuwan can help provide insight.)
Third, it’s vital to choose development tools that include (or can incorporate) security scans as part of the process of managing builds, versions and releases. Kiuwan offers plug-ins for the following IDEs:
- Eclipse (Analyzer and Viewer)
- RAD (Rational Application Developer for WebSphere Software)
- IBM Rational Developer for i systems (and more)
- Microsoft Visual Studio (Viewer)
- JetBrains IDEs (Viewer): IntelliJ IDEA, PhpStorm, PyCharm (and more)
- Microsoft VS Code (Viewer)
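The second and third points above (assess third-party components, and make the scan a gate in the build rather than an afterthought) come together in a release gate. The script below is an added example, not Kiuwan's code and not its output format: it reads SARIF 2.1.0, the tool-neutral results format that many SAST and SCA scanners can emit, so one gate can enforce policy over both kinds of findings. The embedded report, the tool names, the rule identifiers and the severity budget in POLICY are all constructed for illustration.

```python
"""Release gate: reject a build when scanner findings exceed a policy.

Added example, not Kiuwan code. It parses SARIF 2.1.0 (a tool-neutral
results format) so the same gate works over SAST and SCA output; the
sample report and the policy values below are constructed.
"""
import json
from collections import Counter

# Policy: maximum number of findings tolerated per SARIF level.
# "error" findings always fail the build; a small budget of "warning"
# findings lets the gate be introduced without blocking every release
# on day one. Assumed values for this example, not a vendor default.
POLICY = {"error": 0, "warning": 5}

# Constructed SARIF report with one SAST run and one SCA run.
SAMPLE_SARIF = json.dumps({
    "version": "2.1.0",
    "runs": [
        {
            "tool": {"driver": {"name": "example-sast"}},
            "results": [
                {"ruleId": "sql-injection", "level": "error",
                 "message": {"text": "User input concatenated into SQL query"},
                 "locations": [{"physicalLocation": {
                     "artifactLocation": {"uri": "src/orders.py"},
                     "region": {"startLine": 42}}}]},
                {"ruleId": "weak-hash", "level": "warning",
                 "message": {"text": "MD5 used for password hashing"},
                 "locations": [{"physicalLocation": {
                     "artifactLocation": {"uri": "src/auth.py"},
                     "region": {"startLine": 17}}}]},
            ],
        },
        {
            "tool": {"driver": {"name": "example-sca"}},
            "results": [
                {"ruleId": "vulnerable-dependency", "level": "error",
                 "message": {"text": "example-lib 1.2.3 has a known remote code execution flaw"},
                 "locations": [{"physicalLocation": {
                     "artifactLocation": {"uri": "requirements.txt"},
                     "region": {"startLine": 3}}}]},
            ],
        },
    ],
})


def parse_findings(sarif_text):
    """Flatten a SARIF document into (tool, level, rule, file, line, message) tuples."""
    doc = json.loads(sarif_text)
    findings = []
    for run in doc.get("runs", []):
        tool = run.get("tool", {}).get("driver", {}).get("name", "unknown")
        for result in run.get("results", []):
            # SARIF treats a missing level as "warning".
            level = result.get("level", "warning")
            loc = {}
            if result.get("locations"):
                loc = result["locations"][0].get("physicalLocation", {})
            uri = loc.get("artifactLocation", {}).get("uri", "?")
            line = loc.get("region", {}).get("startLine", 0)
            findings.append((tool, level, result.get("ruleId", "?"), uri, line,
                             result.get("message", {}).get("text", "")))
    return findings


def evaluate(findings, policy=POLICY):
    """Return (passed, counts) where counts maps level -> number of findings."""
    counts = Counter(level for _, level, *_ in findings)
    passed = all(counts.get(level, 0) <= limit for level, limit in policy.items())
    return passed, dict(counts)


def gate(sarif_text, policy=POLICY):
    """Exit code for CI: 0 when the policy is met, 1 otherwise."""
    findings = parse_findings(sarif_text)
    passed, counts = evaluate(findings, policy)
    for tool, level, rule, uri, line, msg in sorted(findings, key=lambda f: f[1]):
        print(f"[{level}] {tool}: {rule} at {uri}:{line}: {msg}")
    print("counts:", counts, "-> build", "ACCEPTED" if passed else "REJECTED")
    return 0 if passed else 1


if __name__ == "__main__":
    import sys
    # In CI, pass the scanner's SARIF file as the first argument; with no
    # argument the constructed sample report is used.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_SARIF
    sys.exit(gate(text))
```

Wire `gate` into the build step that produces the release artifact so a non-zero exit stops the pipeline; keep the policy in version control next to the code so that loosening it is a reviewed change, not a local tweak.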
Use the right security tools
Development managers and software architects would do well to consult security experts as well as developers in assembling an application security (AppSec) toolkit. This toolkit should include all the software and analysis tools required to identify and then address or remediate risks, threats and vulnerabilities.
This is where Kiuwan’s code security tools really shine, including Code Security (SAST), Insights (SCA for assessing and managing open source risk) and Code Analysis (code quality analysis, including IDE plug-ins).
Assemble people with the proper skills and resources
Developers need information and training about how best to consider and incorporate security concerns as a key ingredient throughout the entire development and operations lifecycles. To that end, Kiuwan offers a broad collection of on-demand webinars to help establish and elevate developers’ security consciousness and to foster a deeper understanding and more effective use of Kiuwan’s tools and technologies.
Topics include tutorials on working with specific tools (code scanning, plug-in integration, working with open source components, and more), as well as training on building security into continuous delivery pipelines (an approach often termed DevSecOps or even SecDevOps), managing security challenges on distributed teams, effective strategies for working on remote QA teams, and more. Kiuwan won’t leave you to figure out its tools and technologies on your own; you’ll find plenty of help, guidance, and examples.
Pivot DevSecOps into the cloud
Companies need to understand which security risks a cloud provider takes on and which ones remain the customer’s responsibility (the shared responsibility model), as well as what security controls the provider uses itself and offers to customers for managing security in the cloud. When migrating applications from on-premises compute, storage and networking to their cloud equivalents, companies must develop a detailed plan that incorporates security objectives, metrics and controls into the migration.
Above all, they must understand how to run scanning and monitoring on their code assets wherever those assets live, including in the cloud, and how to patch, update and remediate there as well. Kiuwan’s tools permit audits and analyses for both local and cloud-based code assets, and its training covers how to detect vulnerabilities on certain SaaS platforms such as SAP.