IN THIS ISSUE:
- Spotlight Article: Processes and Tools for Better Security
- Podcast: Eliminating Malicious Code at the Source
- News: Ounce 5.0 Product Review SC Magazine
- News: Software that makes software better The Economist
SPOTLIGHT ARTICLE
Processes and Tools for Better Security
In an environment of complex and serious threats to data security, organizations increasingly recognize applications as the most common point of attack. In response, some organizations rely on security processes, while others rely on application-security tools.
Both approaches provide some security, but neither on its own is comprehensive enough to provide real protection. An approach that integrates sound process with effective technology best protects organization and customer data.
Sustainable Processes
Repairing software vulnerabilities after deployment costs 100 times more than repairing them before deployment, so post-deployment repair is simply too costly.
Integrating security processes into each step of the software development lifecycle (SDLC) makes pre-deployment remediation of software vulnerabilities affordable and achievable. Anthony Gerkis of Accenture and Jack Danahy of Ounce Labs outline these processes in Software Security Governance in the Development Lifecycle. To build security into the SDLC, they urge organizations to:
- Plan for security from the beginning, using risk management to derive security requirements from business objectives
- Design for security to ensure that appropriate security mechanisms are included to meet business requirements
- Build for security in development teams and ensure that the technology and processes are in place to meet security requirements
- Deploy for security by conducting ongoing security reviews and using consistent processes to prioritize and remediate vulnerabilities.
Once processes have been developed, organizations should run a pilot program, then evaluate and improve on its results. Deploying a tested process across the organization is easier and yields both greater efficiency and greater security.
Effective Tools
Since applications are the source of the most critical vulnerabilities, organizations must use the best tools to secure them.
The Right Tool for the Right Job: An Application Security Tools Report Card, by Ryan Berg, co-founder and chief scientist at Ounce, helps organizations determine which class of tools - web application firewalls, web application scanners, or source code analyzers - best addresses critical software vulnerabilities.
The at-a-glance report card, which rates each class of tool against the Open Web Application Security Project (OWASP) Top 10, shows that source-code analysis tools provide the greatest benefit to development organizations.
Addressing vulnerabilities at the code level, before deployment, makes applications more secure, protects data better, and reduces maintenance costs.
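To make concrete what "addressing vulnerabilities at the code level" means in practice, here is an added illustration that is not Ounce's product and not code from this newsletter: a minimal source-code check, written for Python with the standard ast module, that flags database calls whose query string is assembled at runtime (concatenation, %-formatting, str.format or f-strings) and leaves parameterized calls alone. The sample program it scans is constructed for the example, and the method names execute and executemany are assumed from the Python DB-API. A real analyzer tracks tainted data across assignments and calls; this one only inspects the call argument itself, which is the gap noted in the comments.

```python
"""
Minimal source-code analysis check for one OWASP Top 10 class (SQL injection).

Added illustration, not Ounce's tool or code from the newsletter. It parses
Python source, finds calls to (assumed DB-API) methods named execute or
executemany, and reports any whose first argument builds the query string
dynamically instead of passing a literal plus bound parameters.
"""
import ast

DB_CALLS = {"execute", "executemany"}  # assumed DB-API method names

# Constructed sample program under analysis: two injectable queries, one safe.
SAMPLE_SOURCE = '''
def find_user_unsafe(cursor, name):
    # user input concatenated straight into the SQL text
    cursor.execute("SELECT * FROM users WHERE name = '" + name + "'")

def find_user_format(cursor, name):
    cursor.execute(f"SELECT * FROM users WHERE name = '{name}'")

def find_user_safe(cursor, name):
    # parameterized query: the driver keeps code and data separate
    cursor.execute("SELECT * FROM users WHERE name = %s", (name,))
'''


def _has_nonconstant_part(node: ast.AST) -> bool:
    """True if any operand of a string-building expression is not a literal."""
    if isinstance(node, ast.Constant):
        return False
    if isinstance(node, ast.BinOp) and isinstance(node.op, ast.Add):
        return _has_nonconstant_part(node.left) or _has_nonconstant_part(node.right)
    if isinstance(node, ast.Tuple):
        return any(_has_nonconstant_part(e) for e in node.elts)
    return True  # Name, Call, Attribute, Subscript ...: not a literal


def _builds_query_dynamically(node: ast.AST) -> bool:
    """True if the query argument is assembled from non-literal values."""
    if isinstance(node, ast.JoinedStr):  # f"...{x}..."
        return any(isinstance(v, ast.FormattedValue) for v in node.values)
    if isinstance(node, ast.BinOp) and isinstance(node.op, (ast.Add, ast.Mod)):
        return _has_nonconstant_part(node.left) or _has_nonconstant_part(node.right)
    if isinstance(node, ast.Call):  # "...{}".format(x)
        return isinstance(node.func, ast.Attribute) and node.func.attr == "format"
    # A literal, or a bare variable: without taint tracking across
    # assignments (which a real analyzer does) this local check stays silent.
    return False


def find_sql_injection(source: str) -> list[tuple[int, str]]:
    """Return (line, enclosing module-level function) for each dynamic query."""
    findings = []
    for fn in ast.parse(source).body:
        if not isinstance(fn, ast.FunctionDef):
            continue
        for node in ast.walk(fn):
            if not isinstance(node, ast.Call):
                continue
            callee = node.func
            if not (isinstance(callee, ast.Attribute) and callee.attr in DB_CALLS):
                continue
            if node.args and _builds_query_dynamically(node.args[0]):
                findings.append((node.lineno, fn.name))
    return findings


if __name__ == "__main__":
    for line, func in find_sql_injection(SAMPLE_SOURCE):
        print(f"line {line}: dynamic SQL passed to database call in {func}()")
```

Run against the constructed sample, the check reports the concatenated and f-string queries and accepts the parameterized one, which is the distinction a web application firewall cannot make because it never sees the code, only the resulting requests.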
Ounce Drives Better Application Security
Ounce's approach to security is based on people, process, and technology. Our category-leading source-code analysis tool works with any software development process and integrates with the leading IDEs. Because it reports fewer false positives, developers can apply the processes and tools their organizations have put in place more consistently and effectively to ensure that applications are secure.
To learn more about how Ounce helps secure organizations, visit http://www.ouncelabs.com.