The idea of web applications seems timeless, web apps have been around for a couple of decades already and yet we still keep hearing about security vulnerabilities in applications. Indeed the OWASP Top 10, a security group’s listing of the top web app flaws, hasn’t changed much in the past decade. The emergence of mobile applications has only heightened the issues developers face. Balancing time-to-market (in part bolstered by Eric Ries and his “lean methodology” and “minimum viable product” mantras), functionality and security is a difficult balancing act. often security misses out as developers take a “how bad can it be” approach. According to a recent study:
Don't Miss: The hottest Apple Rumors for 2017
- 48% of mobile applications are vulnerable to unauthorized access
- 37% contain sensitive information disclosures
- 33% are vulnerable to cross-site scripting attacks
- 26% use improper encryption
Damning statistics and ones which aren’t surprising when one considers that developers aren’t generally security specialists (and, conversely, security experts tend not to think or talk like developers).
This is where SD Elements comes in – the company offers a “security prescription” that development teams can use. The developers don’t need to know security, the tool does it for them. Essentially SD Elements guides developers through the build process and incorporates security protection into the app from the beginning. Here’s how it works:
- Step 1 – Developers answer a short questionnaire about the app they’re developing. This helps determine the type of features it will include and the risk set that is relevant to the app
- Step 2 – After completing the survey, SD Elements runs an automated risk analysis that brings up every potential vulnerability that may be an issue for the app. SD Elements has the most comprehensive list of software security requirements currently available on the market – and the automated search takes 15 minutes
- Step 3 – SD Elements can be merged into the existing Application Lifecycle Management tools to make the secure coding process seamlessly fit into the regular development cycle
- Step 4 – Using SD Elements, developers are guided step-by-step through the process of remediating risks/flaws as they develop the app, and adding in layers of additional protection. The tool prioritizes tasks and offers very clear guidance (including code samples, embedded training, etc.) for how to implement security. SD Elements also allows the developer to test as they go
- Step 5 – To verify that security is in place, developers can run the app through several popular security scanning products
It’s an interesting approach – instead of using either a pre-configured software security requirement list, or an after-the-fact automated scanning tool, SD Elements works alongside and at the same time as the development process, it’s also a dynamic tool, taking into account new found vulnerabilities and approaches to security. It’s also compatible with existing scanning products so sits nicely in the web app security lifecycle process.
Of course in an ideal world a development environment would edit code on-the-fly to include robust security, but development environments tend to be relatively static, security tools have to be dynamic to react to the ever-changing security landscape.
SD Elements is an interesting approach, if using it means there is less likelihood of vulnerable applications hitting the market, it’s a positive addition to the host of tools that developers have in their toolbox.