Building Better Apps... Veracode and Security Insiders Outline Top Five Development Mistakes to Avoid

News provided by

Veracode, Inc.

07 Jun, 2012, 13:40 GMT

- Taking application security seriously from the start and committing to a programmatic approach sighted as keys

BURLINGTON, Massachusetts, June 7, 2012 /PRNewswire/ -- Veracode, Inc., the leader in cloud-based application security testing, believes securing applications is a team effort.  Everyone from developers to security testers must be aware of how vulnerabilities are created in order to effectively ensure the security of an organization's most valuable data.

"Developing applications is a process that requires building code, testing for inconsistencies and errors, and finally ensuring user data will be secure," said Chris Wysopal, Co-Founder, CTO and Chief Information Security Officer of Veracode.  "Every day we hear of another company getting breached because of failure to accurately ensure the security of applications." 

To keep security top of mind for organizations, Veracode polled a number of application security experts and reached a consensus on some common steps that developers can take to make applications more secure.

The Top Five:

  1. Don't wait until the last minute to include security measures.  Andrew Hay, Senior Security Analyst at 451 Research, and David LeBlanc, Senior Security Technologist at Microsoft, agree that too many developers wait to test an application's security until the application has already been built.  Instead, they suggest thinking about security during the analysis layer to avoid creating major problems. 
  2. Identify the security experts.  LeBlanc says that application developers are too often focused on getting apps to market, meaning that security testing can get skipped. Eoin Keary, Global Vice Chair of OWASP and Director/CTO of BCC Risk Advisory, says that while developers are rarely security experts, it is important that they know who to look to within their organizations for security advice and guidance.   
  3. Engage in further education.  Only a limited amount of time is spent on educating developers on security-related subjects while in school, and in turn most developers having worked with implementing security measures into their applications.  Wim Remes, Manager at Ernst and Young, suggests participating in yearly security awareness sessions offered by top security companies or seeking out additional security training at your local university.
  4. Build a security program that can test all applications.  Many developers address software security on an ad hoc basis, only responding to a particular need at a particular time. Veracode's Chris Wysopal suggests implementing an application security program that can check for threats on the same level as user requirements.
  5. Ensure patching is consistent. When application security problems are discovered, many developers move on, thinking there is nothing they can do about it.  Jack Daniel, Product Manager at Tenable Network Security, advises increasing the amount of monitoring by team members to make sure patching vulnerabilities is the first step in completing the development of the app. 

More information on steps developers and others can take to make applications more secure is available on the Veracode website: http://www.veracode.com/blog/2012/06/building-secure-web-applications-infographic/.   

About Veracode
Veracode is the only independent provider of cloud-based application intelligence and security verification services.  The Veracode platform provides the fastest, most comprehensive solution to improve the security of internally developed, purchased or outsourced software applications and third-party components.  By combining patented static, dynamic and manual testing, extensive eLearning capabilities, and advanced application analytics, Veracode enables scalable, policy-driven application risk management programs that help identify and eradicate numerous vulnerabilities by leveraging best-in-class technologies from vulnerability scanning to penetration testing and static code analysis.  Veracode delivers unbiased proof of application security to stakeholders across the software supply chain while supporting independent audit and compliance requirements for all applications no matter how they are deployed, via the web, mobile or in the cloud.  Veracode works with customers in more than 80 countries worldwide representing Global 2000 brands.  For more information, visit www.veracode.com, follow on Twitter: @Veracode or read the Veracode Blog.