Contributed By
Taylor Armerding, Software Security Expert, Synopsys Software Integrity Group
“If tools aren’t used correctly, at the right time, and in the right way, they can flag an overwhelming number of potential vulnerabilities, many of them insignificant or irrelevant to a particular project. And that can frustrate development teams to the point that they could start ignoring the warnings or even disabling the tools, undermining the security those tools are meant to enhance.”
That, according to Meera Rao, is one of the biggest challenges of embedding security into DevOps and yielding effective DevSecOps.
Rao, senior director for product management (DevOps solutions) at Synopsys, notes the reality that “at every stage in the pipeline or even in your SDLC, you have many security activities to perform, and each and every one of them gives you vulnerabilities. That can lead to defect overload.”
By now, that list of DevSecOps testing tools and other security tasks is fairly standard. At the start, security teams should conduct threat modeling and risk analysis based on what an application is expected to do and what kind of input, if any, it will handle. Obviously, a page on a website that accepts user input including personal and financial data needs more rigorous security than one that simply provides information, such as the locations of company offices.
During the coding and building phases, automated tools like static, dynamic, and interactive analysis can flag bugs and other defects that could be exploited. Fuzz testing can check how the software responds to random, malformed input. Software composition analysis (SCA) can help find open source components that may have security defects and/or licensing conflicts.
This story is from the {{IssueName}} edition of {{MagazineName}}.
Start your 7-day Magzter GOLD free trial to access thousands of curated premium stories, and 9,000+ magazines and newspapers.
Already a subscriber ? Sign In
This story is from the {{IssueName}} edition of {{MagazineName}}.
Start your 7-day Magzter GOLD free trial to access thousands of curated premium stories, and 9,000+ magazines and newspapers.
Already a subscriber? Sign In
Should I Buy Cyberinsurance?
Personal cyberinsurance covers a range of cybercrimes such as cyber extortion, cyberbullying, online fraud, and data loss.
Quick Tips: Five Things To Do If You Get Hacked
It might seem like an obvious choice at first, but many people often resort to panic-clicking device options, rebooting, Googling for solutions, calling tech support (or that tech-savvy friend) for help, all while leaving the compromised device connected.
CLASH OF THE EXECUTIVE SALOONS: BMW 5201 VS MERCEDES-BENZ E200
The BMW 5 series and Mercedes-Benz E-Class are motoring institutions.
SENNHEISER TULLAMORE FACTORY TOUR: HOW THE WORLD'S BEST HEADPHONES ARE MADE IN IRELAND
It’s a relatively common practice for brands to have separate facilities for parts manufacturing and product assembly, whether it’s for cost or other reasons.
Tech Awards 2024 Readers' Choice
BEST OF PERSONAL COMPUTING
Good For Nothing
After a rocky start with the Nothing Phone (1), the company turned things around by releasing the incredible Nothing Phone (2).
A For Affordable AI
The Google Pixel 8a has arrived, offering many features from its flagship siblings at a more affordable price. It maintains a sleek, compact design, making it easy to handle with one hand.
Mercedes Benz EQS SUV
Mercedes-Benz's adoption of electricity has been impressively rapid.
5 Steps To Secure Your Home With A Mesh Network
Firewalls filter data in network traffic to protect the network from a wide variety of malicious attacks and malware.
The Best Hair Straightener
When I first saw the Dyson Airstrait straightener, my immediate feelings were one of cautious optimism.