Application security testing/audit and vulnerability analysis

Robust Application Security arrangements are both common sense and a PCI DSS requirement. While network security, system security and penetration testing can be separated relatively easily from software development activities (which explains the abundance of specialist providers of penetration testing services), Application Security permeates the whole development cycle. Having adequate Application Security provisions therefore requires two things:

  1. Setting up the security process. It is tricky to introduce Application Security activities with minimum disruption to the existing software development process, in a way that meets the goals of the company without adding unnecessary security activities. The goals vary: some companies are primarily interested in demonstrating PCI DSS compliance, while others introduce in-depth security measures aimed at protecting the company's own interests rather than those of the payment card brands. A further difficulty is making sure that all participants in the development process have the necessary security knowledge and are aware of the security requirements relevant to their job role.
  2. Living the process. Application Security Audits require specialist skills and tend to be labor-intensive, so even a lean process fine-tuned to the goals of the company is still expensive to operate. Automatic tools (such as Fortify SCA and PMD) help to an extent, but a lot of skilled manual work remains in, for example, reviewing the output of a security code analyzer and separating genuine vulnerabilities from false positives. And of course, no automatic tool can perform a security review of business requirements and design documentation, which is a powerful way of catching potential vulnerabilities early and eliminating them before time and money have been spent implementing the wrong decisions.

Based on its long experience of performing Application Security work for customers, Exigen Services offers:

Shaping up the Application Security Process

  • Reviewing the existing security arrangements in the customer’s development process and identifying weaknesses and/or inefficiencies
  • Introducing missing stages, standards and artifacts
  • Delivering customized training in Application Security to Business, IT Managers, Developers and Testers according to their job roles

Outsourcing labor-intensive parts of the Application Security Testing Process

  • Security review of business requirements
  • Security review of design decisions
  • Threat Modeling
  • Ongoing scanning of code for security vulnerabilities
  • Pre-release white-box security audit of applications and systems
  • Review of deployment instructions and network security

Apart from cutting costs, outsourcing these activities goes a long way towards satisfying Requirement 6.6 of PCI DSS, which requires public-facing web applications to be reviewed for vulnerabilities (or protected by a web application firewall). The reviewing party, “an organization that specializes in application security”, can be either a third-party company or an internal organization, as long as the reviewers specialize in application security and can demonstrate independence from the development team.