Today, up to 90% of security breaches are caused by software vulnerabilities, additionally penetration testing activities commonly occur near the last phase of the Software Development Life Cycle (SDLC). “Shifting Security Left” means that security controls are established at an earlier phase in the SDLC and this, in consequence, lowers the cost of having an appropriate security posture.
The recommended way to accomplish this is by formalizing an Application Security Program (ASP), which commonly entails:
- Finding simply accessible flaws through Vulnerability Scans: which usually identify a third part of the security issues. These issues should be addressed immediately because they are easily discovered by outsiders.
- Complementing Vulnerability Scans with Vulnerability Assessments: which implies involving an experienced Security professional to make sure every control is in place and working as expected.
- Threat Modelling your Application: comprehends having brainstorming sessions between the security and business sides to identify risks the application may encounter and establishing appropriate mitigating actions.
- Performing a Static Code Analysis: helps identify issues in code automatically and this should be complemented with Static Secure Code Reviews which incorporate quality assurance as well as being manually executed. Additionally, some plugins can be added to the development environment (IDE) in order to help developers fix their code before deployment.
- Dynamically Testing your Application: enabling automatic testing of running applications can tell you what and how to fix the issues. There are free and paid software options available.
- Executing Penetration Tests: to exploit vulnerabilities found in the Vulnerability Scanning and Assessment phase.
Ideal actions which could be added:
- Executing Developer Education Programs: with on Secure Coding Practices through peer reviews with a designated security champion, mentoring sessions and talks.
- Establishing your Secure Coding Standards: so developers can have a source to consult good practices for their requirements.
- Giving your collaborators a place to report Security Bugs: through a Responsible Disclosure program.
Last but not least, some actions that companies usually incorporate:
- Enabling Bug Bounty Programs: mainly used by large companies to assess security so as to have many professionals inexpensively reviewing your application.
- Creating Capture The Flag (CTF) Contests: which expose vulnerable systems to attack, giving rewards for resolution.
- Facilitating Red Team Exercises: which implies attacking your production application during business hours without previous notice so as to evaluate its resiliency and contingency preparations.