Automated dynamic analysis of web applications has become de rigueur for security-conscious organizations, especially those with PCI or HIPAA responsibilities. A number of products exist for automated dynamic analysis, ranging from simple scans to complex cloud-based systems with human oversight. What is less common is the static analysis of applications: looking at the source code with a tool before deployment. I recently completed a review of the major players in this space and implementation of one. What is even less common is the comprehensive integration of security controls into the entire SDLC. This will be a review of my results of analysis, strategy for integration, troubles and solutions for your consideration.
Bill Sempf is a software security architect. His breadth of experience includes business and technical analysis, software design, development, testing, server management and maintenance, and security. In his 20 years of professional experience he has participated in the creation of well over 200 applications for large and small companies, managed the software infrastructure of two Internet service providers, coded complex software happily in every environment imaginable, tested the security of all natures of applications and APIs, and made mainframes talk to cell phones. He is the author of C# 5 All in One for Dummies and Windows 8 Programming with HTML5 For Dummies; a coauthor of Effective Visual Studio.NET and many other books, a frequent contributor to industry magazines; and has recently been an invited speaker for the ACM and IEEE, BlackHat, CodeMash, DerbyCon, BSides, DevEssentials, the International XML Web Services Expo and the Association of Information Technology Professionals. Bill is the project leader of the OWASP .NET Project, and is the Administrative Director of Locksport International.
If you would like to republish one of the articles from this site on your webpage or print journal please contact IronGeek.
Copyright 2020, IronGeek