Secure by Design: Taking the next steps in application security
For those of us involved with software and systems development who happen not to be experts in testing (there are a few of us out here) or application security (ditto), some of the terminology used for code analysis can sound downright mysterious. Take "black box testing": it is a set of methods for checking that a unit of code delivers its required functionality by feeding it inputs and examining only the outputs. You don't worry about what goes on inside the box; you just want the results, as expected. Applied to security, the same idea means attacking the running application from the outside and watching how it responds.
By contrast, "white box testing" examines the internal structure of the code. In application security this usually means analysis of the source itself, which doesn't require you to execute the code (you could, but let's keep this simple). In terms of household electricity, it's analogous to the continuity test: with the power off, you can determine whether a particular light switch is working properly according to its internal design. If not, you're out a buck fifty to replace the switch; no big deal.
In software development, however, the stakes are considerably higher. Whole businesses and reputations can be seriously compromised by faulty code that slips past weak security testing.
Enter "glass box testing", another one of those phrases that can conjure up fairytale imagery. Snow White, anyone? In fact, glass box testing is an important mode of analysis that keeps the black box approach of attacking the running application from the outside, but adds visibility into what the code does internally while it is under attack, so that a finding can be traced to the code that caused it.
With this latest release of Rational AppScan Standard Edition v8.5, software and systems development teams get new glass box testing capability with run-time analysis -- which is a form of interactive application security testing (IAST). This is from the press release: “AppScan glass box security testing is the latest evolution of hybrid analysis that combines dynamic (black box) analysis to simulate security attacks with an internal agent that monitors application behavior during the attack. This combination of a remote agent with traditional black box testing provides more accurate test results, identifies new threat categories, and pinpoints specific lines of code and details that help facilitate remediation.”
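To make the press-release description concrete, here is an added example of the glass box idea in miniature. It is my own toy model written for this post, not AppScan's agent or any IBM code, and every name in it (GlassBoxAgent, InstrumentedConnection, the two endpoint paths, the "gb" probe marker) is an assumption made for illustration. A simulated black box scanner sends an injection-shaped payload carrying a unique marker to each endpoint; an in-process agent hooked into the database driver watches the SQL text, and when the marker shows up there it records the application function and source line that built the query. The black box side alone could only report "this endpoint looks injectable"; the agent is what pinpoints the line.

```python
"""Toy model of glass box (IAST) testing: a black box driver sends attack
payloads to the application while an in-process agent watches a security
sink and reports which line of application code handed attacker data to it.
Added example: not AppScan's agent or any IBM code; every name here is an
assumption made for illustration."""
import inspect
import sqlite3
import uuid
from dataclasses import dataclass


@dataclass
class Finding:
    endpoint: str   # which black box request triggered the sink
    sink: str       # the dangerous API that received attacker data
    function: str   # application function that called the sink
    line: int       # source line of that call, for remediation
    probe: str      # the unique marker the scanner planted in the payload


class GlassBoxAgent:
    """In-process monitor. It is told which probe string the scanner is
    sending right now and records when that probe shows up inside SQL text,
    which means the input reached the query unparameterised."""

    def __init__(self):
        self.endpoint = None
        self.probe = None
        self.findings = []

    def begin_request(self, endpoint, probe):
        self.endpoint, self.probe = endpoint, probe

    def observe_sql(self, sql):
        if self.probe and self.probe in sql:
            # stack()[0] is this method, [1] the proxy's execute(), [2] the
            # application code that built the query: that is the line to report
            caller = inspect.stack()[2]
            self.findings.append(Finding(self.endpoint, "sqlite3.execute",
                                         caller.function, caller.lineno, self.probe))


class InstrumentedConnection:
    """Proxy around sqlite3.Connection: the hook an agent would install in the
    database driver. Only the SQL text is inspected; bound parameters cannot
    change the statement's structure, so they are passed through untouched."""

    def __init__(self, conn, agent):
        self._conn, self._agent = conn, agent

    def execute(self, sql, params=()):
        self._agent.observe_sql(sql)
        return self._conn.execute(sql, params)


# --- constructed application under test (two handlers, one of them broken) --
def search_vulnerable(conn, name):
    # string-built query: the input lands in the SQL text and alters it
    return conn.execute("SELECT name FROM users WHERE name = '" + name + "'").fetchall()


def search_safe(conn, name):
    # parameterised query: the input is bound, never spliced into the statement
    return conn.execute("SELECT name FROM users WHERE name = ?", (name,)).fetchall()


def black_box_scan(endpoints, agent):
    """Simulated DAST driver. Sends an injection-shaped payload carrying a
    unique marker to each endpoint and tells the agent which request is in
    flight, so agent findings can be correlated with the scanner's requests."""
    for path, handler in endpoints.items():
        probe = "gb" + uuid.uuid4().hex[:8]
        payload = "' OR '" + probe + "'='" + probe   # tautology payload: ' OR 'gb..'='gb..
        agent.begin_request(path, probe)
        try:
            handler(payload)
        except sqlite3.Error:
            pass   # the black box side only sees an error page; the agent already saw the sink
        finally:
            agent.begin_request(None, None)
    return agent.findings


def run_demo():
    """Wire the constructed app to the agent and scan it; returns the findings."""
    agent = GlassBoxAgent()
    raw = sqlite3.connect(":memory:")   # constructed sample database
    raw.execute("CREATE TABLE users (name TEXT)")
    raw.execute("INSERT INTO users VALUES ('alice')")
    conn = InstrumentedConnection(raw, agent)
    endpoints = {
        "/search-vulnerable": lambda q: search_vulnerable(conn, q),
        "/search-safe": lambda q: search_safe(conn, q),
    }
    return black_box_scan(endpoints, agent)


if __name__ == "__main__":
    for f in run_demo():
        print(f"{f.endpoint}: attacker input reached {f.sink} in {f.function}() at line {f.line}")
```

Running it reports one finding, for /search-vulnerable, naming search_vulnerable and the line of its string-built query; /search-safe is silent because the marker never enters the SQL text. Two design points carry over to real agents: the unique per-request probe is what lets the agent's internal observation be matched to the scanner's external request, and the agent watches the sink rather than the response, so it still catches the flaw when the attack produces nothing visible from outside.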
The most serious application vulnerabilities are the ones that let an attacker read, create, change, or delete data. But application risk also includes compliance demands that require businesses and public entities to secure sensitive data, ensure the privacy of client data, or make services accessible to those with disabilities. To stay ahead in this potentially dangerous game, applications must be secure by design, which means security is not an afterthought, the way testing was once treated as a late-stage activity. To be truly secure, testing must be integrated deep into the development lifecycle.
This is where the new release of IBM Rational AppScan can make a difference, by promoting collaboration among the stakeholders and integration into existing development processes.
Please take a moment to read a little more about this important security testing announcement from the IBM Rational software team.