Practice Exams, CBT, and Free Study Guides for A+, Network+, CCNA, CISSP, MCITP, and MCSE
The Path to a Secure Application: A Source Code Security Review Checklist

By: Ounce Labs
Published : Jul 05, 2007
Length : 16
Type : White Paper
Overview :
The path to application security begins by rigorously testing source code for any and all vulnerabilities, to ensure the application will not compromise, or allow others to compromise, data privacy and integrity. This paper outlines the steps to secure source code development practices, and presents a source code security review checklist.
  • Where to Look for Security Vulnerabilities
  • How to Look for Security Vulnerabilities
  • What to Examine - Five Classes of Source Code Vulnerabilities
  • Applying the Source Code Security Review Checklist
  • Appendix: Source Code Security Review Checklist
For companies using custom-built, outsourced, or open source applications in-house, ensuring all current and legacy code is secure is no small challenge. Detecting and eradicating security vulnerabilities has historically been extremely difficult. Many organizations relied on manual code review, which is costly and labor-intensive, as well as penetration testing, which examines only a subset of potential security vulnerabilities in an application.
While both of these code review approaches have their uses, automatic source code analysis tools now allow companies to approach secure code development in a more systematic, automated, and successful manner. These source code analysis tools greatly improve the speed and accuracy of code review, and may be integrated seamlessly into the development lifecycle. In fact, the best tools can pinpoint each security vulnerability at the precise line of code and provide detailed information about the type of flaw, the risk it poses, and how to fix it.
Application security testing tools alone won't result in application security. Rather, such tools help developers and code reviewers assess applications - even those with many millions of lines of code - to identify the most potentially damaging security vulnerabilities. This allows development and remediation teams to prioritize their efforts and take a risk-based approach to remediating the code base, starting with the most critical problems.
© 1999 - 2007 CramSession. All Rights Reserved.