Micro Focus Fortify is proud to be the exclusive sponsor of the TestGuild Security podcast hosted by Joe Colantonio. This weekly podcast, released every Thursday, is a 30-minute-or-less, interview-style series featuring some of the top security testing experts in the field.
The latest episode of the TestGuild Security Podcast, titled “Developers are Taking Over Application Security,” features Jeffrey Martin. Jeff has spent the last 15 years in product roles helping both the organizations he worked for and their customers transform and measure their business processes, development, and QA.
While I highly suggest you carve out 30 minutes to give this episode a listen, here are three key takeaways I found intriguing during the interview (all quotes are from Martin).
1. Shifting Security Testing Farther Left Than Functional Testing
“It’s kind of funny because oddly Security can actually be shifted even farther left than functional Testing, because so much of Security does revolve around which components you select to use from third parties.
“So some of our own research shows that around 80 percent of all code, if you look at just a given product’s code base, is actually comprised of open source or third-party components, and only about 20 percent, and in some cases much less, is proprietary. So because of that you can actually in any way shift Security so far left that it’s even pre-code, by seeing if the component has known vulnerabilities before you even download it.”
2. Knowing if Open Source Components Have Known Vulnerabilities
“So there are several ways to do this. Kind of the way that I hope most of the audience would be at least beginning to do this is literally looking at the repo for that particular open source project, seeing if there are known vulnerabilities and that you're using the most recent version. It sounds almost insane, but a lot of times people bring in older versions, you know, by accident or because that's what they used last time or because they're copying a different project. So, it starts with using the most recent version. But then once you have that, you can look inside those repos, actually go through all that manual effort yourself. Take a look at the NVD, the National Vulnerability Database, and see if there are known vulnerabilities in that code, or you can use a product and automate that for you.
“And actually, several products will, even before you implement it, give you that information inside your IDE or inside a browser plugin.”
3. Security Never Ends
“This sort of reminds me of the functional days because a lot of times, until the industry got mature enough to include certain quality metrics in their definition of done, it would be OK. And it has to be good. It has to work, and it has to perform well. The one big difference is, unlike functional testing or even performance testing to a degree, security never ends. Every component you use, more vulnerabilities pop up eventually. There's never a time where you say, yes, this is secure and we're done. That changes a little bit about who's responsible for it. So, kind of go back to what we were talking about a second ago. Once you select the component and you've included it in your code, there is the maintenance and the continual monitoring of it. Making sure that it is still secure or, when it inevitably has a new vulnerability, that you are going to the latest version. Making sure you're remediating that vulnerability. That becomes almost a DevOps motion by itself in that it's continual and it never really ends. So, it's different from quality in that regard, where you can say once this thing works, if we don't change the code, it's going to keep working. You cannot say that about Security. You can never change the code and it will still be insecure at some point.”
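To make takeaways 2 and 3 concrete, here is a small software-composition check written for this post; it is not code from Fortify or from the podcast. It reads a pinned dependency manifest, matches each component against an advisory feed with affected version ranges, and flags both known vulnerabilities and components pinned behind the latest release. It is then run a second time against the same unchanged project with a later snapshot of the feed, which is Martin's "security never ends" point: a component that was clean at the first check gets flagged once a new advisory is published. The package names (acme-*), advisory IDs (ADV-*) and version data are all constructed for the example; a real check would load the NVD or OSV feed and the project's lockfile, and matching NVD entries by package name is a simplification (NVD keys records by CPE, so a name mapping is needed).

```python
"""Minimal software-composition check against a constructed advisory feed.

Everything below (package names, ADV-* identifiers, version numbers) is
invented for the example. A real run would load the NVD/OSV feed and the
project's lockfile instead of the inline constants.
"""
import re
from typing import Dict, List, Tuple

Version = Tuple[int, ...]

# Constructed pinned manifest for a hypothetical project (requirements.txt style).
MANIFEST = """
# hypothetical third-party components
acme-http==2.19.0
acme-yaml==5.1
acme-pad==1.3.0
"""

# Constructed advisory feed and latest-release index at the first check.
# Each advisory is (id, introduced, fixed); the affected range is
# introduced <= version < fixed, the convention OSV-style feeds use.
FEED_FIRST = {
    "advisories": {
        "acme-http": [("ADV-1", "2.0.0", "2.20.0")],
        "acme-yaml": [("ADV-2", "0", "5.4")],
    },
    "latest": {"acme-http": "2.25.1", "acme-yaml": "5.4", "acme-pad": "1.3.0"},
}

# The same feed months later: the project did not change, but a new advisory
# for acme-pad was published and a fixed release was cut.
FEED_LATER = {
    "advisories": {**FEED_FIRST["advisories"],
                   "acme-pad": [("ADV-3", "1.0.0", "1.3.1")]},
    "latest": {**FEED_FIRST["latest"], "acme-pad": "1.3.1"},
}


def parse_version(text: str) -> Version:
    """'2.19.0' -> (2, 19, 0). Numeric components only; pre-release tags are
    ignored, which is sufficient for the pinned versions used here."""
    return tuple(int(part) for part in re.findall(r"\d+", text))


def parse_manifest(text: str) -> Dict[str, str]:
    """Read 'name==version' lines, skipping blanks and comments.
    Unpinned components are rejected: you cannot assess what you have not fixed."""
    pins: Dict[str, str] = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        name, _, version = line.partition("==")
        if not version:
            raise ValueError(f"unpinned component: {line!r}")
        pins[name.strip().lower()] = version.strip()
    return pins


def is_affected(version: str, introduced: str, fixed: str) -> bool:
    """True when introduced <= version < fixed (the fixed release itself is clean)."""
    return parse_version(introduced) <= parse_version(version) < parse_version(fixed)


def check(manifest: str, feed: dict) -> List[dict]:
    """One finding per problem: 'vulnerable' (advisory id plus first fixed
    version) or 'outdated' (pinned behind the latest known release)."""
    findings: List[dict] = []
    for name, pinned in parse_manifest(manifest).items():
        for adv_id, introduced, fixed in feed["advisories"].get(name, []):
            if is_affected(pinned, introduced, fixed):
                findings.append({"component": name, "version": pinned,
                                 "kind": "vulnerable", "advisory": adv_id,
                                 "fixed_in": fixed})
        latest = feed["latest"].get(name)
        if latest and parse_version(pinned) < parse_version(latest):
            findings.append({"component": name, "version": pinned,
                             "kind": "outdated", "latest": latest})
    return findings


if __name__ == "__main__":
    # Same manifest, two feed snapshots: acme-pad is clean first, flagged later.
    for label, feed in (("first check", FEED_FIRST), ("months later", FEED_LATER)):
        print(label)
        for finding in check(MANIFEST, feed):
            print("   ", finding)
```

Run as a pre-commit or CI gate, the `vulnerable` findings are a hard fail and the `outdated` findings are the "use the most recent version" nudge from takeaway 2; scheduled against the current feed on a cadence, the same script is the continual monitoring takeaway 3 asks for, since the feed changes even when the code does not.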
Hear the full interview, “Developers are Taking Over Application Security,” in which Jeffrey Martin discusses many topics, including open source, why developers are taking over AppSec, and many other security insights and perspectives!
About Micro Focus Fortify
Fortify offers an end-to-end application security solution that secures and protects code throughout the entire development lifecycle of any type of software, from development to testing, release to production, and every iteration in between. Fortify static, dynamic, interactive, and runtime security testing technologies are available on premises or on demand, offering organizations the flexibility needed to build an end-to-end software security assurance program.