Secure by Design: Developing Apps Without Flaws Takes the Right Tools
Building secure enterprise applications starts at the design phase. But it has taken a long time to create tools that help ferret out code flaws and teach developers how to write better code.

Developers have long struggled with the security conundrum of how to quickly deliver apps that are as inherently secure as they are robust, reliable and efficient. In today's fast-paced world of mobile, social, cloud and often complex enterprise applications, the pressure is on developers to produce applications faster than ever. Yet, despite that pressure to deliver more apps faster, there is just as much pressure—brought on by those same mobile, social and cloud factors—to deliver applications that are more secure and reliable than ever before. What's a developer to do?

"Time-to-market pressure results in continually shrinking software delivery windows, while the business risks associated with software defects have never been greater," said Jennifer Johnson, chief marketing officer for Coverity, the maker of the Coverity Development Testing Platform, an integrated suite of software testing technologies for identifying and remediating quality and security issues during development. Coverity's platform automatically tests source code for software defects that could lead to product crashes, unexpected behavior, security breaches or even catastrophic failure.

According to IBM, application security vulnerabilities can be introduced in various phases of the development cycle: the requirements and design process fails to consider proper security; flaws are inadvertently or purposely introduced into the code during software implementation; or a configuration setting at deployment does not match the requirements of the product within its computing environment—for example, when unencrypted communication is allowed over the Internet.
To limit such occurrences, IBM has instituted a structured development process for delivering secure applications called the Secure Engineering Framework, which recommends the use of automated security analysis tools and proven certified security components.
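The deployment-phase failure mode described above, a configuration that drifts from the product's security requirements, is the kind of mismatch an automated check can catch before release. The following is an added illustration, not code from Coverity, IBM or the Secure Engineering Framework: it compares a constructed listener configuration against a small set of hypothetical requirements (`require_tls_for_public_listeners`, `min_tls_version`) and reports each violation, including the plaintext-on-the-Internet case the article mentions.

```python
"""Added example: verify a deployment configuration against security
requirements. All requirement names, config keys and sample values below
are constructed for illustration; they are not any vendor's real schema."""
from typing import Dict, List, Tuple

# Constructed requirements (hypothetical names).
REQUIREMENTS: Dict[str, object] = {
    "require_tls_for_public_listeners": True,  # no plaintext listeners reachable off-host
    "min_tls_version": "1.2",                  # reject TLS 1.0/1.1 on any TLS listener
}

# Addresses that only accept connections from the local machine.
LOOPBACK = {"127.0.0.1", "::1", "localhost"}


def is_public(bind_address: str) -> bool:
    """A listener is 'public' unless it is bound to a loopback address."""
    return bind_address not in LOOPBACK


def _version(v: str) -> Tuple[int, ...]:
    """Turn '1.2' into (1, 2) so versions compare numerically, not as strings."""
    return tuple(int(p) for p in v.split("."))


def check_config(config: dict, requirements: Dict[str, object] = REQUIREMENTS) -> List[str]:
    """Return one human-readable line per requirement the config violates.

    An empty list means the deployed settings match the requirements.
    """
    violations: List[str] = []
    for listener in config.get("listeners", []):
        name = listener.get("name", "<unnamed>")
        addr = listener.get("bind", "0.0.0.0")   # default bind is the permissive one
        port = listener.get("port", "?")
        tls_enabled = bool(listener.get("tls", False))

        # Case from the article: unencrypted communication allowed over the Internet.
        if requirements["require_tls_for_public_listeners"] and is_public(addr) and not tls_enabled:
            violations.append(f"{name}: plaintext listener on public address {addr} port {port}")

        # A TLS listener that still negotiates an obsolete protocol version.
        if tls_enabled:
            min_ver = listener.get("min_tls_version", "1.0")  # absent setting = weakest
            required = str(requirements["min_tls_version"])
            if _version(min_ver) < _version(required):
                violations.append(f"{name}: TLS minimum version {min_ver} is below required {required}")
    return violations


# Constructed "as deployed" configuration: two of three listeners violate policy.
DEPLOYED_WEAK = {
    "listeners": [
        {"name": "admin", "bind": "127.0.0.1", "port": 8081, "tls": False},
        {"name": "api", "bind": "0.0.0.0", "port": 80, "tls": False},
        {"name": "api-tls", "bind": "0.0.0.0", "port": 443, "tls": True, "min_tls_version": "1.0"},
    ]
}

# Constructed corrected configuration: public traffic is TLS 1.2+, admin stays local.
DEPLOYED_HARDENED = {
    "listeners": [
        {"name": "admin", "bind": "127.0.0.1", "port": 8081, "tls": False},
        {"name": "api-tls", "bind": "0.0.0.0", "port": 443, "tls": True, "min_tls_version": "1.2"},
    ]
}


if __name__ == "__main__":
    for label, cfg in (("weak", DEPLOYED_WEAK), ("hardened", DEPLOYED_HARDENED)):
        problems = check_config(cfg)
        print(f"{label}: {'OK' if not problems else ''}")
        for p in problems:
            print("  -", p)
```

Running it reports the plaintext port-80 listener and the TLS 1.0 floor for the weak configuration and nothing for the hardened one. The useful design point is that the check treats a missing setting as the weakest value, so an omitted `tls` or `min_tls_version` key fails closed instead of silently passing.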