Before agile development went mainstream, manual security and quality assurance methods were considered adequate for many organizations’ needs. But today’s agile and lean development cycles are simply too rapid for manual approaches to web application security. The challenge now is how to effectively automate security without slowing down development.
A good place to start is to set security requirements and acceptance criteria during the agile story planning process. In agile, this exercise can and should be even more rigorous than the traditional “Big Design Up Front” software development process, where security requirements have either been lax, or mainly focused on documenting authentication and authorization. Since investing in security automation is costly, it’s only sensible to think about and document the goals of this automation. No system is ever perfectly secure.
With agile processes, developers make incremental changes to applications based on close to real-time feedback. Vulnerabilities must also be detected and remediated in near real-time for agile development to stay on track. Unfortunately, traditional security testing tools and methods like dynamic analysis and penetration testing don’t provide a complete security solution for agile environments.
Verification must be easy and lightweight. So how can organizations achieve this security goal within agile timeframes?
The Tradeoffs and Shortfalls of Static and Dynamic Analysis
With static analysis tools, developers can achieve fast and relatively accurate security verification during the QA process, but up-front setup costs can be unacceptably high. By contrast, dynamic analysis comes with lower up-front setup costs, but only moderate accuracy. Can either approach be reliable without manual security and QA effort?
Dynamic and static analysis provide remediation guidance, but remediation is a manual process, which can disrupt rapid agile development cycles. And no test will identify every vulnerability or predict every attack vector that can be encountered by an application once it’s deployed.
With static analysis, code is examined for security vulnerabilities, but only when the code is not running. To do this, the static tool needs to perform complex and deep taint analysis of the code and its many dependencies, making it very time consuming (hardly an ideal solution for an agile environment).
What’s more, in most code bases a fair amount of effort must be invested to configure the static analysis tool to know how and where input validation and output encoding are performed in the code base. However, once these obstacles are overcome initially, static analysis can be performed relatively quickly within the agile development cycle.
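To make the configuration point above concrete, here is a toy taint checker, added as an illustration for this post and not code from the original article or from any product it mentions. It walks a small Python snippet looking for data that flows from a source (attacker-controlled input) to a sink (HTML rendering, a database query). The function names `request_param`, `html_escape`, `render_html` and `run_query` are hypothetical stand-ins, and the analyzed snippet is constructed for the example. The checker has no idea that `html_escape` is an output-encoding routine until it is told so; run it with and without that configuration and the difference is a false positive on the HTML sink, which is exactly the setup effort the paragraph describes.

```python
import ast
from dataclasses import dataclass

# Constructed example: hypothetical source and sink names the checker knows about.
SOURCES = {"request_param"}           # calls that return attacker-controlled data
SINKS = {"render_html", "run_query"}  # calls where tainted data is dangerous


@dataclass
class Finding:
    sink: str
    lineno: int
    expr: str


class TaintChecker(ast.NodeVisitor):
    """Tracks taint through simple assignments, concatenation and f-strings.

    `sanitizers` is the per-code-base configuration: names of functions whose
    return value is considered clean (validation or output encoding).
    """

    def __init__(self, sanitizers=()):
        self.sanitizers = set(sanitizers)
        self.tainted = set()   # variable names currently holding tainted data
        self.findings = []

    @staticmethod
    def _call_name(node):
        if isinstance(node, ast.Call) and isinstance(node.func, ast.Name):
            return node.func.id
        return None

    def _is_tainted(self, expr):
        if isinstance(expr, ast.Name):
            return expr.id in self.tainted
        if isinstance(expr, ast.Call):
            name = self._call_name(expr)
            if name in SOURCES:
                return True
            if name in self.sanitizers:
                return False          # configured sanitizer: output is clean
            # Unknown call: conservatively propagate taint from its arguments.
            return any(self._is_tainted(a) for a in expr.args)
        if isinstance(expr, ast.BinOp):  # e.g. "SELECT ... " + name
            return self._is_tainted(expr.left) or self._is_tainted(expr.right)
        if isinstance(expr, ast.JoinedStr):  # f-strings propagate taint too
            return any(self._is_tainted(v.value) for v in expr.values
                       if isinstance(v, ast.FormattedValue))
        return False

    def visit_Assign(self, node):
        for target in node.targets:
            if isinstance(target, ast.Name):
                if self._is_tainted(node.value):
                    self.tainted.add(target.id)
                else:
                    self.tainted.discard(target.id)  # reassigning clears taint
        self.generic_visit(node)

    def visit_Expr(self, node):
        # A statement consisting of a bare call, e.g. render_html(x)
        name = self._call_name(node.value)
        if name in SINKS:
            for arg in node.value.args:
                if self._is_tainted(arg):
                    self.findings.append(
                        Finding(name, node.lineno, ast.unparse(arg)))
        self.generic_visit(node)


def analyze(source, sanitizers=()):
    """Return (sink, line) pairs where tainted data reaches a sink."""
    checker = TaintChecker(sanitizers)
    checker.visit(ast.parse(source))
    return [(f.sink, f.lineno) for f in checker.findings]


# Constructed snippet under analysis (line 1 is the blank line after the quotes).
SAMPLE = """
name = request_param("name")
safe = html_escape(name)
render_html(safe)
run_query("SELECT * FROM users WHERE name = " + name)
"""

if __name__ == "__main__":
    print("unconfigured :", analyze(SAMPLE))
    print("configured   :", analyze(SAMPLE, sanitizers=("html_escape",)))
```

Unconfigured, the checker flags both `render_html` (line 4) and `run_query` (line 5); once `html_escape` is registered as a sanitizer only the genuine query-construction problem on line 5 remains. A real static analyzer does this across every dependency and through far richer data flows, which is where both the accuracy and the time cost come from.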
Runtime Application Self-Protection as a Complementary Security Technology
An emerging approach to web application security, Runtime Application Self-Protection (RASP), can augment your organization’s existing static or dynamic analysis tools. RASP allows for runtime monitoring of actual attack behavior, for one application or a portfolio of applications. RASP is designed to provide the additional protection needed for dynamic web applications by building security into an application without requiring any code changes. And with RASP, up-front costs are minimal.
RASP technology picks up where dynamic and static analysis leave off, identifying authentication and business logic gaps and informing developers of exactly what they need to fix. What’s more, because RASP operates at runtime, it protects vulnerable applications until remediation can take place, providing real-time protection against exploitation.
Using RASP does not negate or cancel out the use of other security technologies. Developers still need to test for and fix as many vulnerabilities as possible before deployment. Firewalls and other perimeter defenses should still monitor network access, along with identity or access management systems.
To supplement finding vulnerabilities during the agile lifecycle, RASP adds a deep and comprehensive layer of protection to enable applications to secure themselves in real time in the production environment. This allows RASP users to protect critical customer data and the organization as a whole.
Want to find out more? Read our whitepaper, Real-time Web Application Security, to learn how RASP can fit into your organization’s application security program, and for tips on choosing the best web application security tools to fit your organization’s needs.