Streamline Your Software Fixes

Posted by Tom Bain on December 18, 2012 at 9:08 AM

Software is like the weather - it's great when the weatherman tells you it will be sunny and 80 degrees, and it actually happens. But when you think it will be sunny and warm, and it rains for 3 days straight, that's roughly equivalent to a typical software project not hitting deliverable dates, SDLC principles not being adhered to, and security certainly not being prioritized throughout the process.

Adding security to the software development mix - OK, it's the application security discipline - can mean different things to different groups at a given organization. Whether it's sunny, raining, snowing, etc.

One thing that is clear is that throughout the software development process, there are multiple issues that need to be addressed - but from our perspective at SI, the most important is security. We understand that software has to do cool stuff to perform, helping people accomplish something and certainly, for software companies, helping them produce a valuable asset to commercialize.

However, I think we can all agree that software is not created inherently secure, and that it's a problem. We have an incredibly unique solution at SI called TeamMentor - it's a SaaS-based knowledgebase of secure development guidance, the perfect in-practice companion for dev and security teams to ensure they have a place where they can reference best practices and prescriptive code fixes.

In a webinar last week, "Streamlining the Fix: Diminishing the Impact of Software Vulnerabilities with a Predictive Process", Dinis Cruz and I presented 4 major use cases to help companies understand how we can help, and how TeamMentor can serve as the fundamental, functional solution for development teams. We received a lot of good feedback, and I think the reason is that we kept it based on how people are using the product to solve real problems, reducing appsec risk and just plain getting better at producing software.

Here's the presentation

Also - here's a little articulation of the 4 use cases - and for those who follow SI, we'll be putting a few of these use cases to the test by demonstrating them further for you. So stay tuned, but in the meantime, if you are a member of a security team or a development team, or a security consultant, these use cases apply to you:

Static Analysis Integration - Overview:

  • TeamMentor is integrated with the static analysis tools in the latest build. (v.3.2.3)
  • TeamMentor integrates with Microsoft’s open-source product, cat.net. For customers who are not currently using a static analysis scanner, this is a unique opportunity not only to start scanning your software code, but to also gain a new level of insight around remediation, using TeamMentor’s prescriptive secure development guidance. 
  • What makes this offering unique is that the cat.net plugin is available for download from the Visual Studio extension library. This allows anyone on the development team who needs to review code where known vulnerabilities exist to do so within their IDE, so they a) stay in their environment, b) don’t have to manage another tool outside their developer environment, and c) are able to take the guidance and apply the principles learned, along with the prescriptive code snippets, to fixing that code.

Use Cases:

There are a number of use cases for TeamMentor: complementing a training program to give developers the secure guidance they need; providing best practices/checklists to map to, like OWASP; or meeting compliance requirements, like PCI, and mapping your remediation practices against all 12 PCI requirements.

But there are some very specific use cases that we are starting to see regularly, that are articulated here:

  • Use case 1: Security Team.
    • A software vulnerability has been identified.
    • It needs to be verified.
    • Where do you go to find the guidance you need? Google? A wiki or internal resource?
  • Use case 2: Security Team.
    • You’ve verified a software vulnerability. 
    • You need to communicate the details of that vulnerability, or set of vulnerabilities, to your team. 
    • How is this accomplished most effectively? 
  • Use case 3: Development Team.
    • You’ve verified the software vulnerability or overall findings - and now you are starting to prioritize it within the SDLC or the scope of your software project. 
    • You have internal development guidelines, and/or security policies you need to adhere to, and map your fixes against.
    • How can you streamline this process to make it efficient? 
  • Use case 4: Development Team with Tools.
    • Your tool(s) report findings.
    • You need to extract some context and intelligence from the results. 
    • The findings point to guidance that is specific to your findings. 
    • Now you fix the vulnerabilities and you re-scan for a continuous process that maps to an SDLC approach.

Hopefully this is helpful for you, like a weatherman's correct prediction of sun, or at least a recommendation, like "bring an umbrella because it's going to rain - sorry about that."

If you want to try TeamMentor, click here. If you want to view videos on what TeamMentor is and how it works, click here. (You'll also be able to see previews of our TeamProfessor appsec eLearning courses there too.)
