AI Insights
cancel
Showing results for 
Search instead for 
Did you mean: 

Software assurance a critical component in application security

TracySiclair

By Eric J. Bruno

Application security begins in the design and development phase with software assurance. In fact, 65 percent of a typical enterprise application portfolio comes from third parties, yet 82 percent of third-party code doesn't comply with enterprise security standards on the first pass. Whose responsibility is it to ensure software security? For mobile applications, many assume the application review process ensures safety, yet many applications request access to data or components (such as smartphone contacts or camera) that don't always make sense.

This not only puts users at risk, but also puts the organizations developing these applications at risk of liability. "The supply chain has become a cyber security minefield for companies," says Stephen Boyer, CTO and co-founder of BitSight Technologies. Applying application security measures during development—part of a software assurance practice—can save your company from the liability that security vulnerabilities expose.

computersecuritybreach.j_266169.jpgOWASP Top Ten

The OWASP Top Ten is an awareness document for web application security. Updated every three years, it represents an up-to-date view about what the most critical application security flaws are based on attacks, exposed flaws in third-party code, tools, and research. Its project members include global security experts whose work results in a top-ten list of security vulnerabilities your organization should focus on.

Software assurance safety net

Within your organization, software assurance takes published security risks and data and applies it throughout the entire application development lifecycle. This applies to development and deployment processes (part of your agile and DevOps practices), and other products your organization depends on, including development libraries, open-source projects, development tools, and cloud providers and infrastructure. Anders Wallgren, CTO of Electric Cloud, says that automation combined with DevOps offers added security benefits: "Automated processes come with the extra benefits of being consistent and repeatable, with predictable outcomes for similar actions and tests, and they can be automatically logged and documented. Since DevOps spans your entire pipeline, it can provide traceability from code change to release."

The role of automation

In the end, software assurance is a set of security policies, requirements, and standards your organization uses as a guideline to produce software that ensures the privacy and safety of user data. These need to be agreed upon and applied by everyone within your organization, but automation can help turn this from a tedious policing activity into an ongoing security safety net. Automated security assurance tools provide the following benefits:

  • Collaboration: Encourages security and development teams to consistently collaborate on security issues and resolutions, becoming part of your agile process.
  • Automated reviews: Automates security testing and captures manual security testing and results from across your organization.
  • Reports: Automates updates on security trends, reviews, status, and compliance.
  • Prioritization: Audits your software and performs triage on the results, beginning with higher-priority security issues.
  • Centralization: Provides an accurate view of security risk across your entire organization, with a central repository of all policies, tools, reports, and security test results.

A software assurance program is a must in order to guard against hidden security vulnerabilities. The use of automation ensures this program is kept up-to-date and applied uniformly to all software assets across your entire organization. The result is increased user privacy and data safety, reduced liability for your organization, and greater peace of mind.

Visit our infrastructure solutions page to learn more about achieving predictable IT through automation and orchestration.

 

Eric Bruno.jpg

Eric Bruno is a contributing editor to online publications and journals, with more than 20 years of experience in the information technology community. He is a highly requested writer, moderator and speaker for a variety of sites, blogs, conferences and other events on topics spanning the technology spectrum from the desktop to the data center. He has written articles, blogs, white papers, and books on software architecture and development topics for more than a decade. Mr. Bruno is also an enterprise architect, developer, and industry analyst with expertise in full lifecycle, large-scale software architecture, design, and development for companies all over the globe. His accomplishments span the Internet of Things (IoT), highly distributed system development, multi-tiered web development, real-time development, and transactional software development. See his editorial work online at www.ericbruno.com.

 

0 Kudos
About the Author

TracySiclair

Tracy Siclair has worked for HPE for 20 years in various positions, all geared towards providing a better customer experience. She has a passion for thinking out-of-the-box and finding innovative ways to get the job done. While not on a computer for work, she enjoys watching her kids play sports, photography, videography, and the occasional game of billiards. Tracy resides in beautiful Fort Collins, Colorado.

Labels
Events
Read for dates
HPE at 2019 Technology Events
Learn about the technology events where Hewlett Packard Enterprise will have a presence in 2019.
Read more
Read for dates
HPE Webinars - 2019
Find out about this year's live broadcasts and on-demand webinars.
Read more
View all