As discussed in the recently-released SANS Institute report, 2018 Secure DevOps: Fact or Fiction?, many organizations are bound by constraints around privacy and access (e.g. GDPR, PCI, PII), federal regulations, and mandated oversight. With these boundaries, to ensure a successful DevSecOps strategy, it is critical to integrate automated security testing into development workflows:
– 2018 Secure DevOps: Fact or Fiction?
The report also highlights that over 50% of organizations surveyed consider existing legacy applications as risky, making up over 14% of breaches — with a significant number of applications leveraging .NET (over 30% of respondents).
The newest release of dotTEST focuses on helping organizations mitigate the business risks inherent in today’s applications, addressing these challenges with expanded static analysis capabilities and the introduction of a new Security Compliance Pack that brings compliance reporting for OWASP, CWE, and UL-2900 to .NET development teams.
This release expands Parasoft’s support for the most important .NET security standards with complete support for the OWASP Top 10 and the broadest support for CWE in the industry. This comprehensive support enables teams to build security into their software quality process, executing deep code analysis directly within Visual Studio, as well as a part of the CI/CD pipeline through the command-line interface and CI plugins (available for Jenkins, Bamboo, TeamCity and Azure DevOps).
Looking at OWASP Top 10, for example, Parasoft’s comprehensive support helps users achieve compliance with the recommendation by enforcing security from the start of development and throughout the software lifecycle by:
If your team is looking at the CWE Top 25 for security guidance, then Parasoft’s policy-driven approach helps your organization reach its security goals while ensuring consistent, unobtrusive policy application. The automated infrastructure monitors policy compliance for visibility and auditability.
In line with our support for OWASP Top 10, Parasoft’s out-of-the-box CWE mappings mean that users don’t have to waste time figuring out which checkers cover which CWEs when configuring, and when fixing, users always know which CWE is being worked on because the static analysis checker names tell you.
In addition to new rules and configurations, the Security Compliance Pack includes new Compliance Reporting for both OWASP and CWE that includes:
Example compliance report for OWASP
The Security Compliance Pack also introduces new OWASP- and CWE-specific dashboards and widgets that help organizations streamline the process of efficiently achieving (and maintaining) compliance. Mapping static analysis violations to OWASP’s Risk Scoring and CWE’s Technical Impact and Development Concepts enables organizations to understand the level of risk associated with each standard, along with exactly where the risk lies. Parasoft also provides a streamlined workflow to navigate and prioritize the violations so that the team works most effectively.
Widgets showing OWASP Compliance and Violations, categorized by Risk
Widgets showing CWE Compliance and Violations categorized by Development Concepts and Technical Impact
Many of today’s enterprise systems are built on top of the .NET platform, so it is critical for these applications to be reliable and secure for businesses to succeed. The recent release of Parasoft dotTEST introduces the key capabilities needed to help .NET development teams ensure that their applications are reliably secure.
VP of Products at Parasoft, Mark is responsible for ensuring that Parasoft solutions deliver real value to the organizations adopting them. Mark has been with Parasoft since 2004, working with a broad cross-section of Global 2000 customers, from specific technology implementations to broader SDLC process improvement initiatives.