Secure application development involves more than static analysis. Truly secure application development requires that testing involve a mixture of test and analysis methods applied throughout the SDLC, and also that a broad set of software life cycle management and vulnerability/risk management activities be integrated across the process to ensure the delivery of secure and reliable software.
Parasoft addresses both of these expectations with its Application Security Solution, which recently was awarded the Jolt award in the “Security” category. This integrated system extends Parasoft’s static analysis capabilities—providing a pre-configured system with processes and best practices that help organizations produce secure applications consistently and efficiently.
The complete solution integrates project & task management with a broad spectrum of secure application development practices—including penetration testing, authentication/encryption/access control validation, code review, runtime analysis, and more. It drives security tasks to a predictable outcome according to defined industry standards or management’s expectations. This gives organizations the comprehensive process visibility & control needed to effectively satisfy security requirements.
In addition to enforcing organizations’ unique security policies, Parasoft’s static code analysis automatically identifies common security vulnerabilities with the most comprehensive static analysis rule set in the industry. The rules span the industry’s most popular technologies and platforms, including Apache Axis, WebSphere, Hibernate, servlets, Struts, and EJB 3.
The following partial list includes some of the ready-to-use test configurations for rapidly analyzing code for application security defects:
- CWE-SANS Top 25
- HIPAA Security Assessment
- NIST SAMATE
- OWASP Top 10
- PCI DSS
- Security Assessment
- Secure Coding Best Practices
- Sun Secure Coding Guidelines
For security, Parasoft’s core static analysis capability can easily be configured to automatically monitor adherence to custom security policies. The rule library includes hundreds of rules that deliver “out-of-the-box” monitoring of many common policy requirements. These static analysis rules can be customized as needed to match specific policy requirements, and the rule set can be rapidly extended to address even the most complex and unique requirements. Moreover, rule names, descriptions, and severities can be mapped to the organization’s policies, establishing a fully-customized policy management and reporting interface.
Parasoft’s continually-expanding knowledge base of rules–one of the industry’s largest and most extensive–can easily be customized. This provides the flexibility to test for security vulnerabilities within the context of legacy code, proprietary frameworks, specific infrastructure requirements, or particular coding policies. You can filter based on file, package, severity, age of code, category, and more. As a result, you can use the right configuration for the right code to reduce false positives and noise to meet your security priorities.
Parasoft’s policy-driven approach defines the organization’s expectations around quality while ensuring consistent, unobtrusive policy application. The automated infrastructure monitors policy compliance, providing visibility and auditability. This approach:
- Drives expected behavior throughout the SDLC to promote predictable outcomes
- Delivers an actionable set of tasks that are measurable through completion
- Provides the control needed to continuously improve the process of delivering business applications