Addressing New-Age Security Testing challenges with focused technology platforms - PowerPoint PPT Presentation

Description:

This PPT focuses on addressing New-Age Security Testing challenges with focused technology platforms and dealing with specific security issues in the digital era.



1

Addressing New-Age Security Testing
challenges with focused technology platforms
2
Key reasons for Integrating Performance Testing
Tools in the world of DevOps
The days of developers creating every line of code from scratch are over. The intense demand for newer, better software means development cycles have become correspondingly intense. Moreover, the need for Continuous Testing/Development and Continuous Integration is growing as Application Development keeps getting more complex. Challenges pertaining to Security Testing and Database testing are increasing with the burgeoning Cybersecurity threats for all kinds of enterprises.

In turn, developers need to rely on the pre-built functionality in open source libraries to keep up with the development and testing challenges. However, the problem with this practice is that it also introduces a whole new layer of vulnerabilities into an organization's code. More often than not, these vulnerabilities are more difficult to identify than those in first-party code. Whilst this has been a known issue for some time, organizations are only now seeking second generation solutions that address the business issue in a more comprehensive way. These solutions and expertise can be defined and offered with strategic partnerships in the industry.

CA Veracode, Cigniti's strategic partner in the Security Testing domain, recently acquired SourceClear Technologies. With this acquisition, Veracode enhanced and expanded Cigniti's joint software composition analysis offering, helping developers code with both speed and security. Cigniti's Security TCoE consists of dedicated teams of security testing specialists with deep expertise spanning multiple domains/industries and cutting-edge technological resources/tools.

Following are some of the key requisites for testers and developers while dealing with security and related development and testing challenges.
3
Key reasons for Integrating Performance Testing
Tools in the world of DevOps
Vulnerable methods: worry (less) about what you don't have to worry (a lot) about

In many cases, when developers pull in an open source library, they are only using one small piece of it. Typically this may be only one method or function. If the library as a whole is tagged as vulnerable, you must know whether your data is passing through the vulnerable part, or whether the method or function being used is not vulnerable and therefore safer to consume as part of your code base. By using control flow analysis, the SourceClear scanner can tell if the function in an open source component containing a vulnerability is actually being called by your first-party code. This allows developers to better prioritize work, and dramatically decreases remediation work, in some cases by up to 90 percent. This is where Veracode allows business to continue with great security insight.

Dependency mapping: do you really know the number of libraries you are calling?

When developers are building open source libraries, they often leverage and call other open source libraries. These libraries might well contain methods from a third library, and so you can quickly understand the compound threat effect that can arise. The end result is layers of open source libraries connected together, where it is common for vulnerabilities in open source libraries to be five or six levels removed from your first-party code. Pragmatically, and as part of a better understanding of what risks are in your code base, SourceClear has the ability to map these dependencies through all the open source code in use. In this way, you can identify vulnerabilities you would never know about. Importantly you can then
4
Key reasons for Integrating Performance Testing
Tools in the world of DevOps

Proprietary vulnerability database: it's not JUST the NVD that matters, get AHEAD of the attack

SourceClear identifies vulnerabilities that are not in, or haven't yet made it into, the National Vulnerability Database (NVD). To unearth these vulnerabilities, SourceClear scours all open source repositories and scans the code. But that alone is not enough. You also need to scan the metadata, commit logs, bug fixes and patch notes, as well as any other developer comments. The SourceClear platform then uses a machine learning algorithm (verified by humans) to find security issues that have not been found or disclosed yet. This combination approach gives unparalleled levels of insight.

Read Full Blog at https://www.cigniti.com/blog/addressing-new-age-security-testing-challenges/
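The "Vulnerable methods" and "Dependency mapping" slides describe two checks that work together: how many levels a flagged library sits from first-party code, and whether its vulnerable method is actually called. The following is an added example, not code from the presentation or from SourceClear; it is a simplified call-graph reachability check, and every package name, function name and graph in it is constructed for illustration.

```python
from collections import deque

# Constructed sample data (hypothetical package and function names).
DEPENDS_ON = {
    "app": ["libA", "libB"],
    "libA": ["libC"],
    "libB": [],
    "libC": ["libD"],
    "libD": [],
}
# Call graph edges: caller -> callees, each function named "package:function".
CALLS = {
    "app:main": ["libA:load", "libB:escape"],
    "libA:load": ["libC:decode"],
    "libC:decode": ["libD:parse_header"],
    "libB:escape": [],
    "libB:render_template": ["libB:escape"],  # shipped in libB, never called by app
}
# Methods flagged as vulnerable (assumed advisory data, constructed here).
VULNERABLE = {"libD:parse_header", "libB:render_template"}


def dependency_depths(depends_on, root):
    """Breadth-first walk: levels between first-party code and each package."""
    depth, queue = {root: 0}, deque([root])
    while queue:
        pkg = queue.popleft()
        for dep in depends_on.get(pkg, []):
            if dep not in depth:
                depth[dep] = depth[pkg] + 1
                queue.append(dep)
    return depth


def call_paths(calls, entry):
    """Shortest call path from the entry point to every function it reaches."""
    paths, queue = {entry: [entry]}, deque([entry])
    while queue:
        fn = queue.popleft()
        for callee in calls.get(fn, []):
            if callee not in paths:
                paths[callee] = paths[fn] + [callee]
                queue.append(callee)
    return paths


def triage(depends_on, calls, vulnerable, root="app", entry="app:main"):
    """Per vulnerable method: (package depth, call path or None if unreachable)."""
    depth, paths = dependency_depths(depends_on, root), call_paths(calls, entry)
    return {v: (depth.get(v.split(":")[0]), paths.get(v)) for v in sorted(vulnerable)}
```

In this constructed graph the direct dependency libB carries a flagged method that is never reached, while libD, three levels down, is reachable from `app:main`, so it is the finding to remediate first.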