Secure Software Development Resource Center
Secure Application Code Matters
Software vendors are faced with a conundrum when it comes to the development of secure software code. There are so many secure architectures, hardware features, and strategies (including secure boot, access control, secure multi-party computation, supply chain policing and domain separation to name just a few) that it would be easy to suppose that secure code born of a Secure Software Development Lifecycle doesn't really matter. But the truth is that no single security feature can provide development teams with complete protection from bad actors.
Here's why secure software - and hence software developers - have a key role to play as part of a
Hacking is indiscriminate, easy, cheap and lucrative for unscrupulous members of society. Nor is it unique to the web applications with which it is traditionally associated. Any system with security vulnerabilities that is connected to the internet can just as easily fall victim to bad actors, and that includes your connected device - irrespective of the programming languages you use. Read what makes your application a prospective target, whatever its purpose.
A defense-in-depth strategy is often referred to as the "Castle Approach", but that perhaps ignores the pragmatic consideration of cost. Simply applying the maximum security option at every possible level is not always proportionate to the level of risk should defenses be breached. Read about the importance of applying security defenses that complement each other, such that each covers the others' weaknesses, and understand how secure software coding fits into that scenario.
Endpoint security traditionally refers to the protection of computer networks that are remotely bridged to client devices such as laptops, tablets, and mobile phones - the prerogative of a web developer. But the Internet of Things (IoT) and Industrial Internet of Things (IIoT) have broadened that definition to include embedded connected devices too. Learn more about defense in depth and secure applications, and the significance of endpoints in IoT and IIoT security.
SSDLC: The Secure Software Development Lifecycle
Today's connectivity brings new responsibilities for software engineers. Traditional practice for secure code verification is largely reactive: code is first developed in accordance with relatively loose guidelines and then tested to find potential vulnerabilities.
A Secure Software Development Life Cycle (SSDLC) offers a better, more proactive approach by applying computer science as an engineering discipline. Mirroring the thinking promoted by functional safety standards, establishing security requirements and developing software to fulfill them represents a "shift left" approach to designing in security from the off.
Static analysis is key to the shift left paradigm, helping to ensure that vulnerabilities are minimized in the source code even as it is written. But static analysis alone takes little account of the underlying security of the infrastructure on which the code will be executed, making supplementary white box dynamic analysis equally important. Tracing code and tests to requirements bidirectionally ensures that all security requirements are implemented, and that there is no surplus code potentially offering "back door" methods. Traditional black box dynamic security test tools such as fuzz and penetration tests ultimately have a role in providing reassurance that the resultant code is secure.
Static Application Software Test (SAST)
The term "static" in the "SAST" acronym refers to tools that automatically inspect source code. Such tools are designed to spot issues that are likely to lead to vulnerabilities when that code is compiled and executed later. Learn how SAST tools can be applied early in the secure SDLC to avoid the inclusion of those security vulnerabilities. Understand the role of coding standards and associated code reviews for different programming languages, and how they help to lower the cost of secure application development.
Read about the implications of complex code, and how to limit that complexity to minimize the security vulnerabilities in your code.
White Box Dynamic Application Software Test (DAST)
The term "dynamic" in the "DAST" acronym refers to tools that execute the code to analyse and test its behaviour - either with reference back to the source code (white box), or without it (black box).
Learn how software engineers can apply white box DAST techniques such as unit test, integration test and system test in conjunction with structural code coverage analysis and bidirectional requirements traceability to protect the integrity of their source code, and how those techniques complement SAST and traditional black box DAST techniques such as fuzz testing and penetration testing.
DAST in Practice
Secure Software Development For Automotive Applications
Connected cars are among the biggest and most complicated of connected devices. In an industry where the use of open source software is commonplace and where security and safety are interwoven, security vulnerabilities must be kept to a minimum. Small wonder that standards such as SAE J3061 and ISO/SAE 21434 are finding increasing levels of adoption throughout the automotive sector.
Learn more about secure software development in the context of automotive security.
Securing the IIoT
Traditionally, industrial embedded applications have been kept secure through isolation.
But with the massive increase in demand for connectivity for monitoring and control purposes, the potential for mischief is manifold - especially where legacy or open source code is exposed to threats it was never designed to cope with.
If the security of an IIoT environment is poorly implemented it can have a drastic impact on the software security of an entire organization. Read why the secure SDLC is key to IIoT security.
We chose the LDRA tool suite because it covers comprehensive static analysis and has very good dynamic analysis capabilities
LDRA rules has been invaluable to us. I would estimate that we have saved at least €200k by using the tool, which represents a very speedy return on investment for us
LDRA Is Here To Help
For more than 40 years, LDRA has developed and driven the market for software that automates code analysis and software testing for safety-, mission-, security-, and business-critical markets. Working with clients to achieve early error identification and elimination, and full compliance with industry standards, LDRA traces requirements through static and dynamic analysis to unit testing and verification for a wide variety of hardware and software platforms. Boasting a worldwide presence, LDRA has headquarters in the United Kingdom, United States, Germany, and India coupled with an extensive distributor network. For more information on the LDRA tool suite, please visit www.ldra.com.
ISO 9001 | TÜV Certification
The TÜV and ISO certificates each say something a little different about LDRA and its products. ISO 9001 certification demonstrates LDRA’s ability to consistently meet and exceed customer expectations. And TÜV approval of software test tools suggests something more specific about the capabilities of the products, and their capacity to meet the exacting demands of the world’s predominant functional safety standards.