3. Static Source Code Analysis: The Develop phase is where it all happens. Developers are given precise directions on what to code: functionality, database interactions, source code version control, SharePoint access, and some basic security requirements related to Authentication and Access Control. The source code is developed per the requirements provided to the Developers and, where required, integrated with third-party applications / APIs (Application Programming Interfaces).
Source code analysis is also called 'Whitebox Testing', as the Security professionals have complete access to the source code and can readily identify code-level security vulnerabilities. Security can be integrated during the Develop phase by introducing Static Analysis Security Testing (SAST) tools. These tools work much like lexical analyzers: they read the source code character by character, apply logic in the form of rules or rule packs, attempt to identify security vulnerabilities against predefined criteria, risk-rank the vulnerabilities they find, and report them back to the end user.
Now that we understand what happens in the Develop phase and which type of tool is used for Source Code Analysis, what comes next?
Organizations have to come up with a process / workflow to initiate the Static Source Code Analysis process, identify security vulnerabilities at the code level, and fix them before the code moves to the next phase. An example of a Source Code Analysis Methodology can be something as follows:
To sum it up:
- Prepare and follow a Secure Code Methodology
- Identify security vulnerabilities at the code level (always consider a hybrid approach, that is, a combination of an automated tool and manual Secure Code Review)
- Risk rank each identified vulnerability
- Provide relevant fix recommendations
- Carry forward all artifacts and observations to the next phase of SDLC
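The paragraph above describes how a SAST tool works (read the source, apply rules or rule packs, risk-rank, report), and the methodology list describes what the organization does with the output (hybrid review, risk ranking, fix recommendations, artifacts carried forward). The following is an added example, not code from the original page or from any SAST product, showing both in one small rule-pack-driven scanner. The rule ids (EX-001 and so on), the rule pack, the severity scale and the sample source it scans are all constructed for illustration; a real product ships far larger rule packs and data-flow analysis rather than line-by-line regexes.

```python
import json
import re
from dataclasses import dataclass, asdict

# Constructed severity scale used for risk ranking (hypothetical, not a standard).
SEVERITY_SCORE = {"Critical": 4, "High": 3, "Medium": 2, "Low": 1}


@dataclass(frozen=True)
class Rule:
    rule_id: str
    pattern: re.Pattern
    title: str
    severity: str
    confidence: str          # "High" or "Low": Low means a human reviewer must confirm
    recommendation: str


# Constructed rule pack with hypothetical ids; each rule carries its own fix advice.
RULE_PACK = [
    Rule("EX-001", re.compile(r'(?i)(password|passwd|secret)\s*=\s*["\'][^"\']+["\']'),
         "Hard-coded credential", "Critical", "High",
         "Load secrets from a vault or the environment at runtime; rotate the exposed value."),
    Rule("EX-002", re.compile(r'(?i)(select|insert|update|delete)\b[^\n]*["\']\s*\+\s*\w+'),
         "SQL query built by string concatenation", "High", "Low",
         "Use parameterised queries / prepared statements."),
    Rule("EX-003", re.compile(r'\beval\s*\('),
         "Dynamic code evaluation", "High", "Low",
         "Remove eval(); parse the input with a safe, explicit parser."),
    Rule("EX-004", re.compile(r'(?i)\b(md5|sha1)\s*\('),
         "Weak hash algorithm", "Medium", "High",
         "Use SHA-256 or better; for passwords use bcrypt, scrypt or Argon2."),
]


@dataclass
class Finding:
    rule_id: str
    title: str
    severity: str
    risk_score: int
    confidence: str
    needs_manual_review: bool   # the "hybrid approach": low-confidence hits go to manual review
    file: str
    line: int
    snippet: str
    recommendation: str


def scan_source(filename: str, source: str, rules=RULE_PACK) -> list:
    """Lexer-like pass: walk the source line by line, apply every rule, build findings."""
    findings = []
    for lineno, text in enumerate(source.splitlines(), start=1):
        stripped = text.strip()
        if stripped.startswith("#") or stripped.startswith("//"):
            continue  # skip comment lines to cut the most obvious false positives
        for rule in rules:
            if rule.pattern.search(text):
                findings.append(Finding(
                    rule.rule_id, rule.title, rule.severity,
                    SEVERITY_SCORE[rule.severity], rule.confidence,
                    rule.confidence == "Low", filename, lineno, stripped,
                    rule.recommendation))
    return findings


def risk_rank(findings: list) -> list:
    """Highest risk first; ties broken by file and line so the report is stable."""
    return sorted(findings, key=lambda f: (-f.risk_score, f.file, f.line))


def to_artifact(findings: list) -> str:
    """JSON artifact of the ranked findings, to be carried forward to the next SDLC phase."""
    return json.dumps([asdict(f) for f in risk_rank(findings)], indent=2)


# Constructed sample source, written so that each rule fires exactly once (not real code).
SAMPLE_SOURCE = """\
import hashlib
DB_PASSWORD = "hunter2"
def find_user(conn, name):
    # password = "this-is-a-comment-and-must-not-be-reported"
    q = "SELECT * FROM users WHERE name = '" + name + "'"
    return conn.execute(q)
def check(token):
    return eval(token)
def digest(data):
    return hashlib.md5(data).hexdigest()
"""

if __name__ == "__main__":
    print(to_artifact(scan_source("constructed/app.py", SAMPLE_SOURCE)))
```

Running the block prints four findings ranked Critical, High, High, Medium; the two string-concatenation and eval() hits are marked `needs_manual_review` because a regex cannot tell whether the concatenated value is attacker-controlled, which is exactly why the methodology pairs the automated tool with a manual Secure Code Review. The JSON output is the artifact that travels with the code into the next phase.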
Benefits of integrating Security in Phase 3:
- Security vulnerabilities at the code level are addressed
- Some critical vulnerabilities, such as those related to Session Management, Backdoors and more, that cannot be identified by Penetration Testing tools can be easily identified and fixed
- Security vulnerabilities can be fixed by the Developers while they are still on the Project; this drastically reduces the resource management, additional effort and cost to the Business, and thus brings in excellent feedback from your respective Clients/Customers