Market-leading tools and services
to meet your software security challenges head-on
Find and Fix Security Defects While You Code
Build Security In
As the business-criticality of software grows, it becomes increasingly important to ensure that your company’s software, and the confidential data that it manages, is protected and secure. Many organizations are now adopting software security procedures and deploying technologies to counter the issues associated with the development of insecure code. Testing for security bugs is important, but only finds bugs already in the code. It doesn’t prevent bugs. Ultimately, application development teams are responsible for building secure software. “Building Security In” fixes bugs before the code is committed and reduces remediation costs.
Developer training is important, but must be reinforced
Computer-based and instructor-led training programs are designed to build secure coding knowledge within an organization. Lessons must be reinforced as the developer works, or else that knowledge quickly diminishes. Some studies suggest that without reinforcement, the knowledge gained through training is reduced by 50% within one week!
Reinforcement often comes from a review of training material or corporate best practice documentation. However, this guidance is frequently static, not updated as the threat space changes, and may be difficult to access. More importantly, the developer must first be aware of the need for guidance, then break from his normal workflow to access it. Without the timely delivery of guidance, when and where it is needed, security bugs continue to plague the code.
The correct approach to these challenges is to shift the focus from reactive remediation to proactive security. Instead of focusing on new ways to find bugs already in the code base, organizations should provide developers with the guidance they need to build expertise and to PREVENT bugs from entering the code base.
SecureAssist – Just-in-Time Secure Coding Guidance in the IDE
Cigital SecureAssist is an IDE plug-in that automatically provides “just-in-time” security guidance, as the code is written. Rather than scanning for bugs after code is written and committed, SecureAssist acts as a desktop security expert, providing guidance automatically when developers create code where risk may be introduced.
Security “Spellchecker” in the IDE
Just as a spellchecker detects spelling and grammar issues, SecureAssist automatically detects risky code. Issues are itemized within the IDE and linked to the line of code where problems appear. SecureAssist allows developers to FIX bugs before they enter the codebase, and is part of a proactive strategy that provides expert, validated guidance and immediate feedback while supporting corporate security standards.
Consistent, Accurate and Contextual Guidance
The guidance in SecureAssist is consistent, reliable and accurate, meaning that all of your developers will receive the same, company-approved guidance. Bug descriptions provide information on the risk in its various forms and explain how the risk can be exploited. Code Examples provide best practices for mitigating the risk in question, showing both preferred and negative code. Rather than present generic guidance, SecureAssist understands the context in which the risk is introduced, and can provide guidance appropriate for that environment. A user doesn’t need to sift through information on .NET applications when she is working on a Java application.
Customized Guidance to Meet Internal Standards
SecureAssist’s rules and guidance can also be easily customized to meet internal secure coding standards. If a company has internal best practices for addressing certain risks, SecureAssist will present those to the developer. Whether it is internal coding conventions, approved encryption routines or specific code examples, SecureAssist can meet an organization’s needs.
Ready to start building more secure software? Visit the Cigital Marketplace to purchase SecureAssist licenses and start finding and fixing security vulnerabilities now.