by Achim D. Brucker
Static Code Analysis (SCA) is an important means for detecting software vulnerabilities at an early stage in the software development lifecycle. The wide-spread introducing static code analysis at a large software vendor is challenging. Besides the technical challenges, e.g., caused by the large number of software development projects, large number of used programming languages (e.g., ABAP, C, Objective-C, ...), the use of dynamic programming models such as HTML5/JavaScript, there are also many non-technical challenges, e.g, creating security awareness among the developers, organizing trainings, integration of static code analysis into the development and maintenance processes. In this talk, we report the experiences we made while introducing static code analysis at SAP AG.
Keywords:
Categories:
Documents:
Please cite this article as follows:
Achim D. Brucker.
Integrating Application Security into a Software Development Process. 2. Tagung IT Sicherheit: Sicherheit in der Cloud und in Applikationen, 31. jan. 2013.
(slides) (handout) (BibTeX) (
abstract | = | {Static Code Analysis (SCA) is an important means for detecting software vulnerabilities at an early stage in the software development lifecycle. The wide-spread introducing static code analysis at a large software vendor is challenging. Besides the technical challenges, e.g., caused by the large number of software development projects, large number of used programming languages (e.g., ABAP, C, Objective-C, ...), the use of dynamic programming models such as HTML5/JavaScript, there are also many non-technical challenges, e.g, creating security awareness among the developers, organizing trainings, integration of static code analysis into the development and maintenance processes. In this talk, we report the experiences we made while introducing static code analysis at SAP AG.}, | |
abstract_de | = | {Im Rahmeinens einem sicheren Softwareentwicklungsprozess (SDL) spielt die Statische Code Analyse (SCA) heutzutage eine wichtige Rolle um m{\"o}gliche Sicherheitsschwachstellen bereits zur Entwicklungszeit zu finden und zu beheben. Die gro{\ss}fl{\"a}chige Einf{\"u}hrung statischer Code Analyse stellt eine gro{\ss}e Herausforderung dar. Neben den technischen Schwierigkeiten durch die schiere Anzahl und Gr{\"o}{\ss}e der Softwareprojekte, der Vielzahl unterschiedlicher Programmiersprachen oder die Verwendung dynamischer Programmiermodelle wie sie z.B. bei HTML5/JavaScript {\"u}blich sind, ergeben sich auch nicht-technische Probleme wie die Schaffung des notwendigen Problembewusstseins, Schulung der Mitarbeiter im Umgang der verwendeten Tools oder die Einbindung der Analyse in vorhandene Entwicklungs- und Wartungsprozesse.}, | |
author | = | {Achim D. Brucker}, | |
day | = | {31}, | |
event | = | {2. Tagung IT Sicherheit: Sicherheit in der Cloud und in Applikationen}, | |
handout | = | {https://www.brucker.ch/bibliography/download/2013/talk-brucker.ea-anwendungsssicherheit-2013-2x2.pdf}, | |
isodate | = | {2013-01-31}, | |
lecturer | = | {Achim D. Brucker}, | |
location | = | {Emden, Germany}, | |
month | = | {jan}, | |
slides | = | {https://www.brucker.ch/bibliography/download/2013/talk-brucker.ea-anwendungsssicherheit-2013.pdf}, | |
slideshare | = | {26212694}, | |
slideshare_height | = | {356}, | |
slideshare_width | = | {427}, | |
title | = | {Integrating Application Security into a Software Development Process}, | |
title_de | = | {Ma{\ss}nahmen im Entwicklungsprozess zur Sicherstellung der Anwendungssicherheit}, | |
url | = | {https://www.brucker.ch/bibliography/abstract/talk-brucker.ea-anwendungsssicherheit-2013}, | |
year | = | {2013}, |