[ PDF |
BibTeX |
EndNote |
RIS |
Word ]
Integrating Application Security into a Software Development Process
By Achim D. Brucker.
Static Code Analysis (SCA) is an important means for detecting software vulnerabilities at an early stage in the software development lifecycle. The wide-spread introducing static code analysis at a large software vendor is challenging. Besides the technical challenges, e.g., caused by the large number of software development projects, large number of used programming languages (e.g., ABAP, C, Objective-C, ...), the use of dynamic programming models such as HTML5/JavaScript, there are also many non-technical challenges, e.g, creating security awareness among the developers, organizing trainings, integration of static code analysis into the development and maintenance processes. In this talk, we report the experiences we made while introducing static code analysis at SAP AG.
Please cite this work as follows: A. D. Brucker, “Integrating application security into a software development process,” presented at the 2. Tagung IT sicherheit: Sicherheit in der cloud und in applikationen, Emden, Germany, Jan. 31, 2013. Author copy: https://logicalhacking.com/publications/talk-brucker.ea-anwendungsssicherheit-2013/
BibTeX
@Unpublished{ talk:brucker.ea:anwendungsssicherheit:2013,
date = {2013-01-31},
author = {Achim D. Brucker},
lecturer = {Achim D. Brucker},
slideshare = {26212694},
slideshare_width = {427},
slideshare_height = {356},
venue = {Emden, Germany},
eventtitle = {2. Tagung IT Sicherheit: Sicherheit in der Cloud und in
Applikationen},
title_de = {Ma{\ss}nahmen im Entwicklungsprozess zur Sicherstellung der
Anwendungssicherheit},
title = {Integrating Application Security into a Software Development
Process},
abstract = {Static Code Analysis (SCA) is an important means for
detecting software vulnerabilities at an early stage in the
software development lifecycle. The wide-spread introducing
static code analysis at a large software vendor is
challenging. Besides the technical challenges, e.g., caused by
the large number of software development projects, large
number of used programming languages (e.g., ABAP, C,
Objective-C, ...), the use of dynamic programming models such
as HTML5/JavaScript, there are also many non-technical
challenges, e.g, creating security awareness among the
developers, organizing trainings, integration of static code
analysis into the development and maintenance processes. In
this talk, we report the experiences we made while introducing
static code analysis at SAP AG.},
abstract_de = {Im Rahmeinens einem sicheren Softwareentwicklungsprozess
(SDL) spielt die Statische Code Analyse (SCA) heutzutage eine
wichtige Rolle um m{\"o}gliche Sicherheitsschwachstellen
bereits zur Entwicklungszeit zu finden und zu beheben. Die
gro{\ss}fl{\"a}chige Einf{\"u}hrung statischer Code Analyse
stellt eine gro{\ss}e Herausforderung dar. Neben den
technischen Schwierigkeiten durch die schiere Anzahl und
Gr{\"o}{\ss}e der Softwareprojekte, der Vielzahl
unterschiedlicher Programmiersprachen oder die Verwendung
dynamischer Programmiermodelle wie sie z.B. bei
HTML5/JavaScript {\"u}blich sind, ergeben sich auch
nicht-technische Probleme wie die Schaffung des notwendigen
Problembewusstseins, Schulung der Mitarbeiter im Umgang der
verwendeten Tools oder die Einbindung der Analyse in
vorhandene Entwicklungs- und Wartungsprozesse.},
areas = {software, security},
note = {Author copy: \url{https://logicalhacking.com/publications/talk-brucker.ea-anwendungsssicherheit-2013/}},
pdf = {https://logicalhacking.com/publications/talk-brucker.ea-anwendungsssicherheit-2013/talk-brucker.ea-anwendungsssicherheit-2013.pdf},
}