
By Achim D. Brucker.
Static Code Analysis (SCA) is an important means for detecting software vulnerabilities at an early stage in the software development lifecycle. The wide-spread introduction of static code analysis at a large software vendor is challenging. Besides the technical challenges, e.g., those caused by the large number of software development projects, the large number of programming languages in use (e.g., ABAP, C, Objective-C, ...), and the use of dynamic programming models such as HTML5/JavaScript, there are also many non-technical challenges, e.g., creating security awareness among the developers, organizing training, and integrating static code analysis into the development and maintenance processes. In this talk, we report the experiences we made while introducing static code analysis at SAP AG.
Please cite this work as follows: A. D. Brucker, “Integrating application security into a software development process,” presented at the 2. Tagung IT sicherheit: Sicherheit in der cloud und in applikationen, Emden, Germany, Jan. 31, 2013. Author copy: https://logicalhacking.com/publications/talk-brucker.ea-anwendungsssicherheit-2013/
@Unpublished{talk:brucker.ea:anwendungsssicherheit:2013,
  date              = {2013-01-31},
  author            = {Achim D. Brucker},
  lecturer          = {Achim D. Brucker},
  slideshare        = {26212694},
  slideshare_width  = {427},
  slideshare_height = {356},
  venue             = {Emden, Germany},
  eventtitle        = {2. Tagung IT Sicherheit: Sicherheit in der Cloud und in Applikationen},
  title_de          = {Ma{\ss}nahmen im Entwicklungsprozess zur Sicherstellung der Anwendungssicherheit},
  title             = {Integrating Application Security into a Software Development Process},
  abstract          = {Static Code Analysis (SCA) is an important means for detecting software vulnerabilities at an early stage in the software development lifecycle. The wide-spread introduction of static code analysis at a large software vendor is challenging. Besides the technical challenges, e.g., those caused by the large number of software development projects, the large number of programming languages in use (e.g., ABAP, C, Objective-C, ...), and the use of dynamic programming models such as HTML5/JavaScript, there are also many non-technical challenges, e.g., creating security awareness among the developers, organizing training, and integrating static code analysis into the development and maintenance processes. In this talk, we report the experiences we made while introducing static code analysis at SAP AG.},
  abstract_de       = {Im Rahmen eines sicheren Softwareentwicklungsprozesses (SDL) spielt die Statische Code Analyse (SCA) heutzutage eine wichtige Rolle, um m{\"o}gliche Sicherheitsschwachstellen bereits zur Entwicklungszeit zu finden und zu beheben. Die gro{\ss}fl{\"a}chige Einf{\"u}hrung statischer Code Analyse stellt eine gro{\ss}e Herausforderung dar. Neben den technischen Schwierigkeiten durch die schiere Anzahl und Gr{\"o}{\ss}e der Softwareprojekte, der Vielzahl unterschiedlicher Programmiersprachen oder die Verwendung dynamischer Programmiermodelle, wie sie z.B. bei HTML5/JavaScript {\"u}blich sind, ergeben sich auch nicht-technische Probleme wie die Schaffung des notwendigen Problembewusstseins, Schulung der Mitarbeiter im Umgang mit den verwendeten Tools oder die Einbindung der Analyse in vorhandene Entwicklungs- und Wartungsprozesse.},
  areas             = {software, security},
  note              = {Author copy: \url{https://logicalhacking.com/publications/talk-brucker.ea-anwendungsssicherheit-2013/}},
  pdf               = {https://logicalhacking.com/publications/talk-brucker.ea-anwendungsssicherheit-2013/talk-brucker.ea-anwendungsssicherheit-2013.pdf},
}