CA Southern Africa, Veracode best practices for container security

Craig De Lucchi, Account Director, CA Southern Africa.

---

As cyber security risks steadily increase, application security has become crucial. That means secure coding practices must be part of every developer’s skillset, says Craig De Lucchi, CA Southern Africa, Account Director. How code is written, and the steps taken to update and monitor it, have a big impact on organisations and their applications.

There are a number of steps that developers can take to help secure software containers, such as enforcing the use of trusted container image repositories, eliminating image clutter by continuously monitoring what’s inside the container and using secret management tools to protect sensitive data.” De Lucchi confirms that scanning software containers for vulnerabilities is also critical.

“Historically, it was standard practice for security teams to perform testing near the end of a project and then hand the results over to developers for remediation. But best practices direct that tackling a list of fixes just before the application is scheduled to go to production is no longer acceptable as it increases the risk of a breach. The tools and processes necessary for manual and automated testing during coding are what’s required,” say De Lucchi.

Additional Veracode software testing services include:

Veracode Static Analysis IDE Scan, a solution that runs in the background of a developer’s IDE to provide immediate alerts and feedback about potential flaws as code, is being written.

Veracode Dynamic Analysis, a web application scanner service that inventories all public-facing web applications and performs both lightweight, production-safe scans and deep scans to identify potential vulnerabilities.

Veracode Static Analysis is an easy-to-use testing methodology that lets developers quickly scan web, mobile and desktop applications. With Veracode Static Analysis, developers can quickly identify and remediate vulnerabilities like cross-site scripting and SQL insertion without having to manage a tool. Our patented technology scans binaries, eliminating the need for access to source code. Results are provided within four hours for 80% of scans, and 90% of scans are completed within a day. With highly accurate results that are prioritised based on severity and include a step-by-step remediation plan, developers can fix flaws faster while avoiding wasting time on false positives.

CA Southern African and Veracode recommend the following best practice security guidelines/tips, including:

• Data protections – they should be on your radar from the outset;
• Upfront, agree on what defines ‘completion’ of a project;
• Consider the OWASP Application Security Verification Standard as a guide to defining security requirements and generating test cases;

• Get involved with the security team to ensure testing methods will fix defects;
• Build proactive controls into stubs and drivers;
• Integrate security testing in continuous integration to create fast, automated feedback loops; and

• Add a security champion to each development team – this is a developer with an interest in security who helps amplify the security message at the team level.

De Lucchi explains that security champions don’t need to be security professionals; they just need to act as the security conscience of the team, keeping their eyes and ears open for potential issues. “Once the team is aware of these issues, it can then either fix them during development or call in CA Southern Africa’s security experts to provide guidance,” he concludes.