Are you developing trustworthy software?
The answer to that question is likely to be “No”. In a June 2017 Mozilla survey of the top one million websites, 93.45 percent earned an “F” for failing to implement basic security measures that would protect them from attacks such as cross-site scripting, man-in-the-middle, and cookie hijacking. One of the most startling findings in the 2016 Verizon Data Breach Investigations Report was the disproportionate number of web application attacks that result in a data breach. Although attacks on web applications account for only 8 percent of overall reported incidents (whether successful or not), they accounted for over 40 percent of incidents resulting in a data breach and were the single biggest source of data loss. There are good reasons for this: IDC, Gartner, and others have found that too much code, too few experts, and too little time create pressures that thwart efforts to develop secure code.
Build Security in at the Application Level with our EC:Develop Process
Decades of experience developing large-scale secure systems for a variety of regulated industries led us to create EC:Develop, our standardized method for building software products and applications. EC Wise is a Microsoft Partner with a “Silver” Application Development competency, and EC:Develop blends the best of agile development with secure development practices based on libraries and processes published by the Open Web Application Security Project (the OWASP Developer and Testing Guides, the OWASP Java Encoder and HTML Sanitizer, and the ZAP proxy for dynamic security testing), the National Institute of Standards and Technology (NIST SP 800-53), the International Organization for Standardization (ISO 27002) and the Center for Internet Security (CIS Critical Security Controls), as well as Microsoft’s Security Development Lifecycle.
Key aspects of the process are the incorporation of specific security and privacy requirements and risk assessments, two- to three-week development and test cycles with deployment to acceptance test environments at the end of each cycle, built-in unit and integration testing, vulnerability assessment using Contrast Enterprise, and transparent review of security and code quality.
EC Wise believes in automating any critical or repetitive process: agile platform development requires automation, and secure agile platform development would be impossible without it. By incorporating both compile-time and runtime automation into our processes, EC Wise enables timely, repeatable, and incremental functional deployment of deliverables produced in short “sprints” (often no longer than one or two weeks).
Exposure analysis and mitigation with EC:Develop
Armed with code analysis tools and practices from OWASP, and with Contrast Security’s first-of-its-kind cyber security product that unifies vulnerability detection and attack protection, we can quickly implement a proof of concept that lets you see attacks in real time and identify the application vulnerabilities that attackers are exploiting.
The Contrast Enterprise product, a key component of the EC:Develop process, provides three layers of defense: Protection, Assurance and Visibility. These layers are integrated to deliver tailored protection for an entire application portfolio.