Are you developing trustworthy software?
The answer to that question is likely to be “No”. According to a June 2017 Mozilla survey of the top one million websites, 93.45 percent earned an “F” for failing to implement the basic security measures that protect a site against attacks such as cross-site scripting, man-in-the-middle interception, and cookie hijacking. One of the most startling findings of the annual Verizon Data Breach Investigations Report (DBIR) is that web application attacks account for a disproportionate share of data breaches. The 2020 DBIR reported that 43% of breaches involved attacks against web applications, more than double the share in the prior year. The reasons are familiar: too much code, too few experts, and too little time create pressures that thwart efforts to develop secure code.
Build Security in at the Application Level with our EC:Develop Process
Decades of experience developing large-scale secure systems for a variety of regulated industries led us to create EC:Develop, our standardized method for building software products and applications. EC Wise is a Microsoft Partner with a “Silver” Application Development competency, and EC:Develop blends the best of agile development with secure development practices drawn from the libraries and processes published by the Open Web Application Security Project (the OWASP Developer and Testing Guides, the OWASP Java Encoder and HTML Sanitizer libraries, and the ZAP proxy for dynamic security testing), the National Institute of Standards and Technology (NIST SP 800-53), the International Organization for Standardization (ISO/IEC 27002) and the Center for Internet Security (CIS Critical Security Controls), as well as Microsoft’s Security Development Lifecycle (SDL).
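The two OWASP libraries named above address the cross-site scripting problem from the opening paragraph in complementary ways: the Java Encoder escapes untrusted data for the exact context it lands in (HTML body, HTML attribute, JavaScript string), while the HTML Sanitizer applies an allow-list policy to markup a user is permitted to submit. The code below is an added illustration of that distinction; it is not EC Wise code and not part of EC:Develop. It assumes the `encoder` and `owasp-java-html-sanitizer` artifacts are on the classpath (Maven coordinates in the comment are assumptions to be checked against the current releases), and the class, method and variable names other than the library calls are made up for the example.

```java
// Added example, not EC:Develop code: contextual output encoding with the
// OWASP Java Encoder and allow-list sanitization with the OWASP HTML Sanitizer.
// Assumed build dependencies (verify against current releases):
//   org.owasp.encoder:encoder
//   com.googlecode.owasp-java-html-sanitizer:owasp-java-html-sanitizer
import org.owasp.encoder.Encode;
import org.owasp.html.PolicyFactory;
import org.owasp.html.Sanitizers;

public class XssDefenseDemo {

    // Vulnerable pattern: untrusted input concatenated straight into markup.
    // A value such as <img src=x onerror=alert(1)> reaches the browser as markup.
    static String vulnerableGreeting(String displayName) {
        return "<p>Hello, " + displayName + "</p>";
    }

    // Hardened: encode for the HTML body context. Markup characters in the
    // input become character references and render as literal text.
    static String safeGreeting(String displayName) {
        return "<p>Hello, " + Encode.forHtml(displayName) + "</p>";
    }

    // HTML attribute context: a quote in the input must not be able to close
    // the attribute and introduce an event-handler attribute of its own.
    static String safeLink(String title) {
        return "<a href=\"/home\" title=\"" + Encode.forHtmlAttribute(title) + "\">home</a>";
    }

    // JavaScript string context. An HTML encoder is a context mismatch here:
    // the browser does not decode character references inside a script block,
    // and HTML encoding knows nothing about backslash escapes. forJavaScript()
    // backslash-escapes quotes and backslashes and hex-encodes < and >, so the
    // input can neither end the string literal nor end the <script> block.
    static String safeInlineScript(String searchTerm) {
        return "<script>var q = '" + Encode.forJavaScript(searchTerm) + "';</script>";
    }

    // Rich text the user is allowed to submit (bold, italics, links). Encoding
    // would destroy the intended markup, so an allow-list sanitizer is used:
    // elements and attributes outside the policy (script, event handlers,
    // javascript: URLs) are removed rather than escaped.
    private static final PolicyFactory COMMENT_POLICY =
            Sanitizers.FORMATTING.and(Sanitizers.LINKS);

    static String sanitizeComment(String untrustedHtml) {
        return COMMENT_POLICY.sanitize(untrustedHtml);
    }

    public static void main(String[] args) {
        // Constructed inputs for the demonstration; not captured from any system.
        String scriptPayload = "<img src=x onerror=alert(1)>";
        String quotePayload = "x\" onmouseover=\"alert(1)";
        String jsPayload = "'; alert(1); var z = '";
        String comment = "<b>nice</b> <a href=\"https://example.org\">link</a>"
                + "<script>steal()</script>";

        System.out.println("vulnerable : " + vulnerableGreeting(scriptPayload));
        System.out.println("html body  : " + safeGreeting(scriptPayload));
        System.out.println("attribute  : " + safeLink(quotePayload));
        System.out.println("js string  : " + safeInlineScript(jsPayload));
        System.out.println("sanitized  : " + sanitizeComment(comment));
    }
}
```

The design point is that encoding and sanitizing are not interchangeable: encoding is the default for any untrusted value placed into a page, chosen per output context, and sanitizing is reserved for the narrow case where the user is meant to supply markup. A template engine that auto-encodes for the HTML body context still needs explicit handling for attribute, URL and script contexts, which is exactly where ZAP's active scan is useful for catching the cases a review missed.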
Key aspects of the process are the incorporation of specific security and privacy requirements and risk assessments; two- to three-week develop-and-test cycles, each ending with a deployment to an acceptance-test environment; built-in unit and integration testing; vulnerability assessment with current tooling; and transparent review of security and code quality.
Automating repetitive processes is critical: agile platform development requires automation, and secure agile platform development would be impossible without it. By building both build-time (compile and test) and runtime automation into our process, EC Wise delivers functionality in timely, repeatable, incremental deployments at the end of each short sprint (rarely longer than two weeks).
Exposure analysis and mitigation with EC:Develop
Armed with code analysis tools and practices from OWASP, and with modern tools that unify vulnerability detection and attack protection, we can quickly stand up a proof of concept that lets you watch attacks against your application in real time and identify the application vulnerabilities the attackers are exploiting.