Claire Allen-Addy
|
Head of Product Marketing
November 19, 2024

9 Secure by Design Tools

Secure by Design has been around for a while now, with organizations like CISA promoting these security practices, and even encouraging businesses to sign its Secure by Design Pledge.

1 - Secure Code Review - Coverity by Black Duck

Secure code review examines an application’s source code, either manually or with tooling (each has trade-offs: manual review catches design and logic flaws a scanner cannot, while automated review scales across a large codebase), to find security flaws before they ship. It targets weaknesses that would compromise the application’s security, such as missing input validation or unsafe handling of untrusted data. Find out more in this blog from our partner, Black Duck: https://www.blackduck.com/glossary/what-is-code-review.html

Black Duck’s tool for automated secure code review is Coverity, a static analysis engine.

Coverity provides comprehensive analysis for 22 programming languages, more than 200 frameworks, and many popular infrastructure-as-code platforms and file formats.

2 - Static Application Security Testing (SAST) - Snyk Code by Snyk

Static Application Security Testing (SAST) analyzes an application’s source code (or bytecode) without executing it, to identify vulnerabilities early, usually while the code is still being written. The benefits are shifting security left, which is the core of Secure by Design, and cutting the cost of remediation, since a flaw fixed in a pull request is far cheaper than one fixed in production. A SAST finding points to a specific file and line, so developers can fix it quickly and effectively. It also helps with compliance needs and audit considerations. The usual caveat is false positives: a static tool cannot see runtime configuration or validation performed elsewhere, so findings need triage before they are treated as bugs.
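To make the SAST idea concrete, here is a toy static check written for this article. It is an added example, not Coverity, Snyk Code or any vendor’s engine: it parses Python source with the standard `ast` module, never runs the code under review, and flags a SQL query that is assembled from runtime values before reaching a DB-API `execute()` call. The two sample snippets it scans are constructed for the example, and the taint heuristic (f-strings, `%`, `+` and `.format()` count as attacker-influenced) is a simplification of what a real engine does.

```python
"""Toy SAST check: SQL built by string formatting that reaches cursor.execute().

Added example; not a vendor's engine. Parses source with `ast` and never
executes it. Sample snippets below are constructed for illustration.
"""
import ast
from dataclasses import dataclass


@dataclass
class Finding:
    line: int
    message: str


SQL_SINKS = {"execute", "executemany"}  # DB-API cursor methods treated as sinks


def _is_tainted_expr(node: ast.AST) -> bool:
    """True if the expression is a string assembled at runtime.

    Heuristic (an assumption of this toy): f-strings with placeholders,
    '%' formatting, .format() calls and '+' concatenation are treated as
    attacker-influenced; plain literals are not.
    """
    if isinstance(node, ast.JoinedStr):                       # f"... {user}"
        return any(isinstance(v, ast.FormattedValue) for v in node.values)
    if isinstance(node, ast.BinOp) and isinstance(node.op, (ast.Mod, ast.Add)):
        return True                                            # "..." % x, "..." + x
    if isinstance(node, ast.Call) and isinstance(node.func, ast.Attribute):
        return node.func.attr == "format"                      # "...".format(x)
    return False


def scan_source(source: str) -> list[Finding]:
    """Walk the AST and report every SQL sink fed a runtime-built string."""
    tree = ast.parse(source)
    findings: list[Finding] = []
    # Names assigned a tainted expression, tracked file-wide without scoping
    # (a deliberate simplification) so `q = "..." % x; cursor.execute(q)` is caught.
    tainted_names: set[str] = set()
    for node in ast.walk(tree):                                # breadth-first
        if isinstance(node, ast.Assign) and _is_tainted_expr(node.value):
            for target in node.targets:
                if isinstance(target, ast.Name):
                    tainted_names.add(target.id)
        if (isinstance(node, ast.Call) and isinstance(node.func, ast.Attribute)
                and node.func.attr in SQL_SINKS and node.args):
            query = node.args[0]
            if _is_tainted_expr(query) or (
                    isinstance(query, ast.Name) and query.id in tainted_names):
                findings.append(Finding(
                    node.lineno,
                    f"SQL injection: query built from runtime values reaches "
                    f"cursor.{node.func.attr}(); use a parameterised query"))
    return findings


# Constructed samples. Line 1 of each string is blank, so `def` is line 2.
VULNERABLE = '''
def get_user(cursor, username):
    query = "SELECT * FROM users WHERE name = '%s'" % username
    cursor.execute(query)
    cursor.execute(f"SELECT 1 FROM audit WHERE who = '{username}'")
'''

SAFE = '''
def get_user(cursor, username):
    cursor.execute("SELECT * FROM users WHERE name = ?", (username,))
'''

if __name__ == "__main__":
    for label, src in (("vulnerable", VULNERABLE), ("safe", SAFE)):
        for f in scan_source(src):
            print(f"{label}: line {f.line}: {f.message}")
```

The safe variant passes the user value as a bound parameter, so the first argument to `execute()` is a constant and the check stays quiet; the point of the example is that the tool reasons about how the string was built, not about what it contains.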

Snyk Code is Snyk’s SAST product. It scans as developers write code in the IDE, offers developer-friendly remediation steps and suggested fixes, and runs the same checks in the build pipeline so that new vulnerabilities are caught before they are merged. All of this supports adopting Secure by Design approaches and activities.

3 - Dynamic Application Security Testing (DAST) - ZAP by Checkmarx

Another security testing method is Dynamic Application Security Testing (DAST), which probes a running application from the outside, the way an attacker would, to find vulnerabilities and security weaknesses. Because it needs no source code, it is a good fit for legacy systems or third-party products. DAST sends real attack payloads, for example cross-site scripting (XSS) probes, and judges the result from the application’s responses. It is normally run against a test or staging environment, since the payloads can modify data. Its limitation is the mirror image of SAST: it only finds what is reachable through the exposed interface, and it reports a URL and parameter rather than a line of code.
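The following is an added example of the DAST approach, not ZAP or any vendor’s scanner. The scanner function has no access to source code: it sends requests and reads responses. To keep the example self-contained and offline, the “target” is a constructed WSGI application called in-process through a minimal client that stands in for a real HTTP socket; the app is deliberately vulnerable in its `q` parameter and encodes its `name` parameter correctly. A real scanner would also probe headers, cookies, POST bodies and many more payloads.

```python
"""Toy DAST probe for reflected XSS against a running WSGI application.

Added example, not ZAP. The scanner only sees requests and responses.
The target app and the parameters are constructed for this example.
"""
import html
import secrets
from urllib.parse import parse_qs, urlencode
from wsgiref.util import setup_testing_defaults


def vulnerable_app(environ, start_response):
    """Constructed target: `q` is echoed raw (XSS), `name` is HTML-escaped."""
    params = parse_qs(environ.get("QUERY_STRING", ""))
    q = params.get("q", [""])[0]
    name = params.get("name", [""])[0]
    body = f"<h1>Hello {html.escape(name)}</h1><p>You searched for: {q}</p>"
    start_response("200 OK", [("Content-Type", "text/html; charset=utf-8")])
    return [body.encode("utf-8")]


def http_get(app, path: str, query: dict) -> tuple[str, str]:
    """Minimal client for a WSGI callable; stands in for a network HTTP client."""
    environ = {}
    setup_testing_defaults(environ)
    environ["PATH_INFO"] = path
    environ["QUERY_STRING"] = urlencode(query)
    status_holder = {}

    def start_response(status, headers, exc_info=None):
        status_holder["status"] = status

    body = b"".join(app(environ, start_response)).decode("utf-8", errors="replace")
    return status_holder["status"], body


def probe_reflected_xss(app, path: str, params: dict) -> list[str]:
    """Return the parameters that reflect an unencoded HTML tag.

    For each parameter a unique canary wrapped in an element (e.g. <zz1a2b3c4d>)
    is injected while the other parameters keep their baseline values. If the
    raw tag comes back in the body, the app did not encode output for HTML,
    which is the precondition for reflected XSS. The random token avoids false
    positives from text that happens to be on the page already.
    """
    vulnerable = []
    for name in params:
        payload = f"<zz{secrets.token_hex(4)}>"
        query = dict(params)
        query[name] = payload
        _, body = http_get(app, path, query)
        if payload in body:                    # reflected verbatim: vulnerable
            vulnerable.append(name)
        # html.escape(payload) in body would mean the app encoded it: safe
    return vulnerable


if __name__ == "__main__":
    hits = probe_reflected_xss(vulnerable_app, "/search", {"q": "shoes", "name": "alice"})
    print("reflected XSS in parameters:", hits)
```

Notice what the scanner does and does not know at the end: it can say that `q` on `/search` reflects markup, which is enough to reproduce the issue, but it cannot say which line of the application failed to encode it. That is the gap SAST and IAST fill.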

Zed Attack Proxy (ZAP) by Checkmarx is a free, open-source web app scanner. As described by Checkmarx itself: ‘ZAP is designed specifically for testing web applications and is both flexible and extensible. At its core, ZAP is what is known as a “manipulator-in-the-middle proxy.” It stands between the tester’s browser and the web application so that it can intercept and inspect messages sent between browser and web application, modify the contents if needed, and then forward those packets on to the destination. It can be used as a stand-alone application and as a daemon process.’

4 - Interactive Application Security Testing (IAST) - Seeker by Black Duck (formerly Synopsys)

The third ‘AST’ method, Interactive Application Security Testing (IAST), instruments the application from the inside with an agent while it runs, usually during functional or DAST testing. It observes how data actually flows from inputs to sensitive operations, so it can report a vulnerability together with both the request that triggered it and the code location, combining the strengths of SAST and DAST in real time. Its coverage is limited to the code paths the tests exercise. IAST is especially beneficial for DevSecOps, as it embeds security testing directly into the development and testing phases, shifting security left and supporting security by design.

Seeker by Black Duck (formerly Synopsys) helps QA, DevOps, and security teams automate the security testing of modern web applications and services. It integrates with CI/CD pipelines and workflows, gives a real-time view of the top security vulnerabilities, and delivers insights into sensitive data flows and APIs for immediate remediation.

5 - Automated Threat Modeling - Enterprise by IriusRisk 

Threat modeling is a structured approach for identifying, assessing, and addressing potential security threats to an application, system, or network before it is built or deployed. Working from the architecture (components, data flows, and the trust boundaries between them), it is the ultimate shift-left Secure by Design activity: it enumerates potential weaknesses, predicts likely attack vectors, and lets the team design defenses in rather than retrofit them. It provides earlier detection of threats and helps organizations demonstrate conformance with compliance requirements. The output is a prioritized list of security controls that mitigate the identified threats, so a more secure product goes into the live environment.
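To show what “automated” threat modeling does mechanically, here is an added example of STRIDE-per-element enumeration over a small data-flow model. It is illustrative code written for this article, not IriusRisk’s engine or its rule library. The three-tier architecture, the trust zones, the boundary rules and the countermeasure text are all constructed; the STRIDE-per-element mapping (which categories apply to external entities, processes and data stores) follows the standard Microsoft approach.

```python
"""STRIDE-per-element threat enumeration over a small data-flow model.

Added example of the technique; not a vendor's engine or rule library.
The model, rules and countermeasures below are constructed for illustration.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Element:
    name: str
    kind: str      # "external", "process" or "store"
    zone: str      # trust zone, e.g. "internet", "dmz", "internal"


@dataclass(frozen=True)
class Flow:
    source: Element
    dest: Element
    protocol: str
    encrypted: bool
    authenticated: bool
    carries_pii: bool = False


@dataclass
class Threat:
    category: str
    target: str
    description: str
    countermeasure: str


# Standard STRIDE-per-element mapping: which categories apply to each element kind.
STRIDE_BY_KIND = {
    "external": ["Spoofing", "Repudiation"],
    "process": ["Spoofing", "Tampering", "Repudiation", "Information disclosure",
                "Denial of service", "Elevation of privilege"],
    "store": ["Tampering", "Repudiation", "Information disclosure", "Denial of service"],
}

DEFAULT_COUNTERMEASURES = {
    "Spoofing": "Strong authentication of callers and users",
    "Tampering": "Input validation, integrity checks, least-privilege writes",
    "Repudiation": "Tamper-evident audit logging with synchronised clocks",
    "Information disclosure": "Access control and encryption of sensitive data",
    "Denial of service": "Resource quotas, time-outs and graceful degradation",
    "Elevation of privilege": "Server-side authorisation on every request",
}


def element_threats(element: Element) -> list[Threat]:
    """Generic per-element threats, one per applicable STRIDE category."""
    return [Threat(cat, element.name, f"{cat} against {element.kind} '{element.name}'",
                   DEFAULT_COUNTERMEASURES[cat]) for cat in STRIDE_BY_KIND[element.kind]]


def flow_threats(flow: Flow) -> list[Threat]:
    """Boundary-aware rules for one data flow (constructed rule set)."""
    out = []
    crosses_boundary = flow.source.zone != flow.dest.zone
    label = f"{flow.source.name} -> {flow.dest.name} ({flow.protocol})"
    if crosses_boundary and not flow.encrypted:
        out.append(Threat("Information disclosure", label,
                          "Data crosses a trust boundary in cleartext",
                          "Encrypt the channel (TLS 1.2+) and validate the server identity"))
        out.append(Threat("Tampering", label,
                          "Messages can be modified in transit across the boundary",
                          "Use TLS for integrity; sign or MAC application messages"))
    if crosses_boundary and not flow.authenticated:
        out.append(Threat("Spoofing", label,
                          f"{flow.dest.name} cannot verify the identity of {flow.source.name}",
                          "Authenticate the caller (mTLS or signed tokens) before processing"))
    if flow.source.zone == "internet":
        out.append(Threat("Denial of service", label,
                          "Unbounded requests arrive from an untrusted zone",
                          "Rate-limit, size-limit and time-out requests at the edge"))
    if flow.carries_pii and flow.dest.kind == "store":
        out.append(Threat("Information disclosure", flow.dest.name,
                          "Personal data is written to a store",
                          "Encrypt at rest, minimise retention, restrict read access"))
    return out


def enumerate_threats(elements: list[Element], flows: list[Flow]) -> list[Threat]:
    """Full threat list for a model: per-element threats plus per-flow threats."""
    threats: list[Threat] = []
    for e in elements:
        threats.extend(element_threats(e))
    for f in flows:
        threats.extend(flow_threats(f))
    return threats


def sample_model() -> tuple[list[Element], list[Flow]]:
    """Constructed three-tier model: browser -> API -> database."""
    browser = Element("browser", "external", "internet")
    api = Element("api", "process", "dmz")
    db = Element("db", "store", "internal")
    flows = [
        Flow(browser, api, "https", encrypted=True, authenticated=True, carries_pii=True),
        Flow(api, db, "postgres", encrypted=False, authenticated=True, carries_pii=True),
    ]
    return [browser, api, db], flows


if __name__ == "__main__":
    for t in enumerate_threats(*sample_model()):
        print(f"[{t.category}] {t.target}: {t.description} -> {t.countermeasure}")
```

The value of encoding the model this way is that a change to the architecture (say, enabling TLS on the database connection) changes the threat list automatically, which is what lets threat modeling keep pace with a product rather than being a one-off workshop output.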

Enterprise Threat Modeling Tool by IriusRisk is an AI-infused, automated threat modeling solution that lets users augment existing efforts to map out architecture, pinpoint threats, and take action on a list of prioritized countermeasures. For compliance and auditing needs, IriusRisk offers a comprehensive library of security standards that can be applied to a model, mapping threats and countermeasures to the controls that address governance-related risks.

6 - Application Security Posture Management (ASPM) - Apiiro 

ASPM supports Secure by Design principles by giving a comprehensive view of application security throughout the software development lifecycle (SDLC). It provides continuous security monitoring even as new features and code are added to the application. Another benefit is that ASPM tools are usually good at integrating with other security tools, including several of the tool types above, correlating their findings to improve prioritization and insight.

Apiiro’s ASPM platform provides a deep, always up-to-date application and software supply chain inventory, with prioritization based on risk likelihood and impact. Its dynamic risk engine uses full-stack analysis to define and continuously recalculate risk. Risk dashboards and reports add further context for action.

7 - Software Composition Analysis (SCA) - Veracode 

Software Composition Analysis (SCA) focuses on identifying and managing the open-source components and third-party libraries used within software applications. SCA tools scan for known vulnerabilities, license and compliance issues, and end-of-life or unmaintained versions. Key aspects of SCA include discovering every open-source library and dependency used within the app, including the transitive dependencies pulled in indirectly, where most of the exposure usually hides, and checking each one against vulnerability databases.
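An added example of the core SCA mechanics, written for this article and not Veracode’s or any vendor’s code: it parses a pinned dependency manifest, checks each component against a vulnerability database using affected-version ranges, and emits a minimal SBOM-style inventory. The manifest and the advisory records are constructed for illustration (the `EXAMPLE-` identifiers are placeholders, not real advisories), and the version comparison assumes plain dotted numeric versions with no pre-release segments.

```python
"""Toy SCA check: pinned dependencies vs a vulnerability database, plus an SBOM.

Added example; not a vendor's product. The manifest and the advisory records
are constructed for illustration and the advisory IDs are placeholders.
"""

MANIFEST = """\
# constructed requirements.txt
requests==2.25.1
pyyaml==5.3.1
flask==3.0.0
"""

# Constructed advisories. "introduced" is inclusive, "fixed" is exclusive,
# the convention used by OSV-style range data.
ADVISORIES = [
    {"id": "EXAMPLE-0001", "package": "pyyaml", "introduced": "0", "fixed": "5.4",
     "severity": "critical"},
    {"id": "EXAMPLE-0002", "package": "requests", "introduced": "2.3.0", "fixed": "2.31.0",
     "severity": "medium"},
    {"id": "EXAMPLE-0003", "package": "flask", "introduced": "0", "fixed": "2.2.5",
     "severity": "high"},
]


def parse_version(v: str) -> tuple[int, ...]:
    """Dotted numeric versions only (assumption: no pre-release or local parts)."""
    return tuple(int(part) for part in v.split("."))


def parse_requirements(text: str) -> dict[str, str]:
    """Return {package: pinned_version}; unpinned lines cannot be assessed."""
    deps: dict[str, str] = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()          # drop comments and blanks
        if not line:
            continue
        if "==" not in line:
            raise ValueError(f"unpinned requirement, cannot assess: {line!r}")
        name, version = line.split("==", 1)
        deps[name.strip().lower()] = version.strip()
    return deps


def is_affected(version: str, introduced: str, fixed: str) -> bool:
    """True if introduced <= version < fixed, comparing numeric components."""
    return parse_version(introduced) <= parse_version(version) < parse_version(fixed)


def scan(deps: dict[str, str], advisories=ADVISORIES) -> list[dict]:
    """Match every installed component against the advisory list."""
    findings = []
    for adv in advisories:
        installed = deps.get(adv["package"])
        if installed and is_affected(installed, adv["introduced"], adv["fixed"]):
            findings.append({
                "package": adv["package"], "installed": installed,
                "advisory": adv["id"], "severity": adv["severity"],
                "fix": f"upgrade to >= {adv['fixed']}",
            })
    return findings


def build_sbom(deps: dict[str, str]) -> dict:
    """Minimal CycloneDX-style inventory (a subset of the real schema)."""
    return {
        "bomFormat": "CycloneDX",
        "specVersion": "1.5",
        "components": [
            {"type": "library", "name": name, "version": version,
             "purl": f"pkg:pypi/{name}@{version}"}
            for name, version in sorted(deps.items())
        ],
    }


if __name__ == "__main__":
    deps = parse_requirements(MANIFEST)
    for f in scan(deps):
        print(f"{f['severity']:>8}  {f['package']}=={f['installed']}  {f['advisory']}  {f['fix']}")
    print(len(build_sbom(deps)["components"]), "components in SBOM")
```

Two details matter in practice and are visible here: the check refuses unpinned requirements, because a range like `requests>=2` cannot be matched against an advisory, and the SBOM is generated from the same resolved inventory the scan used, so the two never disagree about what is actually deployed.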

Veracode SCA makes it easy to test immediately in your development environment, reduce fix time, and automate open-source policy and guidance. Veracode can generate an SBOM as an inventory of open-source components, detect license risk, manage usage, and avoid penalties, while keeping up to date with evolving open-source libraries.

8 - Developer-Centric Secure by Design Tool - Bex AI by IriusRisk 

Finding the ultimate ‘Secure by Design tool’ may not be an easy task. However, Bex, the AI Companion from IriusRisk, aims to provide guidance to developers on ways to make their products more secure. It is like talking to a helpful security colleague giving you actionable steps to mitigate and improve - all within Jira. In Atlassian Marketplace, Bex AI can be installed for free for a limited time. 

Bex responds to users in order to provide further information on why a problem was flagged, give additional context to cyber security threats, and to recommend ways of mitigating the threats. 

This conversational approach to security makes adoption of the plugin easy for development teams, with no limitation on use or scale. Developers don’t need to be security experts; Bex gives them a self-sufficient way to secure what they are working on. Taking action is as simple as:

  • Creating a Jira task or loading an existing one
  • Asking the Bex AI plugin to assess the issue
  • Reviewing the recommended actions
  • Adding the recommended actions as comments to the Jira task for further collaboration and implementation

9 - Secure by Design as a Framework

This last one isn’t a tool, as you might have gathered. However, if you are already implementing secure code reviews, DAST, or something similar, and are unsure if a specific tool can help further - perhaps you just need to adopt a Secure by Design approach to security instead. 

What does this mean? A Secure by Design framework is an approach or set of guidelines that an organization uses to build security considerations into the design and development phases of software, instead of bolting them on afterwards. Creating your own set of principles to ensure security is considered and acted on in the design phase not only produces more robust and secure applications, but also improves your security posture and understanding further.

The Cybersecurity and Infrastructure Security Agency (CISA) uses this description to explain what it means to be Secure by Design: ‘Products designed with Secure by Design principles prioritize the security of customers as a core business requirement, rather than merely treating it as a technical feature. During the design phase of a product’s development lifecycle, companies should implement Secure by Design principles to significantly decrease the number of exploitable flaws before introducing them to the market for widespread use or consumption. Out-of-the-box, products should be secure with additional security features such as multi-factor authentication (MFA), logging, and single sign-on (SSO) available at no extra cost.’

To hold yourself accountable as an organization, you could consider signing the CISA Secure by Design Pledge. ‘This is a voluntary pledge focused on enterprise software products and services, including on-premises software, cloud services, and software as a service (SaaS).’ It sets out goals that signatories commit to work towards over the following year, for example the CVE goal: ‘Within one year of signing the pledge, demonstrate transparency in vulnerability reporting.’

To conclude, there is no one-size-fits-all answer in cybersecurity, and in particular for Secure by Design products or services. You can define your own framework as described above, or adopt additional tools to augment and improve what you are already doing. As long as you focus on software security from inception rather than after a product is live, these steps to shift left will make your processes and mitigations stronger.