What is the best way to make sure a software product is secure?
The easiest way is to roll it out to the market, see what happens and hope everything goes well… no kidding, that is what most software developers do!
Let’s forget about what the majority of the software community does and look at the other ways:
1- Penetration testing: for decades this was the best resort. If you are a software developer and you test your software, then you are good. Of course, I do not want to get into the types, quality and results of the many ways of doing penetration testing, or even talk about how businesses rely on tools which are natively incapable of finding security flaws… I have been doing pen-tests for more than 2 decades and never used a particular ‘tool’ out of the box for that purpose.
But regardless of what is right and what is wrong in terms of penetration testing, putting software through this stage before, or even after, it reaches the market is smart, but it is also expensive: the developer needs to test every time the software changes, technically with each new version, although of course they can scope the testing to what has changed.
2- Secure code review: when, 2 decades ago, I suggested to one of my clients that they migrate to a system of constant checking and verification “before” even compiling the software, they thought I was crazy enough to ignore the great money paid for penetration testing, but I just wanted to make sure that a software product I was putting my verification stamp on had the better, easier, faster and cheaper way of finding security flaws, was more reliable, had more control and, in one sentence, had the right way of finding and mitigating security flaws.
Penetration testing is very good, but it is after the fact. I have seen many software products where fixing discovered vulnerabilities takes a long time, is expensive and in many situations is even impossible, so why not find those flaws before the final stages of development, or even before rolling out to market?
When to do secure code review?
- When compliance is a factor
- When the budget and other resources are limited
- When dealing with time-sensitive software projects
- When releasing hundreds of new versions annually
When to do penetration testing?
- Always!
- When testing only the software is not an option and the system and/or process are targeted
- When settings, configurations and workflows are important
Does either of them make the other unnecessary? In other words, can I skip secure code review just because I will have a comprehensive penetration test, or vice versa?
No! Skipping either of them means skipping one of the important phases of a software product’s lifecycle and corrupting the SDLC.