Chief Scientist Emeritus Fabian Yamaguchi and foundational Code Property Graph technology recognized with IEEE Test of Time Award

Shipping your software – and doing it on time – may be your first priority as a developer. However, as your company shifts security left, you need to build it into your processes while still meeting estimated timelines. Now you need to manage cross-functional communications and respond to seemingly competing priorities. You’re trying to debug the software and remediate the vulnerabilities that the security team found. 

With the OWASP Testing Framework, you can build security into your application development workflows, making it easier to meet deadlines. 

What is the OWASP Testing Framework?

Developed by the Open Web Application Security Project (OWASP), the OWASP Testing Framework suggests activities that development and AppSec teams can implement at various stages of the software development lifecycle (SDLC) to improve security and reduce costs. Intended to fit into any development methodology, the Testing Framework acts as a generic development model by proposing across five SDLC states:

  • Before development
  • Definition and design
  • Development
  • Deployment
  • Maintenance

Phase 1: Before Development

Waiting to do security testing until right before you push the application to production ultimately increases all your costs. Before outlining software requirements, you should consider where testing fits into your workflows. 

As part of defining where security sits in your SDLC, you should also:

  • Review policies and standards: Know the documentation you need, and document how people should respond to common issues.
  • Develop measurement and metrics: Define criteria to measure to ensure that you capture the data during the development process

Phase 2: Definition and Design

When building the requirements list, you’re used to thinking about who uses an application and how they use it. Today, the who and how overlap with the application’s security. For example, a non-technical user may not think to use multi-factor authentication. OWASP suggests identifying the following security mechanisms:

  • User management
  • Authentication
  • Authorization
  • Data confidentiality
  • Integrity
  • Accountability
  • Session management
  • Transport security
  • Tiered system segregation
  • Legislative and standards compliance (including privacy, government, and industry standards)

Additionally, you should incorporate security testing into the following:

  • Review design and architecture: Test models, textual documents, or other artifacts to save time and money by identifying security issues so you can make changes before development starts. 
  • Create and review Unified Modeling Language (UML) models: Review how the application should work to determine whether the system architect needs to address weaknesses or look for alternative approaches. 
  • Create and review threat models: Develop realistic threat scenarios so the organizations can analyze whether to mitigate, accept, or transfer responsibility. 

Phase 3: Development

In the definition and design phase, you’re building the map for how to develop the application. Just like taking a trip, you input the expected start and endpoints. However, as you code the application, you’ll likely need to make smaller decisions, much like taking a detour when you get stuck in unexpected traffic. 

During the development phase, OWASP suggests:

  • Performing code walkthroughs: Take a high-level look at the code with the security team so that you can explain the decisions made around logic and data flow.
  • Doing code reviews: Testing code for actual security defects

At a minimum, you should engage in a static code review that validates the code against checklists for issues with:

  • Availability, confidentiality, and integrity
  • Technical exposures aligned to OWASP Guide or Top Ten Checklists
  • Programming language or framework 
  • Industry-specific compliance requirements

To gain a comprehensive picture of your application’s security during the development process, you can automate secure code reviews for real-time review with the following:

  • Software composition analysis: identifying open-source software components to track potential vulnerabilities
  • Static application software testing (SAST): reviewing source code to identify vulnerabilities
  • Dynamic application software testing (DAST): testing against the business logic to identify ways attackers can exploit vulnerabilities

By building these tools into your development processes, you reduce the amount of time it takes to build secure code. For example, when you combine SCA, SAST, and DAST for a comprehensive, real-time code review, you gain visibility and insights into:

  • Risky components
  • Vulnerabilities in code
  • Whether attackers can use either the components or vulnerabilities during an attack

When you focus on remediating the vulnerabilities that attackers can actually use, you reduce the amount of time and work that securing your application takes. 

Phase 4: Deployment

Before the deployment phase, you should try to eliminate as many security issues as possible to reduce both costs and potential customer impact. 

OWASP explains that during this phase, your security testing should include the following:

  • Penetration testing: Actively looking for new vulnerabilities and ways to compromise the application. 
  • Configuration management testing: Examining the infrastructure’s security, including changing default settings

If you engage in comprehensive secure code testing during the development phase, then the penetration testing and issue remediation costs will be lower during the deployment phase. Further, when you get a clean bill of technical health from the penetration testers, your customers have greater confidence in your product. 

Phase 5: Maintenance and Operations

After deployment, you should have plans for monitoring the application’s security so that you can push updates before attackers exploit previously unknown vulnerabilities. 

At this point, you should consider:

  • Operational management reviews: Process for managing application and infrastructure
  • Periodic health checks: Regular reviews to ensure security level remains intact
  • Change verification: Reviewing changes made in the testing environment and deployed to production to ensure they don’t impact security 

Qwiet AI: Noise reduction for securing code during development

Qwiet AI’s platform enables developers to get the security insights they need without undermining their delivery times. Our Code Property Graph (CPG) gives you the combined visibility that you normally need separate SCA, Container Scanning, and SAST tools to achieve. With Qwiet AI’s Blacklight, you can use the first threat intelligence feed designed for application development to reduce the number of remediation activities by incorporating attacker behaviors into your analysis. 

Try Qwiet AI’s preZero platform for free to see how it enables you to implement the OWASP Testing Framework. 

About Qwiet AI

Qwiet AI empowers developers and AppSec teams to dramatically reduce risk by quickly finding and fixing the vulnerabilities most likely to reach their applications and ignoring reported vulnerabilities that pose little risk. Industry-leading accuracy allows developers to focus on security fixes that matter and improve code velocity while enabling AppSec engineers to shift security left.

A unified code security platform, Qwiet AI scans for attack context across custom code, APIs, OSS, containers, internal microservices, and first-party business logic by combining results of the company’s and Intelligent Software Composition Analysis (SCA). Using its unique graph database that combines code attributes and analyzes actual attack paths based on real application architecture, Qwiet AI then provides detailed guidance on risk remediation within existing development workflows and tooling. Teams that use Qwiet AI ship more secure code, faster. Backed by SYN Ventures, Bain Capital Ventures, Blackstone, Mayfield, Thomvest Ventures, and SineWave Ventures, Qwiet AI is based in Santa Clara, California. For information, visit: https://qwiet.ai

Share

Read Next

Cybersecurity
January 16, 2025 4 min to read

Unpacking the New White House Cybersecurity Executive Ord...

by Chris Hatter

The latest executive order on cybersecurity issued today, Jan 16 2024, covers a lot of ground across multiple cybersecurity domains, from software security to post-quantum cryptography. The White House is sending a clear message to both the public and private sectors that the threats from foreign adversaries are more dire than ever. It comes at […]

READ MORE
Cybersecurity
May 29, 2024 3 min to read

GitHub Copilot & Advanced Security : The Fox Guardin...

by Team Qwiet

GitHub Copilot, the AI-powered coding assistant, has emerged as a game-changer in the software development landscape. By harnessing the power of generative AI, Copilot promises to accelerate coding tasks, boost developer productivity, and even democratize coding by making it more accessible to newcomers. However, as with any transformative technology, there are caveats. In Copilot’s case, […]

READ MORE
AI Announcements Cybersecurity
April 29, 2024 4 min to read

The Qwiet AI Code Doctor Will See You Now – Introdu...

by Stuart McClure

Qwiet AI and the ancient Greek physicians like the father of medicine Hippocrates have much in common. Hippocrates highlighted the significance of a healthy diet and lifestyle in preventing diseases and acknowledged the root cause of physical and psychological ailments as diet and lifestyle choices (Διαιτήμασί in Greek), and now Qwiet AI is delivering his […]

READ MORE

Read Next

Cybersecurity
November 11, 2021 5 min to read

Does Your Health App Meet HIPAA Compliance Requirements?

On March 21, the Biden administration directed US companies to "harden your cyber defenses immediately." With these new federal guidelines for application security, the White House urged software developers to deploy "modern tools that can detect known and potential vulnerabilities" in their custom and open-source software (OSS). Learn more about how ShiftLeft can help.

READ MORE
Cybersecurity
June 22, 2022 3 min to read

The Progress We’ve Seen: 2022 AppSec Progress Report

In the age of digital transformation, every company has become a software company. And with software comes vulnerabilities and malicious attackers who will try to exploit them. These digital enterprises have been seeking a way to pre-empt, prevent, and defend themselves against these attacks–a way to shift security left. The concept and process of shifting […]

READ MORE
Cybersecurity
December 22, 2021 6 min to read

Looking back on the Log4j Weekend

By now you’ve probably already heard of the name “Log4j”. What happened Late November this year, a Chinese researcher named Chen Zhaojun privately disclosed to Log4j maintainers that version 2 of Log4j contains a critical vulnerability that allows unauthenticated remote code execution (RCE) in applications that utilize the library. On December 9th, the vulnerability was […]

READ MORE
Subscribe to newsletter
Privacy Policy Terms of Service © 2024 Qwiet. All rights reserved
Services
Company
Platform
Resources
Log In