Static Application Testing Code Review
Although security was once an afterthought in software development, it must now be considered throughout the entire software development lifecycle (SDLC). The lifecycle can be divided into three broad phases: design; development and verification; and production.
Securing a system requires different approaches and tools depending on where you are in the lifecycle. During the design phase, you rely on sound secure-design processes and reviews (and possibly formal methods such as specification or modeling languages). In the development and verification phase, you have code that you can touch and test: source that can be reviewed automatically, and builds that can be inspected while they execute. In production, all you can do is inspect the application while it runs. Automated review of code and inspection of a running application go by specific names: static analysis and dynamic analysis.
Static analysis is the examination of source code (or of object code after compilation) without executing it. Using techniques such as data-flow analysis, static analysis tools can uncover issues such as memory leaks, buffer overflows, and even concurrency issues. Because the tool reasons about every path the code could take rather than the paths it actually takes, it also produces false positives that a reviewer has to triage. Static analysis works by scanning one or more source files, building a representation of the scanned source (typically an abstract syntax tree or a control-flow graph), and analyzing that representation.
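To make the mechanism concrete, here is a small static analyzer written for this page (it is an added example, not a tool the page describes). It parses Python source into an abstract syntax tree and runs a forward data-flow pass that tracks which variables may hold attacker-controlled data, then flags calls that pass such data to a dangerous sink. The source, sink and sanitizer lists are assumptions chosen for illustration; real tools carry far larger catalogues and track flow across functions, containers and attributes.

```python
"""Minimal taint analysis over Python source: parse to an AST, propagate
taint forward through assignments, and report tainted arguments reaching
dangerous sinks. Added example; the source/sink/sanitizer sets are assumed."""
import ast

# Assumed taint sources: calls whose return value is attacker-controlled.
TAINT_SOURCES = {"input", "request.args.get", "request.form.get", "sys.stdin.readline"}
# Assumed sinks: calls where tainted input becomes an injection.
DANGEROUS_SINKS = {"os.system", "subprocess.call", "subprocess.run", "eval", "exec", "cursor.execute"}
# Assumed sanitizers: calls whose result is treated as clean.
SANITIZERS = {"shlex.quote", "int"}


def dotted_name(node):
    """Render an ast.Name / ast.Attribute chain as 'a.b.c'; None for anything else."""
    if isinstance(node, ast.Name):
        return node.id
    if isinstance(node, ast.Attribute):
        base = dotted_name(node.value)
        return f"{base}.{node.attr}" if base else None
    return None


def is_tainted(expr, tainted):
    """True if `expr` may carry tainted data, given the set of tainted variable names."""
    if isinstance(expr, ast.Call):
        name = dotted_name(expr.func)
        if name in TAINT_SOURCES:
            return True
        if name in SANITIZERS:
            return False            # sanitizer output is considered clean
    if isinstance(expr, ast.Name) and expr.id in tainted:
        return True
    return any(is_tainted(child, tainted) for child in ast.iter_child_nodes(expr))


class TaintAnalyzer(ast.NodeVisitor):
    """Flow-insensitive (no loop fixpoint) forward taint propagation."""

    def __init__(self):
        self.tainted = set()        # variable names that may hold tainted data
        self.findings = []          # (line, sink, argument source text)

    def visit_Assign(self, node):
        # x = <tainted expr> taints x; x = <clean expr> kills the taint.
        names = [t.id for t in node.targets if isinstance(t, ast.Name)]
        if is_tainted(node.value, self.tainted):
            self.tainted.update(names)
        else:
            self.tainted.difference_update(names)
        self.generic_visit(node)

    def visit_Call(self, node):
        sink = dotted_name(node.func)
        if sink in DANGEROUS_SINKS:
            for arg in node.args:
                if is_tainted(arg, self.tainted):
                    self.findings.append((node.lineno, sink, ast.unparse(arg)))
        self.generic_visit(node)


def analyze(source):
    """Return a list of (line, sink, argument) findings for the given source text."""
    analyzer = TaintAnalyzer()
    analyzer.visit(ast.parse(source))
    return analyzer.findings


# Constructed sample program: one command-injection flow, two sanitized flows.
SAMPLE = """\
import os, shlex, subprocess
name = input("name? ")          # taint source
cmd = "ls " + name              # taint propagates through concatenation
os.system(cmd)                  # sink: command injection
safe = shlex.quote(name)        # sanitizer kills the taint
os.system("ls " + safe)         # clean
count = int(input("n? "))       # int() is treated as a sanitizer
subprocess.run(["echo", str(count)])
"""

if __name__ == "__main__":
    for line, sink, arg in analyze(SAMPLE):
        print(f"line {line}: tainted argument {arg!r} reaches {sink}")
```

Note what the analyzer does not do: it has no loop fixpoint, no interprocedural flow, and no model of string methods, so a real tool would report more (and more false positives) on the same input. That gap between "every possible path" and "paths actually taken" is exactly where dynamic analysis comes in.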
Dynamic Application Testing
Dynamic application security testing (DAST) technologies are designed to detect conditions indicative of a security vulnerability in an application in its running state.
Dynamic analysis is the examination of a program while it runs. Like static analysis, dynamic analysis draws on a number of techniques depending on the data to be extracted. One use is measuring code coverage (the paths actually taken through the application during a test run). This is useful because paths never taken during testing are, by definition, untested, so any bugs or exploitable flaws on them go unnoticed. The flip side is that dynamic analysis can only report on what it executed: its findings are bounded by the inputs supplied to it.
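The following added example (not from the original page) shows the coverage idea at its smallest: a function is run under Python's `sys.settrace` hook, the lines that execute are recorded, and the executable lines that no input reached are reported. The record parser and the inputs are constructed for illustration; the two error branches are exactly the kind of untested path the text warns about.

```python
"""Dynamic analysis by line coverage: run a function under sys.settrace,
record which lines execute, and report the lines no test input reached.
Added example; target function and inputs are constructed."""
import dis
import inspect
import sys


def parse_record(data):
    # Constructed target: parses a <length byte><payload> record, with error paths.
    if len(data) < 1:
        raise ValueError("empty record")
    n = data[0]
    payload = data[1:]
    if n > len(payload):
        raise ValueError("length field exceeds payload")
    if n == 0:
        return (0, b"")
    return (n, payload[:n])


def executed_lines(func, calls):
    """Call `func` once per argument tuple in `calls`; return the set of
    line numbers in `func` that ran at least once."""
    code = func.__code__
    hit = set()

    def tracer(frame, event, arg):
        if frame.f_code is not code:
            return None             # only trace the target's own frames
        if event == "line":
            hit.add(frame.f_lineno)
        return tracer               # keep receiving events for this frame

    sys.settrace(tracer)
    try:
        for args in calls:
            try:
                func(*args)
            except Exception:
                pass                # an error path still counts as executed
    finally:
        sys.settrace(None)
    return hit


def executable_lines(func):
    """All line numbers of `func` that carry bytecode (the def line excluded)."""
    code = func.__code__
    return {ln for _, ln in dis.findlinestarts(code)
            if ln is not None and ln != code.co_firstlineno}


def missed_lines(func, calls):
    """Source text of the executable lines in `func` that `calls` never reached."""
    src, start = inspect.getsourcelines(func)
    missed = executable_lines(func) - executed_lines(func, calls)
    return [src[ln - start].strip() for ln in sorted(missed)]


# Constructed inputs: a "happy path" test suite, then the edge cases it forgot.
HAPPY_PATH = [(b"\x03abc",), (b"\x00",)]
EDGE_CASES = [(b"",), (b"\x05ab",)]

if __name__ == "__main__":
    for line in missed_lines(parse_record, HAPPY_PATH):
        print("never executed:", line)
    print("still missed after adding edge cases:",
          missed_lines(parse_record, HAPPY_PATH + EDGE_CASES))
```

Real coverage tools (coverage.py, gcov, llvm-cov, fuzzers' edge counters) do the same bookkeeping at scale and report branches rather than lines, but the security reading is identical: an uncovered error path is one nobody has fed hostile input to yet.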
Web Application Firewall (WAF)
A web application firewall (WAF) is an application-layer firewall for HTTP applications. It applies a set of rules to an HTTP conversation (requests and, in some products, responses). Generally, these rules cover common attack classes such as cross-site scripting (XSS) and SQL injection.
While a forward proxy generally protects clients, a WAF protects servers. A WAF is deployed in front of a specific web application or set of web applications, so it can be considered a specialized reverse proxy.
WAFs may come in the form of an appliance, a server plugin, or a filter, and their rules may be customized to an application (for example, allowing markup in a parameter that legitimately carries it). The effort to perform this customization can be significant and must be maintained as the application is modified, since a rule tuned for one release can start blocking legitimate traffic, or missing attacks, after the next.
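As an added example (not the page's own code, and not any vendor's product), here is a WAF in the "filter" form: a WSGI middleware that decodes and normalizes request parameters, matches them against a small signature rule set, and returns 403 before the application sees the request. The rules, the per-application exclusion list and the demo application are constructed for illustration; production signature sets such as the OWASP Core Rule Set are far larger and use anomaly scoring rather than a single-match block.

```python
"""A minimal WAF as a WSGI filter. Added example; rules, exclusions and the
demo application are constructed for illustration."""
import io
import re
from urllib.parse import parse_qs, unquote_plus

# Illustrative signatures (rule name, pattern), deliberately simple.
RULES = [
    ("sqli-union", re.compile(r"\bunion\b[\s/*]+(?:all[\s/*]+)?\bselect\b", re.I)),
    ("sqli-tautology", re.compile(r"'\s*or\s+'?\d+'?\s*=\s*'?\d+", re.I)),
    ("xss-script-tag", re.compile(r"<\s*script\b", re.I)),
    ("xss-event-handler", re.compile(r"\bon\w+\s*=", re.I)),
]

# Application-specific tuning: (path, parameter) pairs allowed to carry markup.
# This is the part that must be revisited whenever the application changes.
EXCLUSIONS = {("/admin/editor", "body")}


def normalize(value):
    """Percent-decode until stable so double-encoded payloads (%253C) do not
    slip past the patterns."""
    previous = None
    while value != previous:
        previous, value = value, unquote_plus(value)
    return value


def inspect_request(method, path, query, body=""):
    """Return the name of the first rule any parameter matches, or None."""
    params = parse_qs(query, keep_blank_values=True)
    if method == "POST":
        for name, values in parse_qs(body, keep_blank_values=True).items():
            params.setdefault(name, []).extend(values)
    for name, values in params.items():
        if (path, name) in EXCLUSIONS:
            continue
        for raw in values:
            value = normalize(raw)
            for rule_name, pattern in RULES:
                if pattern.search(value):
                    return rule_name
    return None


def waf_middleware(app):
    """Wrap a WSGI application so every request is inspected first."""
    def wrapped(environ, start_response):
        method = environ.get("REQUEST_METHOD", "GET")
        body = ""
        if method == "POST":
            length = int(environ.get("CONTENT_LENGTH") or 0)
            raw = environ["wsgi.input"].read(length)
            body = raw.decode("utf-8", "replace")
            environ["wsgi.input"] = io.BytesIO(raw)   # let the app read it again
        hit = inspect_request(method, environ.get("PATH_INFO", ""),
                              environ.get("QUERY_STRING", ""), body)
        if hit:
            start_response("403 Forbidden", [("Content-Type", "text/plain")])
            return [f"blocked by rule {hit}\n".encode()]
        return app(environ, start_response)
    return wrapped


def demo_app(environ, start_response):
    # Constructed stand-in for the protected web application.
    start_response("200 OK", [("Content-Type", "text/plain")])
    return [b"application response\n"]


protected_app = waf_middleware(demo_app)


def call(app, method, path, query="", body=""):
    """Drive a WSGI app in-process; returns (status line, response text)."""
    data = body.encode()
    environ = {"REQUEST_METHOD": method, "PATH_INFO": path, "QUERY_STRING": query,
               "CONTENT_LENGTH": str(len(data)), "wsgi.input": io.BytesIO(data)}
    captured = {}

    def start_response(status, headers, exc_info=None):
        captured["status"] = status

    text = b"".join(app(environ, start_response)).decode()
    return captured["status"], text


if __name__ == "__main__":
    print(call(protected_app, "GET", "/search", "q=shoes"))
    print(call(protected_app, "GET", "/search", "q=1%27%20UNION%20SELECT%20password%20FROM%20users"))
    print(call(protected_app, "GET", "/search", "q=%253Cscript%253Ealert(1)%253C/script%253E"))
    print(call(protected_app, "POST", "/comment", body="text=%3Cscript%3Ex%3C/script%3E"))
    print(call(protected_app, "POST", "/admin/editor", body="body=%3Cscript%3Ex%3C/script%3E"))
```

Two things in this toy show why WAF tuning is ongoing work. The exclusion for `/admin/editor` is what lets a legitimate rich-text form through; rename that endpoint in the next release and either the editor breaks or, if someone widens the exclusion, the protection does. And the crude `on\w+=` event-handler signature fires on an innocent value such as `online=yes`, a false positive that has to be handled by narrowing the rule or excluding the parameter, which is the maintenance burden the text refers to.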
Data Activity Monitor is intended to prevent unauthorized data access, alert on changes or leaks to help ensure data integrity, automate compliance controls, and protect against internal and external threats. Continuous monitoring and real-time security policies protect data across the enterprise without changes to, or a performance impact on, the data sources or applications. It is designed to protect data wherever it resides and to centralize risk controls and analytics, with a scalable architecture that provides visibility into data activity across a broad set of data source types, including big data platforms.
Data Encryption provides encryption capabilities to help safeguard on-premises structured and unstructured data and to comply with industry and regulatory requirements. The software performs encryption and decryption operations with minimal performance impact and requires no changes to databases, applications, or networks.