Where does IT Security begin?

Ballintrae regularly engage with clients who do a great deal of application development, whether it be by internal teams, offshore development partners or a combination of both.  When we ask how their own internal code is secured throughout the Software Development Life Cycle (SDLC), a surprising number of clients simply rely on an external Penetration Test prior to going live.

In the competitive world of Financial Services, and indeed any industry with an online presence, speed to market with improved functionality is vital in securing new customers and retaining existing ones.  The challenge with a simple reliance on Penetration Tests is that any vulnerabilities found in the in-house application have to be remediated prior to 'Go Live', putting even more pressure on the development teams and risking any scheduled release date.  For the larger application projects, development teams may well have to remediate vulnerabilities in software they wrote several months ago, with the associated challenges of remembering the business logic involved and hence how to fix the vulnerability without compromising the application functionality.

When Ballintrae engage with clients who develop their own software, we typically advise the adoption of a Secure SDLC process as global best practice.  Developer education is key to understanding security vulnerabilities and their implications in the first instance, but we firmly believe that the Developers themselves should be equipped with the security tools to correct their code as close to its creation as possible.  Ballintrae have partnered with Checkmarx in this area: their platform not only tells a Developer where they have coded a vulnerability in an application but, where there are multiple vulnerabilities, also informs the Developer of the optimal mitigation points, dramatically reducing development time spent on remediation.  This results in significant Developer buy-in to Secure SDLC and also ensures that application delivery is fully secured and on time when it comes to release into Production.

With such a simple way to secure the application that delivers vital services to end clients, Ballintrae believe that application security begins with the Developers themselves.  If you'd like to know more about how we can assist you with Secure SDLC adoption, or Checkmarx's platform, then please Contact Us.

