Agile Application Security: Enabling Security in a Continuous Delivery Pipeline by Bell Laura & Brunton-Spall Michael & Smith Rich & Bird Jim


Author: Bell, Laura & Brunton-Spall, Michael & Smith, Rich & Bird, Jim
Language: eng
Format: azw3
Publisher: O'Reilly Media
Published: 2017-09-08T04:00:00+00:00


If You Got Bugs, You’ll Get Pwned

We know that there is a strong connection between code quality and security. The more bugs you have, the more security problems you will have.

Research has found that up to half of software security vulnerabilities are caused by simple coding mistakes. Not design oversights or misunderstanding security black magic. Just silly, sloppy things like copy-and-paste or merge errors, not checking input parameters, bad — or no — error handling, brackets in the wrong spot.

Carnegie Mellon’s Software Engineering Institute has found that between 1% and 5% of all software defects are security vulnerabilities.1 This means that you can get a good idea of how secure your application is, based on how many bugs there are in your code.

Given that most software has somewhere between 15 and 50 bugs in every 1,000 lines of code (this is even after the code has been reviewed and tested), a small mobile application or web application with, say, 50,000 lines of code could easily have over 100 vulnerabilities.2 Remember that almost all modern applications contain a lot of open source code, so even if you are doing everything right when it comes to writing secure code, you can’t be sure that all the open source contributors were as careful, so you should lean toward an even higher number of vulnerabilities. Software quality problems — and security risk — increase significantly with the size of the code base. Large systems have much higher defect densities, which means these systems are increasingly more vulnerable.

Many high-profile security vulnerabilities, including Heartbleed and the Apple “goto fail” SSL bugs, were caused by coding mistakes that could have and should have been caught in code reviews or through disciplined unit testing. No security wizardry required. Just solid defensive coding and close attention to testing.
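The “goto fail” mistake is a good illustration of how an ordinary coding slip becomes a vulnerability, and of how a single unit test catches it. The C below is an added example written for this page, not the book’s or Apple’s code: the hash and signature steps are constructed stand-ins (a “valid” signature is eight 0x42 bytes), and `verify_buggy`, `verify_fixed`, `rejects_forgery` and `accepts_valid` are hypothetical names.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Constructed stand-ins for the real hash/signature steps (hypothetical). */
static int hash_update(const uint8_t *data, size_t len) {
    return (data != NULL && len > 0) ? 0 : -1;
}
static int signature_matches(const uint8_t *sig, size_t len) {
    static const uint8_t expected[8] = {0x42,0x42,0x42,0x42,0x42,0x42,0x42,0x42};
    return (len == sizeof expected && memcmp(sig, expected, len) == 0) ? 0 : -1;
}

/* Shape of the Apple bug: the duplicated goto is unconditional, so the
 * signature check below it is never reached and err is still 0 (success). */
int verify_buggy(const uint8_t *data, size_t dlen, const uint8_t *sig, size_t slen) {
    int err;
    if ((err = hash_update(data, dlen)) != 0)
        goto fail;
        goto fail;                      /* duplicated line, not under the if */
    if ((err = signature_matches(sig, slen)) != 0)
        goto fail;
fail:
    return err;
}

/* Defensive form: braces on every branch, no stray jump, check is reached. */
int verify_fixed(const uint8_t *data, size_t dlen, const uint8_t *sig, size_t slen) {
    int err;
    if ((err = hash_update(data, dlen)) != 0) {
        goto fail;
    }
    if ((err = signature_matches(sig, slen)) != 0) {
        goto fail;
    }
fail:
    return err;
}

typedef int (*verify_fn)(const uint8_t *, size_t, const uint8_t *, size_t);

/* The unit test the chapter calls for: 1 if a forged signature is rejected. */
int rejects_forgery(verify_fn verify) {
    const uint8_t msg[] = "hello";      /* constructed sample input */
    const uint8_t forged[8] = {0};      /* wrong signature bytes */
    return verify(msg, sizeof msg, forged, sizeof forged) != 0;
}

/* Companion check: 1 if a correct signature is still accepted. */
int accepts_valid(verify_fn verify) {
    const uint8_t msg[] = "hello";
    const uint8_t good[8] = {0x42,0x42,0x42,0x42,0x42,0x42,0x42,0x42};
    return verify(msg, sizeof msg, good, sizeof good) == 0;
}
```

Running `rejects_forgery` against both versions is the whole point: the buggy verifier accepts the forgery, the fixed one rejects it, and both still accept a valid signature, which is why a happy-path-only test suite would never have noticed.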





