A Practical Guide for Application Security Baselines in the Software Development Process


Research area: Analysis

Conference: Balkan Conference in Informatics

Abstract

Through a systematic review of the scientific literature, we summarize the most practical approaches to security in the application design phase. Incorporating threat modeling and secure design principles from the outset is critical to mitigating risk. Following secure coding guidelines helps avoid common software vulnerabilities, which means that software development teams should receive comprehensive training in secure coding techniques and integrate these practices into their workflows. In our paper we investigate practices, existing tools and literature and extract a methodology to be adopted by development teams. The first direction is the use of IDE plugins, which can increase awareness by providing real-time feedback. Using scores from tools such as Static Application Security Testing (SAST) and Software Composition Analysis (SCA) improves the quality process and gives a quantitative basis for decision-making during deployment, ensuring that vulnerabilities are addressed early. The second direction is embedding secure coding techniques in the early phases of the software development lifecycle, which helps to maintain agility without affecting the release cycle. The third direction is applying the principle of separation of environments, which ensures that development, testing, and production stages are isolated, reducing the risk of cross-environment contamination. Fourth, we propose using segregation of duties to further strengthen security by dividing responsibilities so as to prevent unauthorized access or changes. Security testing during the QA phase should include automation of best- and worst-case scenarios, authorization matrix tests, and Dynamic Application Security Testing (DAST) to uncover potential weaknesses. Finally, assessing the vulnerability status of the infrastructure, whether at the server or the serverless level, ensures comprehensive security coverage.
We furthermore propose regular external vulnerability scanning exercises, which provide an additional layer of security by identifying potential threats that may have been overlooked internally. By integrating these practices, organizations can maintain a robust security posture while preserving the agility and efficiency of their development processes.


Authors

Mariya Harseva, Sofia University St. Kliment Ohridski, Sofia, Bulgaria

Milen Petrov, Sofia University St. Kliment Ohridski, Sofia, Bulgaria

Paper information

Publication year: 2025
Citations: 0
Country of publication: Bulgaria
Site: Springer
Likes: 0

Related papers (310)