Ferruh Mavituna, Founder and CEO of Netsparker, was interviewed by Paul Asadoorian and host Larry Pesce for Paul's Security Weekly #557, with Jeff Man joining them via Skype. They talked about the role of dynamic application security testing (DAST) within the Software Development Life Cycle (SDLC).
- After explaining what the SDLC is, Ferruh noted the positive trend of bringing security into the cycle at the development stage ('SecDevOps'), so that secure coding is embedded early and deep in the development process. In DevOps it is important to have a short, continuous feedback loop that keeps up with every release cycle. Ferruh proposed that when developers write vulnerable code, they can be informed the same day, or even within minutes, provided the scans are fast enough.
- They discussed other reasons why it is valuable to bring security considerations in as early in the software development cycle as possible. Finding security issues and vulnerabilities early in the process is less expensive. The time lag between when the code is written and when it is fixed is shorter, so the code is still fresh in the developer's mind. And developers learn from the start how to write more secure code.
- They considered the challenges of implementing DAST and SAST in an organization. Part of the problem is perception: security testing is expected to produce false positives (an accuracy concern) and to slow down the pipeline (a speed concern). Netsparker addresses both concerns in its dynamic scanner: proof-based vulnerability detection confirms that a reported vulnerability is real and exploitable, and incremental scanning means that, after the initial scan, subsequent scans are much shorter.
- Everyone agreed that integrating DAST into the SDLC is the best possible solution, because the SDLC is the right place to tackle the problem. Application security teams are small relative to the number and size of the applications, websites and enterprise systems they have to secure. An automated web vulnerability scanner is therefore a requirement to keep pace with the speed and volume of development.
- Ferruh concluded by describing Netsparker's focus on integration. Netsparker can be integrated into and automated within an existing SDLC, even during the early stages of development, and it can be integrated with the other security tools in that SDLC. Ferruh singled out the recent work Netsparker has done to make integration easy through its Jenkins and TeamCity plugins.