Security is like any other development process: it's best to automate as much as you can. The most efficient approach to security is building security into every phase of the software development lifecycle (SDLC). We provide services that help our clients identify the critical points where security should be integrated in their SDLC and then automate the process so it becomes part of how they develop software.
Static security analysis is the process of using source code scanning products to automate the manual security code review process. Products such as HP Fortify and IBM AppScan Source search through your code to identify potential vulnerabilities. These tools give developers and security testers line-of-code evidence showing where a vulnerability exists, why that vulnerability matters, and how to remediate the finding.
These tools are best used as part of the development process, enabling developers to find issues early in the SDLC. We provide services to integrate these tools with common build systems, such as Apache Ant, Apache Jenkins, or Microsoft Team Foundation Server (TFS), to centralize the scanning process. We can also help with integrating these products with common bug tracking systems, such as Atlassian JIRA and Bugzilla.
Dynamic analysis of web applications is very different from source code analysis. Dynamic analyzers, such as HP WebInspect and IBM AppScan, simulate attacks against web applications and web services to identify vulnerabilities. These tools excel at showing you the "how".
Radix Security can help our clients automate these tools as part of the security process. After code is checked in and launched into a dev/test environment or production, a scan can be triggered. Many large companies and the Federal Government are also looking to implement a continuous monitoring program for web applications. The idea behind continuous monitoring is that, instead of scanning applications only during the development process, all web applications in production are scanned on a set frequency. Changes to applications in production can sidestep the security process, so this approach can be more accurate and timely. We can help customers identify their scanning needs and scale these products to scan large numbers of applications on any given frequency.
A new approach to application security is emerging called Runtime Application Self-Protection (RASP), which focuses on augmenting running applications with the capability to increase security log collection and actively detect attacks. Most web applications do not provide robust security logging, which greatly hampers the ability to detect attacks in real time and to collect forensic data after an attack. These products, such as HP AppDefender, provide greater situational awareness for applications and also provide the capability to stop active attacks. Because these products operate from within the application, they are much more accurate than Intrusion Prevention Systems (IPS) or Web Application Firewalls (WAF). Radix Security can help organizations implement and scale these products to protect running applications.