Secure Software Development: A Security Programmer’s Guide, First Edition

Objectives
• Understand the use of development tools in the industry
• Understand the use of development tools in the organization
• Understand the use of development tools in the cube
• Know how to maintain your toolbox

The Use of Development Tools in the Industry
• A development tool is any hardware or software device that is used to create a software program
• The industry is creating integrated tools that can seamlessly cross over multi-language programs, allowing the developer to compile, debug, and run any project anywhere
• Overall, the goals of the industry in issuing tools are as follows:
  – Providing total automation
  – Making the development process dependable and trustworthy
  – Keeping development costs down

The Use of Development Tools in the Industry (continued)
• Total Automation
  – Automation produces consistency
  – Taking a repetitive task that a developer has to perform and automating that task with the precision and speed of another piece of software (tool)
  – All tasks are:
    • Complete
    • Accurate
    • Efficient
    • Eliminating human error

The Use of Development Tools in the Industry (continued)
• Dependable Process
  – The software development process becomes more dependable when developers’ tasks move toward tested automation
  – Absolute dependability and trustworthiness, while desirable in theory, often are impossible to obtain in reality
    • Strive for increasing dependability and trustworthiness as much as is practically possible with tool automation

The Use of Development Tools in the Industry (continued)
• Keeping Development Costs Down
  – Many developers shy away from learning how to use new tools because:
    – Afraid that the time invested on the front end will not pay off on the back end
    – Not convinced that the tools, after being integrated into the development process, will pay dividends

The Use of Development Tools in the Industry (continued)
• Keeping Development Costs Down (continued)
  – The use of common tools often does save money—consistently so—due to the achievement of the following:
    • Sharing of similar designs and tasks
    • Dispersing of knowledge
    • Sharing of the talent pool

The Use of Development Tools in the Industry (continued)
• Keeping Development Costs Down (continued)
  • Sharing of similar designs and tasks
    – One big cost savings that stems from relying on tools for total automation is reusability
    – Typically, developers on one project do not interact with developers on another; for whatever reason, the tools and configuration used are hidden from other teams
    – Large companies often have hundreds of projects and separate applications being worked on by different teams, and it is possible to share similar designs and tasks throughout multiple projects

The Use of Development Tools in the Industry (continued)
• Keeping Development Costs Down (continued)
  • Dispersing of knowledge
    – A development process that relies on tool automation for code development and deployment isn’t jeopardized because of the loss of key individuals
    – Using tools instead of the heroics of talented individuals enables other developers to strengthen their skills and knowledge of the system as well, making the team strong as a whole

The Use of Development Tools in the Industry (continued)
• Keeping Development Costs Down (continued)
  • Sharing of the talent pool
    – In addition to applications sharing the same tools and tasks, they can also share the same human resources
    – If the development tools are the same and all the applications in the company are coded and designed in a similar fashion, the developers can go from one project to another with no problem

The Use of Development Tools in the Organization
• Choosing tools for software development cannot be done by the development team alone
• Organizations are always on the lookout for newer techniques and tools that make their current processes more efficient
• Tool recommendations by the developers and tool selections by the overall development team are based on certain criteria and rationales gathered from an evaluation process:
  – Understanding the company’s infrastructure and constraints
  – Evaluating only industry-standard tools

The Use of Development Tools in the Organization (continued)
• Company Infrastructure and Constraints
  – What software and/or licenses are available to the development team is largely determined by the types of servers, operating systems, and support the company has
    • Platforms
      – J2EE
      – .NET
      – Mainframe
      – Embedded

The Use of Development Tools in the Organization (continued)
• Company Infrastructure and Constraints (continued)
  – Working within and Outside of Comfort Zones
    • Because of the complexity of modern applications, it is extremely important that each developer on the same project use the exact same tool as his or her colleagues
      – Most programmers tend to favor one construction tool over another because that’s all they know
    • Code that is developed by one tool does not necessarily integrate well with other tools

The Use of Development Tools in the Organization (continued)
– Having all developers on the team use the same tool is important for the following reasons:
  • Help factor: If one person has a problem trying to get a tool to automate a feature such as turning off debugs, it can be hard for the other programmers to help because they might not be familiar with that tool or because that tool doesn’t have the automated capability that the other tools do
  • Integration factor: Developers do not have that much time to read through one another’s code statements; the code needs to read the same so that their eyes can be trained to look in the same areas for certain specifics
  • Configuration factor: All tools need to be configured to work with one another; if the tool set is different, configurations might or might not work
  • Code maintenance: Code becomes easier to maintain because of the common look and feel
  • Same code translation: Code is compiled from the same version of compilers

The Use of Development Tools in the Organization (continued)
– Open Source versus Proprietary
  • Proprietary tools charge a fee for license(s), either per seat or per server, and they are owned by the company that issues the tools
  • Open source tools are free to use in accordance with the open source license agreement, typically the General Public License, and are owned by the originating author
* Avoid having licensed tools issued to the names of individuals on the team

The Use of Development Tools in the Organization (continued)
– Evaluating and Using Industry Standard Tools
  • Evaluate only those development tools that are industry accepted and widely used in various software projects
    – These tools are usually very well documented and tested
    – Easier to get support or to find working examples on how to do something
    – When the need arises to hire additional team members, finding programmers with industry-standard tool experience is easier

The Use of Development Tools in the Organization (continued)
– Tools should be evaluated on the following criteria:
  • Does the tool satisfy the need?
  • Does the tool help find security vulnerabilities?
  • Is the tool readily available?
  • Is the tool easy to use?
  • Does the tool integrate with other technologies and tools that are currently used on the project?
  • Does the tool have visibility and reporting features?

The Use of Development Tools in the Organization (continued)
– Does the tool satisfy the need?
  • First and foremost, the tool selected needs to satisfy the need
  • All tools will come with a trial version; take the time to download, configure, and use it
– Does the tool help find security vulnerabilities?
  • Security tools scan binary code for common vulnerability traits found in modern software
  • Security tools act a lot like antivirus software tools that scan computer files
  • The human eye and brain cannot compete against the accuracy and precision of these types of tools

The Use of Development Tools in the Organization (continued)
– Is the tool readily available?
  • From time to time, there is a need to reinstall all of your tools and reconfigure the developer’s box
  • Tools need to be readily available when your PC gets blown away
– Is the tool easy to use?
  • It is hard to find the time for learning how to use the newest tools
  • Tools you select should be user friendly and simple to figure out

The Use of Development Tools in the Organization (continued)
– Does the tool integrate with other technologies and tools that are currently used on the project?
  • Software applications require an army of tools to help keep things running smoothly
  • Make sure tools work with current software configuration
  • Open source tools have been moving in this area for quite some time
  • Proprietary tools, on the other hand, tend to integrate well only with other tools in their family (i.e., IBM, Microsoft)

The Use of Development Tools in the Organization (continued)
– Does the tool have visibility and reporting features?
  • Management needs to quantify the spending versus improvements
  • Tools that you select should come with a “workbench” feature
  • Management likes to see improvements in the form of graphs, charts, or percentages
  • Tools should report progress and information to the development team

The Use of Development Tools in the Cube
– The right tool for the right job makes all the difference in the world
– If you want to grow within the ranks of software development, you need to know how to master your tool types
  • Tools that assist in writing code
  • Tools that enhance quality
  • Tools that enhance security
  • Tools that assist with deployment

The Use of Development Tools in the Cube (continued)
– Tools That Assist in Writing Code
  • Today’s code assistants are faster and much more accurate than old Notepad or VI editors
  • Code intelligence watches the syntax entered and tries to assist the developer by catching typos or broken If statements up front before the compile process
  • The most popular tools for code assistance are called integrated development environments (IDEs)

The Use of Development Tools in the Cube (continued)
– Tools That Assist in Writing Code (continued)
  • Code editors: These are code assistants built in to the GUI that autofill method signatures, brackets, and key words
  • Compilers: These tools turn programming languages into machine code (binary) that the CPU can use
  • GUIs: These are sophisticated screens that allow click and drag, text box fill-ins, and other user-friendly features while building the code, XML files, or configuration files behind the scenes
  • Global Search Tools: These tools allow developers to search for all instances of keywords, object names, or methods

The Use of Development Tools in the Cube (continued)
– Tools That Assist in Writing Code (continued)
  • Automated Refactoring Tools: These tools refactor code for the developers so that logic is broken up into smaller modules
  • Automated Debuggers: These packaged debug tools step through the code while executing
    – This tool allows developers to see how the code executes and what the values of each parameter and variable are during run time
  • Integrated Test Servers: These tools execute code either as stand-alone programs or on built-in application servers; the server tools emulate production servers so what happened on the developer’s machine (execution steps) will also happen on production machines

The Use of Development Tools in the Cube (continued)
– Tools That Enhance Quality
  • Quality tools not only analyze application code for quality issues but also the resources the code uses
  • So many applications share the same resources; you, as the developer, have to consider whether your own actions will cause problems for everyone else
    – Heap Management: Nothing diminishes application performance like inefficient code
    – Profiling: Sometimes, the way developers think they coded the application isn’t always reflected in how the application runs

The Use of Development Tools in the Cube (continued)
– Tools That Enhance Security
  • Today’s generation of security tools “can only tell you if you’re in deep trouble, not how secure the application is” (McGraw 2006, p. 23)
  • The use of security tools within the development process comes with a twofold benefit
    – It allows the programmers to eliminate all the susceptible code that the tools found
    – It raises the awareness of potential security vulnerabilities

The Use of Development Tools in the Cube (continued)
– Tools That Assist with Deployments
  • Deployment tools assist with the building and deploying of application code
  • They are essential to a secure development process because they automatically off-load the work of file transfers and the building of executables or JAR files without being tainted by non-tested software
  • Deployment tools include the following:
    – Code repositories
    – Code transportation

The Use of Development Tools in the Cube (continued)
– Code Repositories
  • A code repository is used for code storage
  • Code repositories allow the programmer to check in the code from the workstation and into a centralized data house
  • Offers an opportunity to centralize the backups of source code and ensure that current backups of the entire repository are available for recovery in case of a failure
    – Code sharing: All other programmers have access to the latest and greatest without stepping on one another’s code
    – Versioning/baseline: Developers can manage which features go out in the next version
    – Centralizing storage: This allows the code to be deployed from one centralized place

The Use of Development Tools in the Cube (continued)
– Build Management
  • ANT (Another Neat Tool), located at http://ant.apache.org/, is an XML-based tool that calls out targets (or specific tasks) in a treelike structure
  • Developers use ANT version control tools when doing code deployments from one environment to another
  • ANT replaces all the manual tasks that developers do before deploying code
    – FTP (File Transfer Protocol) code: Automatically FTPs code files from one machine to another
    – Get code: Automatically interfaces with version control software
    – Move code: Takes files or directories and moves them anywhere desirable
    – Message code: Changes parameters automatically
    – Compile code: Turns ASCII files into class files (binary)
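
The treelike target structure described on this slide, shown as an added example that is not from the book or the Ant project: a build.xml for a hypothetical project named orders-app, where each target lists the targets it depends on. All paths, property names and the db.url and deploy.* values (expected in a build.properties file) are assumptions.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Added example: hypothetical project "orders-app"; every path, host and
     property name below is constructed for illustration. -->
<project name="orders-app" default="package" basedir=".">

  <!-- Environment-specific values (db.url, deploy.*) are kept outside the
       build file, in build.properties. -->
  <property file="build.properties"/>
  <property name="src.dir"     value="src"/>
  <property name="conf.dir"    value="conf"/>
  <property name="build.dir"   value="build"/>
  <property name="classes.dir" value="${build.dir}/classes"/>
  <property name="dist.dir"    value="${build.dir}/dist"/>
  <property name="jar.file"    value="${dist.dir}/orders-app.jar"/>

  <target name="clean" description="Remove output of earlier builds">
    <delete dir="${build.dir}"/>
  </target>

  <target name="init" depends="clean">
    <mkdir dir="${classes.dir}"/>
    <mkdir dir="${dist.dir}"/>
  </target>

  <!-- "Compile code": .java source files become .class files.
       debug="false" keeps debug information out of the release build. -->
  <target name="compile" depends="init">
    <javac srcdir="${src.dir}" destdir="${classes.dir}"
           includeantruntime="false" debug="false"/>
  </target>

  <!-- "Move code" and parameter changes: copy configuration files and
       replace the @DB_URL@ token with the value for this environment. -->
  <target name="configure" depends="init">
    <copy todir="${classes.dir}">
      <fileset dir="${conf.dir}" includes="**/*.properties"/>
      <filterset>
        <filter token="DB_URL" value="${db.url}"/>
      </filterset>
    </copy>
  </target>

  <target name="package" depends="compile,configure">
    <jar destfile="${jar.file}" basedir="${classes.dir}"/>
    <!-- Write a SHA-256 digest next to the JAR so the receiving side can
         check that the file it got is the file that was built. -->
    <checksum file="${jar.file}" algorithm="SHA-256" fileext=".sha256"/>
  </target>

  <!-- "FTP code": ftp is an optional Ant task that needs the commons-net
       library on Ant's classpath. -->
  <target name="deploy" depends="package">
    <ftp server="${deploy.host}" userid="${deploy.user}"
         password="${deploy.password}" remotedir="${deploy.dir}"
         binary="yes" passive="yes">
      <fileset dir="${dist.dir}"/>
    </ftp>
  </target>
</project>
```

Running `ant deploy` walks the tree from the leaf upward: clean, init, compile, configure, package, then deploy, in the same order on every machine.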

Knowing How to Maintain Your Toolbox
– After the construction tools have been selected, configured, and programmed to carry out tasks, they will become almost permanently embedded within the overall construction process for that project
– The developers will establish such reliance on these tools
  • If they were to break or not work one day, the whole process of developing, testing, and deploying code might be jeopardized
– The following are two ways to maintain your tool selection:
  • Reevaluating what you have
  • The Application Guide

Knowing How to Maintain Your Toolbox (continued)
– Reevaluating the Tools in Your Toolbox
  • Reevaluating and ultimately replacing existing tools isn’t as easy as it sounds
  • Diligent research and testing need to be conducted before placing a new tool into the current development toolbox
  • Tool reevaluation requires diligent impact analysis and coordinated efforts

Knowing How to Maintain Your Toolbox (continued)
– When New Is Better
  • When new tools or upgraded versions hit the market, it usually means that there is a solution available that is better than the one you have now
  • New tools allow the developers to expand their horizons and take on different challenges
  • Generally, you will replace tools when:
    – Increased security is required
    – Support runs out
    – New requirements exist; the new tool offers features that do not exist in the old tool
    – Compatibility (with other upgrades) is required

Knowing How to Maintain Your Toolbox (continued)
– When New Is Not Better
  • Every year, new tools and versions enter the market and older ones become obsolete or hard to find
    – New tools can also introduce new problems
    – Generally, you will not replace tools when:
      » You are simply enamored by the latest and greatest version of a selected tool on the market
      » Your existing tool isn’t broken; replacing tools and updating the Application Guide can be very time consuming
      » There is no plan to analyze and test the new tool for threats and/or risks

Knowing How to Maintain Your Toolbox (continued)
– The Application Guide Is Part of the Toolbox
  • As we have learned in previous chapters, the Application Guide is the one document that holds the process together
  • A big portion of the guide has to do with tools: which ones to use, how they are configured, and where they exist
  • The Application Guide is the configuration management document for the toolbox

Summary
– Tools make the development process dependable and trustworthy through the use of automation after the tools are tested
– Industry tools and their usage keep costs down
– All organizations have specific policies and procedures on which tools are available
– IT architecture is an important part of availability; the developers need to know what policies exist before they investigate which tools to use

Summary (continued)
– Proprietary and open source tools both have advantages and disadvantages
– Realize that proprietary tools come with loads of options and full-time support
– Developers need tools that deal with quality and security
– For code to be secure, it must first be of high quality and vice versa
– There should be many tools in the developer’s toolbox that will assist in the development and deployment of code

Summary (continued)
– When tools make it into the product mix of the development process, they become part of the rules and methods of that project
– Every developer on the team should be using the same tools for the same reasons
– Enforce this use in the Application Guide
– Replace or upgrade tools only when necessary
– Don’t use the latest and greatest just because it’s the latest release