Application Security
Securing applications is a critical responsibility of the CUIT CISO Office. Application Security (AppSec) combines people, processes, and tools to ensure the security and reliability of custom applications. AppSec includes training on secure coding practices, developing secure application development programs, source code scanning, and thorough testing to identify code vulnerabilities and comply with CUIT IT policies and standards.
Established Scanning and Remediation
- Code Scanning: Scans are performed during code commit, build, and deployment to detect vulnerabilities.
- Remediation: AppSec works with development teams to resolve the vulnerabilities found.
Key Scanning Techniques
- SAST (Static Application Security Testing): Analyzes source code to identify vulnerabilities early in development.
- SCA (Software Composition Analysis): Manages open-source components, detects outdated libraries, and ensures compliance.
- DAST (Dynamic Application Security Testing): Tests running applications for runtime vulnerabilities like authentication flaws.
- API Security: Evaluates APIs for issues like improper authentication and data exposure.
- Container Security: Analyzes containerized applications to identify vulnerabilities in images and configurations.
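The two techniques most often confused are SAST (which parses your own source) and SCA (which checks the third-party components you pull in). The script below is an added illustration of that difference and is not code from CUIT or from any scanning product; the source snippet, lockfile and advisory table are constructed for the example, and the advisory IDs are placeholders rather than real advisories.

```python
"""Toy SAST-style and SCA-style checks on constructed inputs."""
import ast

# Constructed sample source, standing in for a file a SAST scanner would parse.
SAMPLE_SOURCE = '''\
import subprocess

def list_dir(user_input):
    # shell=True with a command string built from input: injection risk
    subprocess.call("ls " + user_input, shell=True)

def list_dir_safe(user_input):
    # argument list, no shell: the input becomes a single argv entry
    subprocess.call(["ls", user_input])
'''


def sast_shell_true_findings(source):
    """SAST-style check: parse the code and return (line, message) for every
    subprocess.* call that passes shell=True with a non-constant command."""
    findings = []
    for node in ast.walk(ast.parse(source)):
        if not isinstance(node, ast.Call):
            continue
        func = node.func
        if not (isinstance(func, ast.Attribute)
                and isinstance(func.value, ast.Name)
                and func.value.id == "subprocess"):
            continue
        shell_true = any(
            kw.arg == "shell"
            and isinstance(kw.value, ast.Constant)
            and kw.value.value is True
            for kw in node.keywords
        )
        if not shell_true or not node.args:
            continue
        # A literal command string is not attacker-influenced; anything else is flagged.
        if not isinstance(node.args[0], ast.Constant):
            findings.append(
                (node.lineno,
                 f"subprocess.{func.attr} with shell=True and non-constant command")
            )
    return findings


# Constructed pinned-dependency manifest (pip requirements style).
SAMPLE_LOCKFILE = """\
requests==2.19.0
pyyaml==6.0.1
"""

# Constructed advisory table: package -> (first fixed version, placeholder ID).
SAMPLE_ADVISORIES = {
    "requests": ((2, 20, 0), "EXAMPLE-ADV-0001"),
    "pyyaml": ((5, 4, 0), "EXAMPLE-ADV-0002"),
}


def parse_version(text):
    """Turn '2.19.0' into (2, 19, 0) so versions compare numerically."""
    return tuple(int(part) for part in text.split("."))


def sca_findings(lockfile, advisories):
    """SCA-style check: return (package, pinned version, advisory ID) for every
    pinned dependency that is older than the advisory's fixed version."""
    findings = []
    for line in lockfile.splitlines():
        line = line.strip()
        if not line or "==" not in line:
            continue
        name, version = line.split("==", 1)
        name = name.lower()
        if name in advisories:
            fixed_in, adv_id = advisories[name]
            if parse_version(version) < fixed_in:
                findings.append((name, version, adv_id))
    return findings


if __name__ == "__main__":
    for lineno, msg in sast_shell_true_findings(SAMPLE_SOURCE):
        print(f"SAST  line {lineno}: {msg}")
    for name, version, adv_id in sca_findings(SAMPLE_LOCKFILE, SAMPLE_ADVISORIES):
        print(f"SCA   {name}=={version}: {adv_id}")
```

The SAST check flags only the `list_dir` call, because it reasons about the code's structure (a `shell=True` keyword plus a non-literal command), while the SCA check never looks at the code at all and flags `requests==2.19.0` purely from the manifest. Real scanners do both with far richer rules and live advisory feeds, but the split in what each one inspects is the same.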
CloudDefense
To strengthen our application security practices, we have acquired CloudDefense, a powerful tool for comprehensive security assessments. CloudDefense seamlessly integrates with the SDLC, offering advanced scanning capabilities across multiple domains:
- SAST: Detects security flaws during coding and build phases.
- SCA: Ensures third-party components are secure and compliant.
- DAST: Identifies runtime vulnerabilities in live applications.
- API Security: Secures API endpoints by identifying misconfigurations.
- Container Scanning: Evaluates container images and configurations for risks.
If any CU Department is interested in using CloudDefense, please contact [email protected]