Security tools and application lifecycle management

Security and security tools have become more necessary to the application lifecycle, according to recent research. In this response, expert John Overbaugh discusses why security tools are essential to ALM and explains how he sees security activities expanding in the future.

Are security tools considered to be a part of application lifecycle management (ALM)?

Security tools are absolutely a core component of application lifecycle management. As the security industry has matured over the years, research has shown that security activities are necessary throughout the entire application lifecycle. Numerous commercial ALM products have begun to include security functionality, and many build security activities directly into their lifecycle management features.

To understand why, it’s important to recognize the role of security at each phase of the development lifecycle. During requirements gathering, security requirements must be considered (in fact, privacy requirements are also an important consideration at this stage). Some lifecycles lump security-related requirements in with functional or technical requirements, whereas others categorize them separately to emphasize their importance. Regardless of which categorization method a team uses, accounting for security in the requirements stage is critical. Good ALM applications help teams gather these requirements in the planning or design phase of a project.

As the project transitions to the design phase, additional security activities are required. Threat modeling is probably the best-known example of these activities. By modeling threats within application design, product teams can uncover flaws and poorly designed features. They can also identify high-risk areas which will need additional attention during the implementation and testing phases. All of this information creates project output – documentation, implementation tasks, and test cases. In some instances (especially where HIPAA or PCI are a concern) this documentation is required for compliance purposes.

When projects enter the implementation phase, tools become critically important. Static code analysis tools are useful in automating some of the security burden; these tools often come from commercial ALM vendors and can, at times, be integrated into the ALM suite. As the project transitions to the testing phase, the test cases developed during the requirements, design, and implementation phases are executed. Automated security testing tools, such as application scanning technologies, can aid the team in assessing application security and gathering results. Output from these tests can be tied back to requirements, tasks, and test cases. The ALM application helps teams by providing a centralized repository that accounts for all activities within the implementation and testing phases.

As security becomes more mainstream and is seen less as a parallel activity and more as a core practice in the application lifecycle, ALM vendors will include more and more related functionality in their existing product offerings. Teams and customers alike will benefit because security will be seen as an equal partner to other ALM activities such as functional testing or performance testing. Planning, executing and reporting on security-related activities and requirements will become a seamless component of the overall application lifecycle.

This was first published in September 2011
