
3 Critical Things You Can Do During A Code Freeze With Contrast

It's fast approaching the time of year when retail stores initiate a code freeze in advance of the holiday season. The last thing any developer wants is for their code to be hacked during the craziness that has become the holiday shopping season. Making a mistake during Black Friday or Cyber Monday could cost millions to your retail operations and send your sought-after customers running toward the competition. Not a good start to the holiday shopping season.

Why Initiate a Code Freeze

To ensure a safe season, many businesses initiate a code freeze where all major changes to applications and websites are essentially frozen. During the software development life cycle you move naturally through different phases. When one ends, the next one begins. As an application industry we've learned that when deadlines are looming and people are rushing, mistakes get made. Trying to rush last-minute code into a package is a recipe for mistakes.

Normally done 30 days before the Thanksgiving weekend, a code freeze keeps development from going into production. Should an emergency pricing or product issue arise, you can upload quick patches to accommodate, but the vast majority of code remains frozen.

So What Do I Do With My Team During A Code Freeze?

During a code freeze, programmers and developers can do lots of things. Productive things. Like learning Morse Code. (OK, not really.) Code freezes do offer a time for programmers and developers to fine tune things they have put on the back burner. Contrast makes it easy to automate security tests, so here are three critical things you can work on with Contrast during a code freeze:

  1. Make sure you're getting great security testing coverage. Scanning tools don't actually test all of your application. In fact, their coverage is often well below 50%. Contrast shows you exactly what parts of your application have been tested and which haven't. It's easy to expand your coverage by browsing your application or writing Selenium style tests to exercise your application. If it's not covered, it's not secure.

  2. Add custom rules to verify your custom access control mechanisms. Access control is almost always a custom implementation created by your development team. This means that generic rules won't be able to identify missing or broken access control vulnerabilities. Contrast allows you to quickly specify how your authorization scheme is supposed to work. Then it will identify a vulnerability any time the code doesn't match your new rule.

  3. Stamp out some of those less-critical vulnerabilities. Now might be a great time to go back and clean up all the medium and low vulnerabilities in Contrast. Things like cache-control headers, clickjacking protections, and so on. You'll be glad you did.
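As an added illustration of the medium and low findings named in item 3 (this is example code written for this post, not Contrast's own rules), the following script audits captured response headers for missing clickjacking protection and for sensitive pages that shared caches may store. The `SENSITIVE_PREFIXES` list and the sample responses are constructed assumptions.

```python
from typing import Dict, List, Tuple

# Hypothetical rule: paths under these prefixes return user-specific data
SENSITIVE_PREFIXES = ("/account", "/checkout", "/admin")


def audit_response(path: str, headers: Dict[str, str]) -> List[Tuple[str, str]]:
    """Return (severity, message) findings for one HTTP response."""
    h = {k.lower(): v for k, v in headers.items()}  # header names are case-insensitive
    findings: List[Tuple[str, str]] = []

    # Clickjacking: accept X-Frame-Options DENY/SAMEORIGIN or a CSP frame-ancestors directive
    xfo = h.get("x-frame-options", "").strip().upper()
    csp = h.get("content-security-policy", "").lower()
    if xfo not in ("DENY", "SAMEORIGIN") and "frame-ancestors" not in csp:
        findings.append(("medium", f"{path}: no clickjacking protection "
                                   "(X-Frame-Options or CSP frame-ancestors)"))

    # Cache-Control: sensitive responses must not be stored by shared caches
    if path.startswith(SENSITIVE_PREFIXES):
        directives = {d.strip() for d in h.get("cache-control", "").lower().split(",")}
        if "no-store" not in directives and not {"private", "no-cache"} <= directives:
            findings.append(("low", f"{path}: sensitive response lacks "
                                    "Cache-Control: no-store (or private, no-cache)"))
    return findings


def audit_all(responses: Dict[str, Dict[str, str]]) -> List[Tuple[str, str]]:
    """Audit a map of path -> response headers and collect every finding."""
    out: List[Tuple[str, str]] = []
    for path, headers in responses.items():
        out.extend(audit_response(path, headers))
    return out


# Constructed sample: three captured responses from a hypothetical storefront
SAMPLE_RESPONSES = {
    "/": {"Content-Type": "text/html", "X-Frame-Options": "SAMEORIGIN"},
    "/account/orders": {"Content-Type": "text/html",
                        "Cache-Control": "public, max-age=600"},
    "/checkout": {"Content-Type": "text/html", "Cache-Control": "no-store",
                  "Content-Security-Policy": "default-src 'self'; frame-ancestors 'none'"},
}

if __name__ == "__main__":
    for severity, message in audit_all(SAMPLE_RESPONSES):
        print(f"[{severity}] {message}")
```

Running it on the sample reports two findings, both for `/account/orders`; the other two responses pass because they carry either an `X-Frame-Options` value or a CSP `frame-ancestors` directive and, where sensitive, `no-store`.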

If you haven't started with Contrast yet, a code freeze is a great time to give it a spin. You could take 8 minutes out of your day to watch how a continuously monitoring application security dashboard can change the way you think about security.

Developing a robust application security program does not need to be a daunting task...

Perhaps all it takes is rethinking your existing program and moving to one that leverages a continuous application security (CAS) approach. Organizations practicing CAS quickly determine how a new risk affects them, design a defense strategy, and measure their progress to 100% coverage. By implementing eight functions within an enterprise you can assemble an effective application security program.

Jeff Williams, Co-Founder, Chief Technology Officer

Jeff brings more than 20 years of security leadership experience as co-founder and Chief Technology Officer of Contrast Security. He recently authored the DZone DevSecOps, IAST, and RASP refcards and speaks frequently at conferences including JavaOne (Java Rockstar), BlackHat, QCon, RSA, OWASP, Velocity, and PivotalOne. Jeff is also a founder and major contributor to OWASP, where he served as Global Chairman for 9 years, and created the OWASP Top 10, OWASP Enterprise Security API, OWASP Application Security Verification Standard, XSS Prevention Cheat Sheet, and many more popular open source projects. Jeff has a BA from Virginia, an MA from George Mason, and a JD from Georgetown.