Teaching developers to write secure code, helping security professionals find security flaws in source code, producing application security metrics and reports with integrity checks and audit trails. If you want to implement an SDLC that produces secure software with the audit trails and reports frequently demanded by auditors and management you need to acknowledge that these are key constituents and implement them in a form that is both easy to understand and use.
This is far easier to talk about than it is to implement in the real world where well structured SDLC’s are rare and application security programmes are usually under funded. Working with developers, security professionals and management to cultivate an environment where secure code is written and flaws found consistently requires both time and money. The same can be said for producing informative reports and metrics when all of your security code review data resides in notepad, Word and Excel files. With these problems in mind I developed Agnitio to be my security code review Swiss army knife and released it as a free tool in late 2010.
In this demonstration filled talk I will show how Agnitio can be used to addresses repeatability, integrity and audit trail concerns by requiring the creation of application profiles, the use of a security code review checklist consisting of over 60 application security questions and mandatory integrity checks for reviews and reports created using the tool. I will demonstrate how the inbuilt secure coding and security code review guidance modules allow developers and security professionals to access the information they need precisely when they need it. I will also show how Agnitio automatically creates metrics and reports bringing much needed visibility to the security code review process with no extra effort required from the reviewer, developers or management.
Agnitio v2.0 will be released during this talk which will see Agnitio’s already powerful feature set expanded to include more secure coding and security code review guidance, additional report types, developer and reviewer focused metrics and an automated source code analysis module.