Sunday, August 19, 2012

Controls for Achieving Continuous Application Security in the Web Application Development Life Cycle


Given the choice, every organization would want secure Web sites and applications, from the Web application development phase all the way through the software development life cycle. So why is that such a challenge to achieve? The answer lies in the processes (or lack thereof) that are in place.

While individual, ad hoc Web application security assessments will certainly help improve the security of an application or Web site, once everything is fixed, changes to your applications and newly discovered vulnerabilities mean new security problems will arise. So unless you put security controls and continuous quality assurance in place throughout the software development life cycle, from early development through production, you are never going to achieve the high level of ongoing security you need to keep systems safe from attack, and the costs of fixing security weaknesses will remain high.

In the first two articles, we covered many of the essentials you need to know for conducting security assessments of Web applications, and how to remediate the vulnerabilities those assessments uncover. And if your organization is like most, the first couple of Web application assessments were nightmares: reams of low-, medium- and high-severity vulnerabilities were found and needed to be fixed by the Web application development team. The process required difficult decisions on how to fix applications as quickly as possible without affecting systems in production or unduly delaying scheduled application rollouts.

But these early Web application assessments, while agonizing, provide excellent learning experiences for improving the software development life cycle. This article shows how to put organizational controls in place to make the process as painless as possible and an integral part of your Web application development efforts. It is a brief overview of the quality assurance processes and technologies needed to start developing applications as securely as possible from the beginning, and to keep them that way. No more big surprises. No more delayed deployments.

Secure Web Application Development: people, processes and technology

Creating highly secure applications begins early in the software development life cycle, with the developers. That is why instilling application security knowledge through Web application development training is one of the first things you will want to do. Not only do you want developers armed with the latest knowledge on how to code securely, and on how attackers exploit weaknesses, you also want them to know how important (and how much more efficient) it is to consider security from the outset. This awareness building should not end with the Web application development team. It needs to include everyone who plays a role in the software development life cycle: the quality assurance and testing teams, who need to know how to correctly identify potential security flaws, and the IT management team, who need to understand how to invest organizational resources most effectively to develop secure applications, and how to properly evaluate essential technologies such as Web application security scanners, Web application firewalls, and quality assurance tools.

By building awareness throughout the Web application development life cycle, you are establishing one of the most central controls necessary to ensure the security of Web applications. And while training is essential, you cannot rely on it alone to ensure that systems are built securely. That is why training must be reinforced with additional controls and technology. You must begin to implement the elements of a secure software development life cycle, or SDLC.

Essential Elements of Secure Software Development Life Cycle Processes

A secure software development life cycle means having policies and procedures in place that consider, and enforce, secure Web application development from conception, through the definition of functional and technical requirements, design, coding and quality testing, and while the application lives in production. Developers must be trained to incorporate security best practices and checklists into their work: Have they checked their database query filters, or validated proper input handling? Is the application being developed in line with international programming best practices? Will the application comply with regulations such as HIPAA and PCI DSS? Putting these types of procedures in place will drastically improve security during the Web application development process. Having developers check input fields and look for common programming errors as the application is being written will also make future application assessments flow much more smoothly.

While developers need to test and evaluate the security of their applications as they are being developed, the next important test of the software development life cycle processes comes after the Web application development cycle has been completed. This is when the entire application, or a module, is ready to be sent to the formal testing phase conducted by quality assurance and security assessors. It is during this phase of the software development life cycle that quality assurance testers, in addition to their typical duties of ensuring that performance and functional requirements are met, look for potential security problems.

Companies make the mistake, at this stage, of not including members of the IT security team in the process. We believe that IT security should have input throughout the software development life cycle, lest a security problem surface later in the Web application development process, when what could have been a small problem is now a big problem.

Putting these types of processes in place is a tough job, and it may seem expensive at first. But the truth is that the payoff can be huge: your applications will be more secure, and your future security assessments will not feel like fire drills. There are software development life cycle models and methodologies that can help guide you, such as the Application Security Assurance Program (ASAP), which lays out a number of guiding principles necessary for building secure code, including executive commitment, considering security from the beginning of Web application development, and the adoption of metrics to measure coding and process improvements over time. A good introduction is The Security Development Lifecycle by Michael Howard and Steve Lipner (Microsoft Press, 2006).

How Technology Helps You Implement and Maintain a Secure SDLC

Human nature being what it is, people tend to slip back into their old, sloppy habits if the new behaviors (the software development life cycle processes discussed earlier) are not enforced. This is where technology can play a role. The right tools not only help automate the security assessment and secure coding process, but can also help keep in place the Web application development framework necessary for success.

As discussed in the first article of this series, at a minimum you will need a Web application security scanner to assess your custom-built as well as your purchased software. Depending on the size of your Web application development team, and how many applications you are working on at any given time, you should consider other tools to improve your software development life cycle processes as well. For example, quality assurance tools are available that integrate directly into the application performance and quality testing programs that many companies already use, such as those from IBM and HP. With security integrated into quality and performance testing, quality assurance teams can handle functional and security testing simultaneously from a single platform.

Put Baselines in Place (But Keep It Simple in the Early Days)

Now that security training is in place, and you have a consistent and reliable methodology for developing Web applications along with the assessment and development tools you need, it is a good time to start measuring your progress.

At first, all these changes to your software development life cycle processes will feel disruptive and time consuming. So executives and managers, as well as the Web application development team and auditors, will certainly want to see results from all the new work you have put in place. Everyone will want metrics and baselines: Are our applications more secure? Are developers coding better? The only way to answer these questions is to start measuring progress. But at the beginning, do not fall into the trap of measuring too much.

In the early days of putting software development life cycle processes in place, we strongly advise you to keep the measurements simple. Do not get overwhelmed with tracking too many types of vulnerabilities. In fact, you probably do not want to try to track and stamp out every class of vulnerability at once. We have seen this mistake made many times: companies try to fix the vulnerabilities discovered in every part of the software development life cycle in one big bang. Then, at the end of a year, they end up with a dozen completely vulnerable applications and without a penny left to fix everything that needs fixing. They end up scrambling, discouraged, and getting nowhere. This is not the way to do it.

That is why we have learned that a sensible, and achievable, way to begin securing the Web application development process is to decide which are your most common and serious vulnerabilities. If they include SQL injection or logic errors that could provide unauthorized access to an application, then those are your initial goal. Choose the most critical vulnerabilities that will make significant differences, according to your assessments and the nature of your systems and business. Those are the first vulnerabilities you want to track during their march to extinction (at least from your applications).

Once the Web application development team is used to the process of fixing certain classes of vulnerabilities, you can add the next most urgent class (or two) of vulnerabilities to the mix. By slowly adding new classes of vulnerabilities to your formal software development life cycle processes, you will have the opportunity to iron out any problems or bottlenecks in the process. And your Web application development team will grow increasingly accustomed to the process. There will be big wins, and over months and years, you will see marked improvement over your first baselines.

By putting in place the key controls and technologies described in this article, you are now on the road to Web application development that is consistently secure. Your reward will be a software development life cycle process that runs much more smoothly and cost effectively; you will have caught problems early in the development process, so regulatory audits will go more smoothly. And you will have greatly reduced the chances of a successful attack against your website.
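The phased tracking described above can be sketched as follows. This is an added example, not part of the original article: it counts findings only for vulnerability classes already in scope and reports each class against the baseline from the assessment where its tracking began. The assessment labels, class names and counts are constructed, and `PLAN`, `ORDER` and the function names are hypothetical.

```python
from collections import Counter

# Hypothetical tracking plan: vulnerability class -> first assessment in which
# it is formally tracked. Two critical classes start at once; XSS is phased in.
ORDER = ["A1", "A2", "A3", "A4"]  # assessment labels, oldest first
PLAN = {"sql_injection": "A1", "auth_bypass": "A1", "xss": "A3"}

def _f(assessment, vuln_class, n):
    """Build n constructed findings of one class for one assessment."""
    return [(assessment, vuln_class)] * n

# Constructed sample findings; the counts are illustrative only.
FINDINGS = (
    _f("A1", "sql_injection", 10) + _f("A1", "auth_bypass", 4) + _f("A1", "xss", 15)
    + _f("A2", "sql_injection", 6) + _f("A2", "auth_bypass", 2)
    + _f("A3", "sql_injection", 3) + _f("A3", "auth_bypass", 1) + _f("A3", "xss", 12)
    + _f("A4", "sql_injection", 1) + _f("A4", "xss", 9) + _f("A4", "verbose_errors", 6)
)

def tracked_counts(findings, plan, order):
    """Per assessment, count findings only for classes already in scope."""
    counts = {a: Counter() for a in order}
    for assessment, vuln_class in findings:
        start = plan.get(vuln_class)
        if start is not None and order.index(assessment) >= order.index(start):
            counts[assessment][vuln_class] += 1
    return counts

def progress(findings, plan, order):
    """Map each tracked class to (baseline, latest, percent change)."""
    counts = tracked_counts(findings, plan, order)
    report = {}
    for vuln_class, start in plan.items():
        baseline = counts[start][vuln_class]  # count when tracking began
        latest = counts[order[-1]][vuln_class]
        # A zero baseline has no meaningful percentage change.
        change = None if baseline == 0 else round(100 * (latest - baseline) / baseline)
        report[vuln_class] = (baseline, latest, change)
    return report

if __name__ == "__main__":
    for vuln_class, (base, latest, change) in progress(FINDINGS, PLAN, ORDER).items():
        print(f"{vuln_class}: baseline={base} latest={latest} change={change}%")
```

Findings for classes outside the plan, or found before a class enters scope, are deliberately left out of the metric so the early reports stay small and comparable.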
