Controls for Attaining Continuous Application Security in the Web Application Development Life Cycle

Given a choice, every organization would want secure Web sites and applications from the Web application development phase all the way through the software development life cycle. But why is that such a challenge to attain? The answer is in the processes (or lack thereof) that they have in place.

Controls for Attaining Continuous Application Security in the Web Application Development Life Cycle 1

While individual and ad hoc Web application security assessments certainly will help you improve the security of that application or Web site, soon after everything is remedied, changes in your applications and newfound vulnerabilities mean new security problems will arise. So, unless you put into place continuous security and quality assurance controls throughout the software development life cycle, from the initial phases of Web application development through production, you’re never going to reach the high levels of ongoing security you need to keep your systems safe from attack–and your costs associated with fixing security weaknesses will continue to be high.

In the first two articles, we covered many of the essentials you need to know when conducting Web application security assessments and how to remedy the vulnerabilities those assessments uncovered. And, if your organization is like most, the first couple of Web application assessments were nightmares: reams of the low, medium and high vulnerabilities were found and needed to be fixed by your web application development team. The process required that tough decisions be made on fixing the applications as quickly as possible without affecting systems in production or unduly delaying scheduled application rollouts.

But those first few web application assessments, while agonizing, provide excellent learning experiences for improving the software development life cycle. This article shows you how to put the organizational controls to make the process as painless as possible and an integrated part of your Web application development efforts. It’s a succinct overview of the quality assurance processes and technologies necessary to begin developing applications as securely as possible from the beginning and keeping them that way. No more big surprises. No more delayed deployments.

Secure Web Application Development: People, Process, and Technology

Building highly secure applications begins early in the software development life cycle with your developers. That’s why instilling application security awareness through Web application development training is one of the first things you want to do. You not only want your developers armed with the latest knowledge on how to code securely–and how attackers exploit weaknesses–but you want them to know how important (and much more efficient) it is to consider security from the start. This awareness-building shouldn’t end with your Web application development team. It needs to include everyone who plays a part in the software development life cycle: your quality and assurance testing teams, who need to know how to properly identify potential security defects, and your IT management team, who need to understand how to invest organizational resources most effectively to develop security applications, as well as how to successfully evaluate such essential technologies as Web application security scanners, Web application firewalls, and quality assurance toolsets.

By building awareness throughout the Web application development life cycle, you’re building one of the most central controls necessary to ensure the security of your Web applications. And while training is essential, you can’t depend on it to make certain that your systems are built securely. That’s why training needs to be reinforced with additional controls and technology. You need to begin to place the elements of a Secure Software Development Life Cycle, or SDLC.

Essential Elements of Secure Software Development Life Cycle Processes

A secure software development life cycle means having the policies and procedures in place that consider–and enforce–secure Web application development from conception through defining functional and technical requirements, design, coding, quality testing and while the application lives in production. Developers must be trained to incorporate security best practices and checklists in their work: Have they checked their database query filtering or validated proper input handling? Is the application being developed to be compliant with best programming practices? Will the application adhere to regulations, such as HIPAA or PCI DSS? Putting these types of procedures in place will dramatically improve security during the Web application development process. Having developers check field inputs and look for common programming mistakes as the application is being written also will make future application assessments flow much more smoothly.

More Articles :

While developers need to test and assess the security of their applications as they’re being developed, the next major test of the software development life cycle processes comes after the Web application development is completed. This is when the entire application, or a module, is ready to be sent to the formal testing phase conducted by quality assurance and security assessors. During this phase of the software development life cycle, quality assurance testers, in addition to their typical tasks of making sure performance and functional requirements are met, look for potential security problems.

Companies make a mistake during this phase of not including members of the IT security team. It’s our opinion that IT security should have input throughout the software development life cycle, lest a security issue surface later in the Web application development process–and what could have been a small problem is now a big problem.

Putting these types of processes in place is difficult to work and may seem onerous at first. But the truth is that the payoff can be huge: your applications will be more secure, and your future security assessments won’t feel like fire drills. In addition, there are software development life cycle models and methodologies that could help direct you, such as the Application Security Assurance Program (ASAP), which puts some guiding principles in place necessary for building secure code, including executive commitment, considering security from the beginning of Web application development, and the adoption of metrics to measure coding and process improvements over time. A good primer is The Security Development Lifecycle by Michael Howard and Steve Lipner (Microsoft Press, 2006).

How Technology Helps Enforce and Maintain the Secure SDLC

Human nature being what it is, people tend to slip back into their old sloppy ways if new behaviors (the software development life cycle processes we discussed earlier) are not enforced. That’s where technology can play a role. The right tools not only help to automate the security assessment and secure coding process; they also can help keep in place the Web application development framework necessary for success.

As discussed in the first article of this series, you’ll need a Web application security scanner to assess your custom-built as well as your commercially acquired software at the very minimum. Depending on the size of your Web application development team and how many applications you’re working on at any given time, you’ll want to consider other tools that will improve your software development life cycle processes as well. For instance, quality and assurance tools are available that integrate directly into application performance and quality testing programs that many organizations already use, such as those from IBM and HP. With this integration of security into the quality and performance testing, quality assurance teams can concurrently manage functional and security testing from a single platform.