Implementing Vulnerability Remediation Strategies Within the Web Application Development Lifecycle

Once you’ve completed a security assessment as a part of your web application development, it’s time to go down the path of remediating all of the security problems you uncovered. At this point, your developers, quality assurance testers, auditors, and your security managers should all be collaborating closely to incorporate security into the current processes of your software development lifecycle to eliminate application vulnerabilities. And with your Web application security assessment report in hand, you probably now have a long list of security issues that need to be addressed: low, medium, and high application vulnerabilities; configuration gaffes; and cases in which business logic errors create a security risk. For a detailed overview of how to conduct a Web application security assessment, look at the first article in this series, Web Application Vulnerability Assessment: Your First Step to a Highly Secure Web Site.

Application Lifecycle Management

First Up: Categorize and Prioritize Your Application Vulnerabilities

The first stage of the remediation process within web application development categorizes and prioritizes everything that needs to be fixed within your application or Web site. From a high level, there are two classes of application vulnerabilities: development errors and configuration errors. As the name says, web application development vulnerabilities arose through the application’s conceptualization and coding. These are issues residing within the actual code or workflow of the application that developers will have to address. Often, but not always, these types of errors can take more thought, time, and resources to remedy. Configuration errors require system settings to be changed, services to be shut off, and so forth. Depending on how your organization is structured, your developers may or may not handle these application vulnerabilities. Oftentimes they can be handled by application or infrastructure managers. In any event, configuration errors can, in many cases, be set straight swiftly.

At this point in the web application development and remediation process, it’s time to prioritize all of the technical and business-logic vulnerabilities uncovered in the assessment. In this straightforward process, you first list your most critical application vulnerabilities with the highest potential of negative impact on the most important systems to your organization and then list other application vulnerabilities in descending order based on risk and business impact.

Develop an Attainable Remediation Roadmap

Once application vulnerabilities have been categorized and prioritized, the next step in web application development is to estimate how long it will take to implement the fixes. If you’re not familiar with web application development and revision cycles, it’s a good idea to bring in your developers for this discussion. Don’t get too granular here. The idea is to get an idea of how long the process will take and get the remediation work underway based on the most time-consuming and critical application vulnerabilities. The time, or difficulty estimates, can be as simple as easy, medium, and hard. And remediation will begin with the application vulnerabilities that pose the greatest risk but those that will take the longest to time correct. For instance, get started on fixing complex application vulnerabilities that could take considerable time to fix first and wait to work on the half-dozen medium defects that can be rectified in an afternoon. By following this process during web application development, you won’t fall into the trap of having to extend the development time or delay an application rollout because it’s taken longer than expected to fix all of the security-related flaws.

This process also provides for excellent follow-up for auditors and developers during web application development: you now have an attainable road map to track. And this progression will reduce security holes while making sure development flows smoothly.

It’s worth pointing out that any business-logic problems identified during the assessment need to be carefully considered during the prioritization stage of web application development. Many times, because you’re dealing with logic – the way the application actually flows – you want to consider how these application vulnerabilities are to be resolved carefully. Unfortunately, what may seem like a simple fix can turn out to be quite complicated. So you’ll want to work closely with your developers, security teams, and consultants to develop the best business-logic error-correction routine possible and an accurate estimate of how long it will take to remedy.

In addition, prioritizing and categorizing application vulnerabilities for remediation is an area within web application development. Consultants can play a pivotal role in helping lead your organization down a successful path. Some businesses will find it more cost-effective to have a security consultant provide a few hours of advice on how to remedy application vulnerabilities; this advice often shaves hundreds of hours from the remediation process during web application development. More Articles :

More Articles :

One of the pitfalls you want to avoid when using consultants during web application development is failure to establish proper expectations. While many consultants will provide a list of application vulnerabilities that need to be fixed, they often neglect to provide the information that organizations need to remedy the problem. It’s important to establish the expectation with your experts, whether in-house or outsourced, to provide details on fixing security defects. The challenge, however, without the proper detail, education, and guidance, is that the developers who created the vulnerable code during the web application development cycle may not know how to fix the problem. That’s why having that application security consultant available to the developers, or one of your security team members, is critical to make sure they’re going down the right path. In this way, your web application development timelines are met, and security problems are fixed.

Testing and Validation: Independently Make Sure Application Vulnerabilities Have Been Fixed

When the next phase of the web application development lifecycle is reached, and previously identified application vulnerabilities have (hopefully) been mended by the developers, it’s time to verify the posture of the application with a reassessment or regression testing. For this assessment, the developers mustn’t be the only ones charged with assessing their own code. They already should have completed their verification. This point is worth raising because companies often make the mistake of allowing developers to test their own applications during the reassessment stage of the web application development lifecycle. And upon verification of progress, it is often found that the developers not only failed to fix flaws pegged for remediation, but they also have introduced additional application vulnerabilities and numerous other mistakes that needed to be fixed. That’s why it’s vital that an independent entity, whether an in-house team or an outsourced consultant, review the code to ensure everything has been done right.