Web applications are in a constant state of change, and organizations need to implement an ongoing process for ensuring security and protecting critical assets and information.
With all of the ongoing updates to web application environments, the enterprise is faced with the constant challenge of ensuring the proper security posture to protect data from hacker attacks.
Infrastructure and web applications change frequently, and security policies must evolve in the same way. By implementing web application security as a change management best practice, organizations can proactively protect their resources from attack by economically motivated hackers, and they can document compliance with any relevant legislation for protecting information, such as HIPAA or the Sarbanes-Oxley Act.
The implementation of a best practice will ensure accountability throughout the enterprise. While "best practice" definitions are subject to interpretation, various associations have defined methodologies for best practices both generally and within vertical industries.
Security challenges across industries can be reduced to a single issue: whether the organization is taking reasonable and appropriate steps to safeguard important assets.
Web application security best practices start with risk assessment, prioritization and implementing reasonable protection for the privileged information that is most at risk. The following are some recommendations for maintaining the appropriate levels of security in a dynamic web application environment.
Organizations need to define clear lines of ownership and responsibility for important business processes and applications, creating an organizational map that explicitly identifies who is responsible for security measures implemented during the application change process and how events will be escalated.
This is critical because individual components and security measures often get implemented in different departments throughout the application lifecycle, including within the lines of business, in development, quality assurance, audit and IT organizations.
Add volatility metrics
Risk assessment is used to determine which assets to protect, typically by determining the relationship between the value of the information and its vulnerability to attack. High-value data is naturally the most important information to protect, and highly vulnerable applications are naturally the most commonly targeted. Based on this analysis, the organization can prioritize its security requirements and focus its efforts.
But risk assessment measures should go beyond the traditional metrics – such as the value of the data or transactions, the level of vulnerability and the viability of protection solutions – to also assess the rate of change in applications and their environment.
Any applications that change frequently or are often updated or patched are at a higher risk of vulnerability exposure. The more frequently an application changes, the greater the chance of introducing security risks unaccounted for in existing security measures. And hackers are more likely to assail vendor applications that are known to be highly volatile because of the increased chance of success.
Secure your staging areas
A staging area is your last chance to ensure security before deploying web applications into production, so it is important to scan for vulnerabilities at this stage to identify any potential security threats – after testing is complete, but before changes are deployed.
Identifying security ownership for staging areas helps eliminate the risk of exposure in production environments.
The use of automated assessment tools enhances security at the staging area and throughout the application lifecycle. Application-layer protection should be deployed during staging to mimic the production environment, further ensuring that changes do not create security deficiencies.
Establish triggers for shift in policy
By scanning web applications throughout the change management cycle, firms can continuously assess vulnerability and establish and enforce policies that can be automatically implemented in firewalls to protect web applications.
While many security measures can be developed and implemented automatically, organizations should nevertheless identify events that trigger a new assessment of the current state of security. It is wise to design and implement a process for proactively determining the events that will cause the enterprise to reconsider existing security policies. Unfortunately, for many organizations, that event trigger is an attempted hack into business-critical web applications.
Ideally, pre-determined event triggers will automatically invoke security policy reviews for high-risk applications. These triggers can include updates to internally developed applications, new releases of vendor-developed software applications, alerts received about emerging threats and spikes in suspicious activity.
Create a security policy scorecard
Best practices for web application security include the ability to document security measures, to proactively assess security infrastructure and periodically conduct forensics analysis.
Establish a checklist to assess ownership and security policies as part of the enterprise change management procedure, measuring security trade offs on a regular basis and reviewing policies to support evolving security requirements. A dynamic security policy scorecard is a useful tool to help organizations identify exposures over time and continuously improve application protection.
The enterprise can implement best practices for security throughout the design, development, deployment and maintenance of web applications. Managing security as a process augmented by assessment and real-time protection technologies can enable security to be enforced according to business rules.
Jeannine Bartlett is vice-president of product strategy for Kavado Inc.