Timing security practices for web application success

Over the past year, writes Caleb Sima, many organizations began using web application security assessment tools and discovered that many of the vulnerabilities they found could not simply be patched, because they stemmed from insecure application development practices.

Organizations are learning, from experience, that the best time to address application security is during the development phase, when there is still an opportunity to effect change without impacting users. And the time to fix vulnerabilities is before they compromise an organization's infrastructure.

But applications also remain exposed over the long term: new classes of application vulnerability are continually discovered, and ongoing updates introduce new code that the original review never saw.

Since security is not directly tied to functional requirements, users do not ask for it, and developers generally fail to put in the time needed to ensure that applications are secure. In addition, some developers do not believe application security is necessary at all.

Get your timing right

Even developers who do see the importance of web application security usually view it as a task that is performed as part of the QA process. As a result, many web applications may be functionally rich but are vulnerable to unwanted intrusions and attacks at the application layer.

Furthermore, many development organizations view security as an event to be completed just once during the development process. In these cases, security becomes the responsibility of a single group, such as quality assurance or internal audit. Once that group signs off on an application, it is deemed secure.

But web applications are not static. Every change to a web application creates risk, turning what was once secure into something vulnerable. If security is treated as a single event, a vulnerability that enters the system after the audit will go undetected.

Lifecycles and security

Security should not be an oversight or afterthought, or viewed just as an event. Rather, it should be viewed as a process and incorporated throughout the development lifecycle to ensure web applications are built securely, and stay that way. This includes defining security as part of both the functional and technical requirements of an application.

Once requirements are complete, security should be modeled as part of the analysis and design of the application. Secure coding practices then help ensure the application is built in a secure manner. QA should build and execute its test plan with security specifically targeted, and the application must be deployed in an environment that has been hardened. Once deployed, periodic security audits in the production environment confirm that the application remains secure as it is updated.
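As an added illustration (example code, not part of the original article), the following Python sketch shows what "QA executes its test plan with security specifically targeted" and "re-auditing after every update" look like when they are automated: a small set of cross-site scripting regression checks run against each release of a profile-rendering function. Release 1 passed an audit; release 2 added a website link after that audit and reintroduced an injection flaw; the same checks catch it, and pass again once the new field is handled safely. The renderers, the payload list and the function names are constructed for this example and are not from any real product.

```python
import html
from urllib.parse import urlsplit

# Release 1: the profile renderer as it was when it passed the security audit.
# Both user-controlled fields are HTML-escaped before being placed in the page.
def render_profile_v1(name: str, bio: str) -> str:
    return (
        "<div class='profile'>"
        f"<h1>{html.escape(name)}</h1>"
        f"<p>{html.escape(bio)}</p>"
        "</div>"
    )

# Release 2: a "website" link added after the audit. The new field is inserted
# into an attribute without escaping or scheme validation, reopening XSS.
def render_profile_v2(name: str, bio: str, website: str) -> str:
    return (
        "<div class='profile'>"
        f"<h1>{html.escape(name)}</h1>"
        f"<p>{html.escape(bio)}</p>"
        f"<a href='{website}'>Website</a>"
        "</div>"
    )

def safe_href(url: str) -> str:
    """Allow only http(s) links and escape quotes so the attribute cannot be broken out of."""
    if urlsplit(url).scheme not in ("http", "https"):
        return "#"
    return html.escape(url, quote=True)

# Release 2 as it should have shipped: same feature, attribute handled safely.
def render_profile_v2_fixed(name: str, bio: str, website: str) -> str:
    return (
        "<div class='profile'>"
        f"<h1>{html.escape(name)}</h1>"
        f"<p>{html.escape(bio)}</p>"
        f"<a href='{safe_href(website)}'>Website</a>"
        "</div>"
    )

# Constructed test cases: (payload, fragment that must never appear in the output).
# Each targets a different injection context: element body, attribute breakout, URL scheme.
XSS_CASES = [
    ("<script>alert(1)</script>", "<script>"),
    ("' onmouseover='alert(1)", "onmouseover='alert(1)"),
    ("javascript:alert(1)", "href='javascript:"),
]

BENIGN = "Alice"  # harmless filler for the fields not under test

def xss_regressions(render, field_count: int) -> list:
    """Feed every payload into every user-controlled field of `render`.

    Returns the (field index, payload) pairs whose forbidden fragment leaked
    into the rendered HTML; an empty list means the release passes the gate.
    """
    failures = []
    for index in range(field_count):
        for payload, forbidden in XSS_CASES:
            args = [BENIGN] * field_count
            args[index] = payload
            if forbidden in render(*args):
                failures.append((index, payload))
    return failures

if __name__ == "__main__":
    for label, fn, n in [("release 1", render_profile_v1, 2),
                         ("release 2", render_profile_v2, 3),
                         ("release 2 (fixed)", render_profile_v2_fixed, 3)]:
        failures = xss_regressions(fn, n)
        print(f"{label}: {'PASS' if not failures else 'FAIL ' + str(failures)}")
```

The point of the harness is that it is cheap to run on every build, so the check does not depend on anyone remembering that a new field was added after the last audit. New user-controlled fields only need to be counted in `field_count`; the payload list grows as new attack patterns are learned, which is how the "continuous release of new vulnerabilities" is folded back into QA rather than left for the next manual review.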

The time is now for organizations to assess their web application security needs. Changing how, and when, they address potential vulnerabilities can help secure a successful future.

Caleb Sima is CTO and co-founder of SPI Dynamics (


Caleb Sima

Caleb serves as the Chair of the CSA AI Security Initiative. Before that, Caleb served as Chief Security Officer at Robinhood, where he focused on keeping customers safe. Prior to Robinhood he was Security CTO at Databricks, a leading data analytics and machine learning company, where he built the security team from the ground up. Previously he was a Managing VP at CapitalOne, where he spearheaded many of their security initiatives. Prior to CapitalOne, Caleb was CEO of Armorize, which was acquired by Proofpoint. He also founded SPI Dynamics and BlueBox Security, which were acquired by HP and Lookout respectively. He is credited as one of the pioneers of application security, holds multiple patents in the space, and is the author of Web Hacking Exposed. He serves as an advisor, investor, and board member for security companies.
