Last year, says Caleb Sima, many organizations began using web application security assessment tools and discovered that many vulnerabilities could not be corrected because they resulted from insecure application development practices.
Organizations are learning from experience that the first opportunity to address application security is during the development phase, when there is still a chance to effect change without impacting users. And the time to fix vulnerabilities is before they compromise an organization's infrastructure.
But every application also remains exposed over the long term, because new application vulnerabilities are continuously being disclosed and the application itself keeps changing through ongoing updates.
Because security is not directly tied to functional requirements, users do not focus on it, and developers generally fail to put in the time needed to ensure that applications are secure. Some developers do not consider application security necessary at all.
Get your timing right
Even developers who do see the importance of web application security usually view it as a task that is performed as part of the QA process. As a result, many web applications may be functionally rich but are vulnerable to unwanted intrusions and attacks at the application layer.
Furthermore, many development organizations treat security as an event to be completed just once during the development process. In these cases, security becomes the responsibility of a single group, such as the quality assurance or internal audit department. Once that group signs off on an application, it is deemed secure.
But web applications are not static. Every change to a web application introduces risk and can make what was once secure vulnerable. If security is treated as a single event, a vulnerability that enters the system after the audit has been performed will go undetected.
Lifecycles and security
Security should not be an oversight or afterthought, or viewed just as an event. Rather, it should be viewed as a process and incorporated throughout the development lifecycle to ensure web applications are built securely, and stay that way. This includes defining security as part of both the functional and technical requirements of an application.
Once requirements are completed, security should be modeled as part of the analysis and design of the application. Secure coding practices will then ensure the application is built in a secure manner. QA should build and execute its test plan with security specifically targeted, and the application must be deployed in an environment that has been hardened for security. Once deployed, periodic security audits in the production environment will ensure the application remains secure as it is updated.
Now is the time for organizations to assess their web application security needs. Changing how, and when, they address potential vulnerabilities can help secure a successful future.
Caleb Sima is CTO and co-founder of SPI Dynamics (www.spidynamics.com).