It’s always the right time


Gunter Ollmann explains how security can be assessed at each phase of the application development lifecycle

Trailblazing organizations have been working to secure their internet-accessible applications for years, but the "technology following" organizations have been slow to deal with their largest external security threat. Fortunately, this is changing.

With media coverage of phishing and account hijacking attacks that could affect business, organizations have begun to realize they are again behind the technology curve and are calling out for assistance. Often, these organizations are seeking advice on where to begin the process of securing their web-based applications. Depending on their internal development processes and security awareness, there are many points at which security specialists can begin working with clients to secure their applications.

It is always the right time to consider security, and while it might seem simplistic, specialists can help secure critical business applications at the beginning, the middle or the end of the lifecycle.

Getting involved during the end stage means working on applications that are live, or about to be deployed in a live environment. Here, consultants use a gray-box testing strategy to identify security weaknesses from a hacker's perspective and, if a weakness is found, work with the development team to determine if it is exploitable and what remediation steps need to be taken.

Often, "user-level" testing is done in conjunction with classic penetration testing and on-site infrastructure security assessments. The disadvantage of trying to secure applications at the end of the development cycle is that instant fixes tend to delay deployment and be more complex to implement robustly.

For organizations that consistently change their live applications or outsource their development, consultants help implement security features and processes during the "middle" stages. The consultants work closely with the client's security or QA and Testing teams to secure code as it gets applied to the live systems. This typically requires high volumes of native code review and identification of poor coding practices, followed by piecemeal instruction on secure coding practices.

Many organizations grant QA and Testing teams the power of veto over code changes to the live systems, so they are ideally placed to police the security of new application changes. Unfortunately, these teams are often not particularly security-aware (from a technical level), and must be trained to identify insecure coding practices and increase their security skills to provide guidance to wayward developers.

Initially, it is also very valuable to add security consultants to the team (to implement secure practices immediately) and to participate in knowledge transfer with the team. After a month or two, the QA or Testing team will have developed the necessary processes and procedures for validating new code as well as understanding the core aspects of a secure application.

Security consultants can also get involved in the beginning, which is everything that happens before real code development begins. Most valuable at this early stage are specialist technical workshops.

Technical workshops bring together the client's development specialists and technical authorities with external security specialists to take part in open discussions about the application being developed. These revolve around business requirements for the application, how they can be met through code development, and what these decisions mean from a security perspective.

For instance, the application might require users to authenticate using web-based forms. The development team covers how they initially propose to implement this, while the security consultants make them aware of how attacks such as automated account brute-forcing are conducted and provide guidance on how the code should respond to events such as failed logins and initial password allocations.
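As an added illustration (not from the original article), the sketch below shows one way a login handler could respond to failed logins and initial password allocations so that automated guessing is slowed. The class name `LoginGuard`, the thresholds and the in-memory stores are assumptions made for the example.

```python
import hashlib, hmac, os, secrets

MAX_FREE_FAILURES = 3   # assumed policy: failures tolerated before delays begin
BASE_DELAY = 2.0        # seconds; doubles with every further failure
MAX_DELAY = 900.0       # cap, so a targeted account is slowed rather than locked forever
GENERIC_ERROR = "Invalid username or password"  # same text for every failure cause

def _hash(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

class LoginGuard:
    def __init__(self):
        self.users = {}     # username -> {"salt", "digest", "must_change"}
        self.failures = {}  # username -> (consecutive failures, time of last failure)

    def allocate_initial_password(self, username):
        """Issue a random initial password that must be replaced at first login."""
        password = secrets.token_urlsafe(12)
        salt = os.urandom(16)
        self.users[username] = {"salt": salt, "digest": _hash(password, salt),
                                "must_change": True}
        return password

    def _locked_until(self, username):
        count, last = self.failures.get(username, (0, 0.0))
        if count < MAX_FREE_FAILURES:
            return 0.0
        return last + min(BASE_DELAY * 2 ** (count - MAX_FREE_FAILURES), MAX_DELAY)

    def login(self, username, password, now):
        # During a delay window even a correct password is refused, with the
        # same message, so the response never confirms a successful guess.
        if now < self._locked_until(username):
            return "throttled", GENERIC_ERROR
        user = self.users.get(username)
        # Hash for unknown users too, so timing does not reveal valid accounts.
        salt = user["salt"] if user else b"\0" * 16
        digest = _hash(password, salt)
        ok = user is not None and hmac.compare_digest(digest, user["digest"])
        if not ok:
            count, _ = self.failures.get(username, (0, 0.0))
            self.failures[username] = (count + 1, now)
            return "denied", GENERIC_ERROR
        self.failures.pop(username, None)
        if user["must_change"]:
            return "change_password", "Set a new password to continue"
        return "ok", "Welcome"
```

The first element of each result is for server-side logging and alerting only; the user sees the second. A production version would persist the counters and bound their growth.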

The result is that the application is more secure and the developers learn how to respond to its security risks. The workshop enables everyone involved to share a focused security dialog and participate in the security design and principles applied to the application. For the application, having security built in to the core makes it much easier to code – both during the development process and post deployment.

Also, when security consultancy takes place early in the project lifecycle, security departments find that funding more commonly comes from the project sponsor's budget instead of theirs.

Copyright © SC Magazine, US edition