
How to develop an effective application security strategy

In this Ask the Expert Q&A, our application security expert discusses tools and tactics to consider when developing a secure and effective application security strategy.

I need to develop an application security strategy. Do you have any recommendations as far as procedures and policies are concerned? Also, how should we manage this process?
Application security is a critical element in any organization's overall security policy, because applications -- Web applications in particular -- are often the gateway to databases that hold critical information. Attackers are shifting their focus to the easier target: online applications. They are easier to target because network perimeter defenses have been strengthened, while a Web site's custom application code is usually its weakest point. Gartner, for example, currently estimates that 75% of attacks take place at the application layer. Web applications remain vulnerable regardless of what perimeter defenses are in place. Network vulnerability scanners cannot identify contextual vulnerabilities, or even well-known classes of flaw, in custom-written code, because there is no signature for code nobody else runs; intrusion detection systems can only detect the symptoms of a vulnerability once the application is already being attacked.

For this reason, an application security strategy must include vulnerability detection and assessment during the application development process in order to reduce the risk that vulnerabilities make it into the final version. You should therefore have policies in place that ensure business processes and design requirements are validated and sanity checked. These policies should also ensure that formal code reviews test the source code and perform boundary checks (how every input behaves at its limits: empty, maximum length, unexpected characters). You will also need procedures for component-level integration testing, system integration testing, application function testing and deployment testing. While this may seem onerous, Gartner pegs the cost of removing a security vulnerability during testing at less than 2% of the cost of removing it from a production system.

Your policy should ensure that roles and access rights to code are assigned to your development team, that test accounts are set up to trial the application, and that there is a resolution process for errors encountered during testing. I would consider instructing staff how to write secure code, as this will make a marked improvement in code quality. However, training developers to write secure code doesn't necessarily mean they'll write secure code, so your development procedures should continually test for technical and logical vulnerabilities. There are two complementary approaches to this type of testing: dynamic analysis and static analysis. Dynamic analysis is any analysis that involves actually running the software; static analysis examines the source without executing it. Static analysis has the advantage that it can be done earlier in the development cycle, before there is a running system to test, whereas dynamic analysis finds problems that only appear at run time, with real inputs and a real back end.
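To make the distinction concrete, here is an added example (my own illustration, not code from the original column or from any product it mentions) that applies both approaches to the same defect class: SQL built by string concatenation. The static half walks the Python AST of a constructed sample module and flags SQL literals glued to other values without ever running the code; the dynamic half actually executes each function against an in-memory SQLite database with boundary and hostile inputs and compares the rows returned to what a parameterised query returns. The sample module, the table contents and the input list are all constructed for the example; the function names `find_user` and `find_user_safe` are hypothetical.

```python
"""Static vs. dynamic detection of the same bug (added example, not from the page)."""
import ast
import sqlite3

# Constructed module under review. Line 3 builds SQL by concatenation;
# find_user_safe uses a bound parameter instead. (Hypothetical names.)
SAMPLE_SOURCE = '''
def find_user(conn, username):
    sql = "SELECT id FROM users WHERE name = '" + username + "'"
    return conn.execute(sql).fetchall()

def find_user_safe(conn, username):
    return conn.execute("SELECT id FROM users WHERE name = ?", (username,)).fetchall()
'''


class SqlConcatFinder(ast.NodeVisitor):
    """Static analysis: flag '+' / '%' expressions and f-strings whose leading
    literal looks like a SQL statement. Nothing here executes the target code."""

    SQL_WORDS = ("SELECT ", "INSERT ", "UPDATE ", "DELETE ")

    def __init__(self):
        self.findings = []  # line numbers of suspicious expressions

    def _looks_like_sql(self, node):
        return (isinstance(node, ast.Constant) and isinstance(node.value, str)
                and node.value.upper().startswith(self.SQL_WORDS))

    def visit_BinOp(self, node):
        if isinstance(node.op, (ast.Add, ast.Mod)):
            left = node
            while isinstance(left, ast.BinOp):  # walk a + b + c down to its first operand
                left = left.left
            if self._looks_like_sql(left):
                self.findings.append(node.lineno)
        self.generic_visit(node)

    def visit_JoinedStr(self, node):  # f"SELECT ... {username}"
        if node.values and self._looks_like_sql(node.values[0]):
            self.findings.append(node.lineno)
        self.generic_visit(node)


def static_scan(source):
    """Return sorted line numbers where SQL appears to be built from other values."""
    finder = SqlConcatFinder()
    finder.visit(ast.parse(source))
    return sorted(set(finder.findings))


def load_sample():
    """Turn the constructed source into callable functions for the dynamic check."""
    namespace = {}
    exec(SAMPLE_SOURCE, namespace)  # trusted sample only; never exec untrusted code
    return namespace["find_user"], namespace["find_user_safe"]


# Boundary / hostile inputs: normal, empty, oversized, embedded quote, injection.
BOUNDARY_INPUTS = ["alice", "", "x" * 1000, "o'brien", "' OR '1'='1"]


def dynamic_check(func, inputs=BOUNDARY_INPUTS):
    """Dynamic analysis: run func against a throwaway DB and report every input
    that raises or returns rows differing from a correctly parameterised query."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT)")
    conn.executemany("INSERT INTO users (name) VALUES (?)",
                     [("alice",), ("bob",), ("o'brien",)])  # constructed data
    problems = []
    for value in inputs:
        expected = conn.execute("SELECT id FROM users WHERE name = ?", (value,)).fetchall()
        try:
            rows = func(conn, value)
        except Exception as exc:  # a crash on a boundary input is itself a finding
            problems.append((value, f"raised {type(exc).__name__}"))
            continue
        if rows != expected:
            problems.append((value, f"returned {len(rows)} rows, expected {len(expected)}"))
    return problems


if __name__ == "__main__":
    print("static findings (sample line numbers):", static_scan(SAMPLE_SOURCE))
    vulnerable, safe = load_sample()
    print("dynamic problems in find_user:", dynamic_check(vulnerable))
    print("dynamic problems in find_user_safe:", dynamic_check(safe))
```

The static scan reports line 3 before anything runs, which is the point made above about catching flaws earlier. The dynamic check finds the same function failing in two different ways, a crash on the apostrophe in `o'brien` and three rows returned for the `' OR '1'='1` input, while the parameterised version passes every input; neither half is sufficient alone, since the static rule can be fooled by indirection and the dynamic run only covers the inputs you thought to try.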

Before the application is deployed, include it in your risk analysis and business impact analysis to decide where it sits within your security structure. That position is determined by the sensitivity and criticality of its function and of the data it handles. Change management is also an important part of your strategy: the rate of change in Web application code is normally quite high, and each change quickly reduces the relevance of existing security reports. Repeat the security assessment whenever the business logic in the application changes, in order to evaluate the impact of those changes on the security of the system as a whole.

While developing your strategy, be sure to engage all the key players in your organization, such as business process owners, change management, internal audit and technical support. This will help you develop a coordinated strategy, one that you can document as effective policies and procedures. Finally, there is no way to guarantee your applications will be secure, so plan for an increased level of support calls in the early days of release and have procedures in place to handle reports of any errors or problems.

This was first published in October 2005
