For this reason, an application security strategy must include vulnerability detection and assessment during the application development process in order to reduce the risk that vulnerabilities make it into the final version. Therefore, you should have policies in place that ensure business processes and design requirements are validated and sanity checked. These policies should also ensure that formal code reviews examine the source code and perform boundary checks. You will also need to develop procedures for completing component-level integration testing, system integration testing, and application function and deployment testing. While this may seem onerous, Gartner pegs the cost of removing a security vulnerability during testing at less than 2% of the cost of removing it from a production system.
Your policy should ensure that roles and access rights to code are assigned to your development team and that test accounts are set up to trial the application, along with a resolution process for errors encountered during testing. I would consider instructing staff in how to write secure code, as this will make a marked improvement in code quality. However, training developers to write secure code doesn't guarantee that they will write secure code, so your development procedures should continually test for technical and logical vulnerabilities. There are two approaches to this type of testing: dynamic analysis and static analysis. Dynamic analysis is any analysis that involves actually running the software; static analysis examines the source (or binary) without executing it. Static analysis has the advantage that it can be done earlier in the development cycle, before a runnable build exists; dynamic analysis, in turn, finds problems that only show up at runtime, such as those that depend on configuration or the deployment environment. The two catch different classes of defect, so a testing procedure should use both.
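To make the static/dynamic distinction concrete, here is an added example (not code from the original article): a toy static analyzer that walks a Python AST looking for risky call patterns without running the program, beside a toy dynamic boundary check that does run a function on edge-case inputs and records what it raises. The sample source under analysis, the `parse_age` function under test, and the input lists are all constructed for the example; the analyzer only recognises a hand-picked set of call names and is not a substitute for a real tool.

```python
"""Added example: a toy static analyzer beside a toy dynamic boundary check.

Static analysis: inspect the source (here via Python's ast module) without running it.
Dynamic analysis: actually execute the code on chosen inputs and observe behaviour.
"""
import ast

# Constructed sample source for the static pass (not code from any real project).
SAMPLE_SOURCE = '''
import subprocess

def run_report(user_input):
    result = eval(user_input)                        # code injection if input is untrusted
    subprocess.run("ls " + user_input, shell=True)   # command injection via the shell
    subprocess.run(["ls", user_input])               # argument list, no shell: not flagged
    return result
'''

# Hand-picked patterns the toy analyzer knows about (an assumption of this example).
DANGEROUS_BUILTINS = {"eval", "exec"}
SUBPROCESS_CALLS = {"subprocess.run", "subprocess.call", "subprocess.Popen",
                    "subprocess.check_output", "subprocess.check_call"}


def _call_name(func):
    """Return a dotted name for a call target such as 'subprocess.run', or None."""
    if isinstance(func, ast.Name):
        return func.id
    if isinstance(func, ast.Attribute):
        base = _call_name(func.value)
        return f"{base}.{func.attr}" if base else None
    return None


def find_dangerous_calls(source):
    """Static pass: parse the source to an AST and flag risky call patterns.

    Nothing in `source` is executed. Returns a sorted list of (line, finding).
    """
    findings = []
    for node in ast.walk(ast.parse(source)):
        if not isinstance(node, ast.Call):
            continue
        name = _call_name(node.func)
        if name in DANGEROUS_BUILTINS:
            findings.append((node.lineno, f"{name}() call"))
        elif name in SUBPROCESS_CALLS:
            for kw in node.keywords:
                if (kw.arg == "shell" and isinstance(kw.value, ast.Constant)
                        and kw.value.value is True):
                    findings.append((node.lineno, f"{name} with shell=True"))
    return sorted(findings)


def parse_age(text):
    """Constructed function under dynamic test: accepts an age in 0..150."""
    age = int(text)
    if not 0 <= age <= 150:
        raise ValueError("age out of range")
    return age


def boundary_check(fn, inputs):
    """Dynamic pass: run fn on each input and record which ones raise, and what.

    Unlike the static pass this needs runnable code; in exchange it observes real
    behaviour, including failures a pattern match over the source cannot infer.
    """
    failures = {}
    for value in inputs:
        try:
            fn(value)
        except Exception as exc:  # record and continue: we want the full picture
            failures[value] = type(exc).__name__
    return failures


# Boundary values around the documented range plus malformed input (constructed).
BOUNDARY_INPUTS = ["0", "150", "-1", "151", "", "abc", None]

if __name__ == "__main__":
    for line, finding in find_dangerous_calls(SAMPLE_SOURCE):
        print(f"static: line {line}: {finding}")
    for value, error in boundary_check(parse_age, BOUNDARY_INPUTS).items():
        print(f"dynamic: input {value!r} raised {error}")
```

Note what each pass misses: the static pass reports the `eval()` and `shell=True` calls on lines 5 and 6 of the sample but says nothing about whether `user_input` is actually attacker-controlled, while the dynamic pass shows exactly how `parse_age` fails on `None`, the empty string and out-of-range values, but only for the inputs someone thought to supply.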
Before the application is ready to be deployed, you need to include it in your risk analysis and business impact analysis to assess where to position it within your security structure. This will be determined by the sensitivity and criticality of its function and/or the data it handles. Change management is also an important part of your strategy: the rate of change in Web application code is normally quite high, and every change reduces the relevance of existing security reports. The security assessment process should always be repeated when the business logic in the application changes, in order to evaluate the impact of those changes on overall application and system security.
While developing your strategy, be sure to engage all the key players in your organization, such as business process owners, change management, internal audit and technical support. This will help you develop a coordinated strategy, one that you can document as effective policies and procedures. Finally, there is no way to guarantee your applications will be secure, so plan for an increased level of support calls in the early days of release and have procedures in place to handle reports of any errors or problems.
This was first published in October 2005