This article can also be found in the Premium Editorial Download "Information Security magazine: Security Products Readers' Choice Awards 2007."
In the trenches
Necessary integration: security and development
Application security woes must be addressed in development.
Security managers are quickly adjusting to the fact that the woes plaguing today's dynamic Web applications cannot be repaired with a regularly scheduled deployment of patches from the Pacific Northwest.
The root of these problems lies in integrated development environments (IDEs) and development cultures where features and functionality take precedence over security. The cure: integrating security tools and best practices into development lifecycles.
Steve Zimmerman, a former CISO for a top 10 financial institution, recalls many a pen test and vulnerability scan on homegrown Internet-facing apps delivering disturbing--but fixable--results.
"What we found is that we had excellent programmers, but a lot of them dealt with rolling out internal applications, where there's no need for the same level of security as those facing the Net," Zimmerman says. "We were finding too many errors that should have been corrected in the development lifecycle."
Zimmerman realized it was imperative to integrate security into development, something contrary to the nature of a coder. Initially, it was a bumpy road. Projects hit hurdles that extended release dates. Security quickly became a hindrance rather than an enabler.
The trick, Zimmerman says, was to approach development teams
"We try to help during the process, rather than go through it at the end and fix problems," Zimmerman says. "We're not here to tell you how to create naming conventions or variables, we're here to give advice on what we see in security on the Net. We provided them with a white paper and security solutions."
Web applications are rapidly becoming a hacker's playground--most e-commerce apps connect to databases holding customer data, making them rich targets. Programming flaws like input validation errors and buffer overflows are as old as the first coding textbooks, yet those bugs often yield hackers the greatest bounty.
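The input validation errors mentioned above are the kind of defect Zimmerman wanted caught in the development lifecycle rather than by a pen test. The following is an added example, not code from the article or from Zimmerman's bank: a small Python lookup against an in-memory SQLite table that stands in for a customer database. The account-id format, the table schema and the sample rows are assumptions made for this example. It shows the two habits a developer can apply before the code ever reaches a scanner: an allowlist check on the input, and a parameterized query so the value is never interpreted as SQL.

```python
import re
import sqlite3

# Constructed stand-in for the customer database the article mentions.
# Schema and rows are assumptions for this example only.
def build_demo_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE customers (account_id TEXT PRIMARY KEY, name TEXT)")
    conn.executemany(
        "INSERT INTO customers VALUES (?, ?)",
        [("A1001", "Alice"), ("B2002", "Bob")],
    )
    return conn

# Assumed account-id format: one upper-case letter followed by four digits.
# An allowlist like this bounds both the length and the character set.
ACCOUNT_ID_RE = re.compile(r"[A-Z][0-9]{4}")

def is_valid_account_id(value):
    """Allowlist check: accept only strings that match the whole pattern."""
    return isinstance(value, str) and ACCOUNT_ID_RE.fullmatch(value) is not None

def lookup_validated(conn, account_id):
    """Reject input that fails the allowlist, then bind the value as a
    parameter so the database driver never parses it as SQL."""
    if not is_valid_account_id(account_id):
        raise ValueError("rejected account id")
    cur = conn.execute(
        "SELECT name FROM customers WHERE account_id = ?", (account_id,)
    )
    return [row[0] for row in cur.fetchall()]

def lookup_or_reject(conn, account_id):
    """Convenience wrapper returning ('rejected', None) or ('ok', rows),
    so callers (and tests) can see which inputs the validator stopped."""
    try:
        return ("ok", lookup_validated(conn, account_id))
    except ValueError:
        return ("rejected", None)

if __name__ == "__main__":
    db = build_demo_db()
    # Constructed inputs: one well-formed id, one oversized, one carrying
    # a quote character of the sort a scanner would flag.
    for candidate in ("A1001", "A10011", "A100'"):
        print(candidate, lookup_or_reject(db, candidate))
```

The allowlist does the heavy lifting: anything outside the expected shape is refused before it reaches the query, and the parameter binding covers the case where a future change to the format lets unexpected characters through. Both checks are cheap to unit-test, which is what makes them fit the development lifecycle rather than the end-of-project pen test.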
Scanners have come a long way. Zimmerman, whose bank ran SPI Dynamics' WebInspect on its Web applications, says false positives have been dramatically reduced.
"When these products first hit the market, we were seeing 50 percent of returns being false positives. With the latest, we're seeing just a handful," Zimmerman says. "We were cutting pen tests down by 50 percent because we didn't have to go through as many issues as before."
This was first published in April 2007