Feature

Application Security: 2007 Readers' Choice Awards

This article can also be found in the Premium Editorial Download "Information Security magazine: Security Products Readers' Choice Awards 2007."

In the trenches


Necessary integration: security and development

Application security woes must be addressed in development.


Security managers are quickly adjusting to the fact that the woes plaguing today's dynamic Web applications cannot be repaired with a regularly scheduled deployment of patches from the Pacific Northwest.

The root of these problems lies in integrated development environments (IDEs) and development cultures where features and functionality take precedence over security. The cure: integrating security tools and best practices into development lifecycles.

Steve Zimmerman, a former CISO for a top 10 financial institution, recalls many a pen test and vulnerability scan on homegrown Internet-facing apps delivering disturbing--but fixable--results.

"What we found is that we had excellent programmers, but a lot of them dealt with rolling out internal applications, where there's no need for the same level of security as those facing the Net," Zimmerman says. "We were finding too many errors that should have been corrected in the development lifecycle."

Zimmerman realized it was imperative to integrate security into development, something contrary to the nature of a coder. Initially, it was a bumpy road. Projects hit hurdles that extended release dates. Security quickly became a hindrance rather than an enabler.

The trick, Zimmerman says, was to approach development teams from a partnership perspective. Rather than issue mandates about their practices, Zimmerman's teams provided guidance about current threats and tools to bring security checks to the coders' efforts.

"We try to help during the process, rather than go through it at the end and fix problems," Zimmerman says. "We're not here to tell you how to create naming conventions or variables, we're here to give advice on what we see in security on the Net. We provided them with a white paper and security solutions."

Web applications are rapidly becoming a hacker's playground--most e-commerce apps connect to databases holding customer data, making them rich targets. Programming flaws like input validation errors and buffer overflows are as old as the first coding textbooks, yet those bugs often yield hackers the greatest bounty.

Couple those traditional problems with the new breed of dynamic applications powered by JavaScript and AJAX, and security managers often find themselves further behind. "Instead of static HTML, you're having more dynamic pages built. As that happens, you open yourself for holes because these things are rendered in real time," Zimmerman says. "This coding must be analyzed quicker, efficiently and the results more accurate."
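The input validation errors mentioned above and the real-time rendering of dynamic pages come together in one common defect: untrusted text placed straight into markup. The following is an added example, not code from the article or from any product it names; the function names (validateQuery, escapeHtml, renderUnsafe, renderResults) and the sample inputs are constructed for illustration. It shows the unsafe concatenation pattern beside a hardened version that first rejects input outside an allowlist and then HTML-escapes whatever survives before it reaches the page.

```javascript
// Added example (not from the article): allowlist input validation plus
// output encoding for a dynamically rendered search-results fragment.
// All names and sample values here are illustrative assumptions.

// Allowlist: a product-search term of 1-40 characters drawn from letters,
// digits, space and a few punctuation marks. Anything else is rejected
// outright rather than "cleaned up", which keeps the rule easy to audit.
const QUERY_PATTERN = /^[A-Za-z0-9 .,'-]{1,40}$/;

function validateQuery(raw) {
  if (typeof raw !== 'string') {
    return { ok: false, reason: 'not a string' };
  }
  const trimmed = raw.trim();
  if (!QUERY_PATTERN.test(trimmed)) {
    return { ok: false, reason: 'disallowed characters or length' };
  }
  return { ok: true, value: trimmed };
}

// Output encoding: escape the five characters that carry meaning in HTML
// text and attribute contexts, so user text is displayed, never interpreted.
function escapeHtml(text) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(text).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Unsafe pattern: untrusted input concatenated directly into markup.
// Whatever tags the user typed become part of the rendered page.
function renderUnsafe(query) {
  return '<p>Results for: ' + query + '</p>';
}

// Hardened pattern: validate against the allowlist, then escape the value
// before it is placed in markup. Both steps are needed: validation limits
// what is accepted, escaping guarantees the accepted text stays text.
function renderResults(raw) {
  const check = validateQuery(raw);
  if (!check.ok) {
    return '<p>Invalid search term.</p>';
  }
  return '<p>Results for: ' + escapeHtml(check.value) + '</p>';
}

// Constructed sample inputs (not from the article), run through both paths.
const samples = ['red widgets', '<b>not bold</b>', "O'Brien"];
for (const s of samples) {
  console.log('unsafe  :', renderUnsafe(s));
  console.log('hardened:', renderResults(s));
}
```

The unsafe path returns the `<b>` tag intact, so a browser would render it as markup; the hardened path rejects that input at validation, and a value that does pass (the apostrophe in O'Brien) is encoded to `&#39;` before insertion. A scanner of the kind discussed in this article flags the first pattern; a code review in the development lifecycle catches it earlier.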

Scanners have come a long way. Zimmerman, whose bank ran SPI Dynamics' WebInspect on its Web applications, says false positives have been dramatically reduced.

"When these products first hit the market, we were seeing 50 percent of returns being false positives. With the latest, we're seeing just a handful," Zimmerman says. "We were cutting pen tests down by 50 percent because we didn't have to go through as many issues as before."


This was first published in April 2007
