
How to develop an effective application security strategy

In this Ask the Expert Q&A, our application security expert discusses tools and tactics to consider when developing a secure and effective application security strategy.

I need to develop an application security strategy. Do you have any recommendations as far as procedures and policies are concerned? Also, how should we manage this process?
Application security is a critical element in any organization's overall security policy, as applications -- in particular Web applications -- are often a gateway to databases that hold critical information. Hackers are shifting focus and searching for the easier target: online applications. Online applications are easier to target because network perimeter defenses are being strengthened, while a Web site's custom application code is usually its weakest point. Gartner, for example, currently estimates that 75% of attacks take place at the application layer. Web applications, in particular, remain vulnerable to attack regardless of what perimeter defenses are in place. Vulnerability scanners are unable to identify contextual vulnerabilities or find "well-known" security issues in custom-written code, while intrusion detection systems can only detect the symptoms of vulnerabilities once an application is already being attacked.

For this reason, an application security strategy must include vulnerability detection and assessment during the application development process in order to reduce the risk that vulnerabilities will make it into the final version. Therefore, you should have policies in place that ensure business processes and design requirements are validated and sanity checked. These policies should also ensure that formal code reviews test the source code and perform boundary checks. You will also need to develop procedures for completing component-level integration testing, system integration testing, application function testing and deployment testing. While this may seem onerous, Gartner pegs the cost of removing a security vulnerability during testing at less than 2% of the cost of removing it from a production system.

Your policy should ensure that roles and access rights to code are assigned to your development team and that test accounts are set up to trial the application, along with a resolution process for errors encountered during testing. I would consider instructing staff how to write secure code, as this will make a marked improvement in code quality. However, training developers to write secure code doesn't necessarily mean they'll write secure code, so your development procedures should continually test for technical and logical vulnerabilities. There are two approaches to this type of testing: dynamic analysis and static analysis. Dynamic analysis is any analysis that involves actually running the software, whereas static analysis examines the software without executing it. Static analysis has the advantage that it can be done earlier in the development cycle, before there is a running build to test.

Before the application is ready to be deployed, you need to include it in your risk analysis and business impact analysis to assess where to position it within your security structure. This will be determined by the sensitivity and criticality of its function and/or the data it handles. Change management is also an important part of your strategy as the rate of change in Web application code is normally quite high and this rapidly reduces the relevance of existing security reports. The security assessment process should always be repeated when the business logic in the application changes in order to evaluate the impacts of any changes on overall system application security.

While developing your strategy, be sure to engage all the key players in your organization, such as business process owners, change management, internal audit and technical support. This will help you develop a coordinated strategy, one that you can document into effective policies and procedures. Finally, there is no way to guarantee your applications will be secure, so plan for an increased level of support calls in the early days of release and have procedures in place to handle reports of any errors or problems.

This was last published in October 2005
