Once you’ve completed a security assessment as a part of your web application development, it’s time to go down the path of remediating all of the security problems you uncovered. At this point, your developers, quality assurance testers, auditors, and your security managers should all be collaborating closely to incorporate security into the current processes of your software development lifecycle in order to eliminate application vulnerabilities. And with your Web application security assessment report in hand, you probably now have a long list of security issues that need to be addressed: low, medium, and high application vulnerabilities; configuration gaffes; and cases in which business-logic errors create security risk. For a detailed overview on how to conduct a Web application security assessment, take a look at the first article in this series, Web Application Vulnerability Assessment: Your First Step to a Highly Secure Web Site.
First Up: Categorize and Prioritize Your Application Vulnerabilities
The first stage of the remediation process within web application development is categorizing and prioritizing everything that needs to be fixed within your application, or Web site. From a high level, there are two classes of application vulnerabilities: development errors and configuration errors. As the name says, web application development vulnerabilities are those that arise through the conceptualization and coding of the application. These are issues residing within the actual code, or workflow of the application, that developers will have to address. Often, but not always, these types of errors can take more thought, time, and resources to remedy. Configuration errors are those that require system settings to be changed, services to be shut off, and so forth. Depending on how your organization is structured, these application vulnerabilities may or may not be handled by your developers. Oftentimes they can be handled by application or infrastructure managers. In any event, configuration errors can, in many cases, be set straight swiftly.
At this point in the web application development and remediation process, it's time to prioritize all of the technical and business-logic vulnerabilities uncovered in the assessment. In this straightforward process, you first list your most critical application vulnerabilities with the highest potential of negative impact on the most important systems to your organization, and then list other application vulnerabilities in descending order based on risk and business impact.
Develop an Attainable Remediation Roadmap
Once application vulnerabilities have been categorized and prioritized, the next step in web application development is to estimate how long it will take to implement the fixes. If you're not familiar with web application development and revision cycles, it's a good idea to bring in your developers for this discussion. Don't get too granular here. The idea is to get an idea of how long the process will take, and get the remediation work underway based on the most time-consuming and critical application vulnerabilities first. The time, or difficulty estimates, can be as simple as easy, medium, and hard. And remediation will begin not only with the application vulnerabilities that pose the greatest risk, but those that also will take the longest to time correct. For instance, get started on fixing complex application vulnerabilities that could take considerable time to fix first, and wait to work on the half-dozen medium defects that can be rectified in an afternoon. By following this process during web application development, you won't fall into the trap of having to extend development time, or delay an application rollout because it's taken longer than expected to fix all of the security-related flaws.
This process also provides for excellent follow-up for auditors and developers during web application development: you now have an attainable road map to track. And this progression will reduce security holes while making sure development flows smoothly.
It's worth pointing out that that any business-logic problems identified during the assessment need to be carefully considered during the prioritization stage of web application development. Many times, because you're dealing with logic - the way the application actually flows - you want to carefully consider how these application vulnerabilities are to be resolved. What may seem like a simple fix can turn out to be quite complicated. So you'll want to work closely with your developers, security teams, and consultants to develop the best business-logic error correction routine possible, and an accurate estimate of how long it will take to remedy.
In addition, prioritizing and categorizing application vulnerabilities for remediation is an area within web application development in which consultants can play a pivotal role in helping lead your organization down a successful path. Some businesses will find it more cost effective to have a security consultant provide a few hours of advice on how to remedy application vulnerabilities; this advice often saves hundreds of hours from the remediation process during web application development.
One of the pitfalls you want to avoid when using consultants during web application development, however, is failure to establish proper expectations. While many consultants will provide a list of application vulnerabilities that need to be fixed, they often neglect to provide the information that organizations need on how to remedy the problem. It's important to establish the expectation with your experts, whether in-house or outsourced, to provide details on how to fix security defects. The challenge, however, without the proper detail, education, and guidance, is that the developers who created the vulnerable code during the web application development cycle may not know how to fix the problem. That's why having that application security consultant available to the developers, or one of your security team members, is critical to make sure they're going down the right path. In this way, your web application development timelines are met and security problems are fixed.