While individual and ad hoc Web application security assessments certainly will help you improve the security of that application or Web site, soon after everything is remedied, changes in your applications and newfound vulnerabilities mean new security problems will arise. So, unless you put into place continuous security and quality assurance controls throughout the software development life-cycle, from the initial phases of Web application development through production, you're never going to reach the high levels of ongoing security you need to keep your systems safe from attack - and your costs associated with fixing security weaknesses will continue to be high.
In the first two articles, we covered many of the essentials you need to know when conducting Web application security assessments, and how to go about remedying the vulnerabilities those assessments uncovered. And, if your organization is like most, the first couple of Web application assessments were nightmares: reams of low, medium, and high vulnerabilities were found and needed to be fixed by your web application development team. The process required that tough decisions be made on how to fix the applications as quickly as possible without affecting systems in production, or unduly delaying scheduled application rollouts.
But those first few web application assessments, while agonizing, provide excellent learning experiences for improving the software development life-cycle. This article shows you how to put the organizational controls in place to make the process as painless as possible and an integrated part of your Web application development efforts. It's a succinct overview of the quality assurance processes and technologies necessary to begin developing applications as securely as possible from the beginning, and keeping them that way. No more big surprises. No more delayed deployments.
Secure Web Application Development: People, Process, and Technology
Building highly secure applications begins early in the software development life-cycle with your developers. That's why instilling application security awareness through Web application development training is one of the first things you want to do. You not only want your developers armed with the latest knowledge on how to code securely – and how attackers exploit weaknesses – but you want them to know how important (and much more efficient) it is to consider security from the start. This awareness building shouldn't end with your Web application development team. It needs to include everyone who plays a part in the software development life-cycle: your quality and assurance testing teams, who need to know how to properly identify potential security defects, and your IT management team, who need to understand how to invest organizational resources most effectively to develop security applications, as well as how to successfully evaluate such essential technologies as Web application security scanners, Web application firewalls, and quality assurance toolsets.
By building awareness throughout the Web application development life-cycle, you're building one of the most central controls necessary to ensure the security of your Web applications. And while training is essential, you can't depend on it to make certain that your systems are built securely. That's why training needs to be reinforced with additional controls and technology. You need to begin to put into place the elements of a secure Software Development Life-cycle, or SDLC.