So much has been written and documented about securing web applications that it should be a simple process by now. However, as it stands, it still overloads development teams across the globe. I doubt whether "security" falls within the "requirement specifications" of any application. Not everyone treats security as a requirement. It is usually an "add-on" or "patch-up" which is injected into the application later on; hence the overload in terms of development effort and time. In such a process, even if a single security patch is missed, the overall security of the application can go for a toss, paving the way for the "Hackers"!
Treat security as a "requirement"... and I am sure it will make a big difference...
It is necessary to think about security at each and every stage of the application development process. It is just like cooking food while at the same time keeping health concerns in mind.
Developers often complain, "I don't know anything about application security".
I agree, not all of us are security experts but we all can, of course, think about "security". One can certainly consult security experts and involve them during the development process.
For instance, if you were to buy a new car and suddenly thought "security" should be one of the key aspects to look for, I am sure that you would check the features related to security, e.g. the locking system or any tracking feature available. You would try to evaluate all its features with respect to security. You would even call up your friend to verify whether you are choosing right or whether you should be looking for some other safety feature. You would also ask for an opinion on all the existing features it offered.
It is the same in the case of web applications. Think about security for each and every feature that you develop. You can document whatever is not feasible to remediate (or develop) immediately. Call your friends, i.e. security experts like "Plynt", to analyze these areas and features. It is very important that you involve security experts either during the development process (on an ongoing basis) or at the end of it. You must discuss all the application features thoroughly with them, in the same way that you would explain everything about your car to your friend, because the more you talk about the application and its controls, the more you will hear about security from the experts.
Familiarizing the security experts with all the features, entry points, integrations, add-ons, etc. is crucial. You may also discuss the security controls that you have already implemented in the application. I am sure if you are conscious about security, you would be proactive toward security controls right from scratch. The security experts will verify them and test their effectiveness against the latest attack vectors.
The security experts will carry out a complete security test based on the information in hand and explain which security controls must be implemented in which area of the application. Such a comprehensive security test will also ensure that nothing is missed and that your security requirements are met.
You can then have a safe drive...for a long long time :)