Don’t wait for your users or the hackers out there to find the vulnerabilities in your app. You’ve got a good selection of tools at your disposal. Use them all in the right way.
Black box scanning: Don’t count on black box scanning to get you very far, but don’t assume it’s worthless either. These scans are usually the easiest and cheapest to run, and you can schedule them to run without any human input. Get used to reading the reports and know what a normal one looks like; then, when something changes in your environment, you will pick it up immediately in the next report and can research what changed.
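The useful signal from a scheduled scan is the delta between runs, not the raw report. The script below is an added example (not from the original post or any particular scanner) that compares two reports and separates new findings from resolved and unchanged ones. The report format, the URLs and the finding names are all constructed for the example; real scanners have their own schemas. Note the normalization in `finding_key`: query-string values are dropped because scanners vary their payloads from run to run, which would otherwise make the same issue look new every time.

```python
"""Diff two black-box scan reports so that a scheduled scan surfaces what changed.

All data below is constructed for illustration; it is not output of a real scanner.
"""
from urllib.parse import urlsplit

SEVERITY_RANK = {"info": 0, "low": 1, "medium": 2, "high": 3, "critical": 4}

# Hypothetical report from last week's scheduled scan.
BASELINE_REPORT = [
    {"check": "X-Frame-Options header missing", "url": "https://app.example.test/login", "severity": "low"},
    {"check": "Reflected XSS", "url": "https://app.example.test/search?q=abc", "severity": "high"},
    {"check": "Cookie without Secure flag", "url": "https://app.example.test/", "severity": "medium"},
]

# Hypothetical report from this week's run. The XSS payload in the query string changed,
# a cookie issue was fixed, and two new findings appeared.
LATEST_REPORT = [
    {"check": "X-Frame-Options header missing", "url": "https://app.example.test/login", "severity": "low"},
    {"check": "Reflected XSS", "url": "https://app.example.test/search?q=zzz", "severity": "high"},
    {"check": "Directory listing enabled", "url": "https://app.example.test/static/", "severity": "medium"},
    {"check": "Server version disclosure", "url": "https://app.example.test/", "severity": "info"},
]


def finding_key(finding):
    """Stable identity for a finding: check name plus scheme, host and path.

    The query string is deliberately dropped: the scanner's probe values change between
    runs, but the vulnerable endpoint and the check that fired do not.
    """
    parts = urlsplit(finding["url"])
    return (finding["check"], f"{parts.scheme}://{parts.netloc}{parts.path}")


def diff_findings(baseline, latest, accepted=()):
    """Return dict with 'new', 'resolved' and 'unchanged' findings.

    `accepted` lists finding keys that were reviewed and consciously accepted as risk;
    they are never reported as new so the report stays quiet about known items.
    """
    base = {finding_key(f): f for f in baseline}
    now = {finding_key(f): f for f in latest}
    accepted = set(accepted)

    new = [now[k] for k in now.keys() - base.keys() if k not in accepted]
    resolved = [base[k] for k in base.keys() - now.keys()]
    unchanged = [now[k] for k in now.keys() & base.keys()]

    # Highest severity first so the top of the report is what needs a human.
    by_severity = lambda f: -SEVERITY_RANK[f["severity"]]
    return {
        "new": sorted(new, key=by_severity),
        "resolved": sorted(resolved, key=by_severity),
        "unchanged": sorted(unchanged, key=by_severity),
    }


def needs_attention(delta, min_severity="medium"):
    """True if any new finding is at or above min_severity (e.g. to page someone)."""
    threshold = SEVERITY_RANK[min_severity]
    return any(SEVERITY_RANK[f["severity"]] >= threshold for f in delta["new"])


def format_report(delta):
    """Plain-text summary suitable for a scheduled job's mail or chat message."""
    lines = []
    for section in ("new", "resolved", "unchanged"):
        lines.append(f"{section.upper()} ({len(delta[section])})")
        for f in delta[section]:
            lines.append(f"  [{f['severity']}] {f['check']} at {finding_key(f)[1]}")
    return "\n".join(lines)


if __name__ == "__main__":
    delta = diff_findings(BASELINE_REPORT, LATEST_REPORT)
    print(format_report(delta))
    print("needs attention:", needs_attention(delta))
```

In a real pipeline the baseline is the previous run's stored report and the accepted list lives in version control next to it, so every change to what the team tolerates is itself reviewed.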
Code reviews: Code reviews aren’t the easiest part of the program, but they are one of the most important. Your development team is responsible for all the code it produces, and code reviews are a good way to ensure that the team actually sees what it’s releasing. It can be the entire team going over selected high-impact portions of code, or one individual reading through another’s code before it gets pushed into service. Figure out a review schedule that fits your workflow and get it going.
3rd Party Pen Tests: An external pen testing company can be a good way to have the security of your software verified. Get them in the environment and let them see what they can break. Be sure you’re working with good pen testers. Ask what kinds of activities they’ll be doing. Someone who just runs application testing software against your site, then cleans it up for a report, isn’t giving you a lot of value. Find someone who will be using a combination of tools and manual hacks to go after your site.
Application Firewalls: An application firewall is not a cure-all. You cannot throw one in front of an insecure app and expect it to fix the problems. But a well configured application firewall can be an effective part of your security. You will need to tune the firewall for your application to teach it what normal behavior is. Properly tuning an application firewall can be as complex as coding the program itself, but it can be worth it. In the end you get another layer of protection that is programmatically diverse from the application it’s protecting.
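To make the "teach it what normal behavior is" point concrete, here is an added example (not from the original post and not any real WAF product's engine) of a toy positive-security-model firewall. It learns, per path and parameter, the lengths and character classes seen in a set of legitimate requests, then rejects anything outside that profile. It is contrasted with a generic signature rule that needs no tuning but blocks a legitimate name containing an apostrophe. The paths, parameters and traffic are constructed for the example.

```python
"""Toy positive-security-model application firewall.

Learns what normal parameters look like from legitimate traffic, then enforces
that profile. Everything here is constructed for illustration.
"""
import re
from collections import defaultdict
from urllib.parse import parse_qsl, unquote, urlsplit

# Constructed sample of legitimate traffic used to train the profile. In practice this
# comes from a learning period, and it must be reviewed: if attacks are already in the
# learning set, the firewall learns to allow them.
LEARNING_TRAFFIC = [
    "/search?q=red+shoes&page=2",
    "/search?q=running+socks&page=12",
    "/login?user=alice&otp=123456",
    "/login?user=bob_smith&otp=654321",
    "/profile?name=Conor+O%27Brien&age=42",
]


class ParamProfile:
    """What a single parameter looked like in legitimate traffic."""

    def __init__(self):
        self.max_len = 0
        self.classes = set()   # subset of {"alpha", "digit", "space"}
        self.punct = set()     # literal punctuation characters actually observed

    @staticmethod
    def _class(ch):
        if ch.isalpha():
            return "alpha"
        if ch.isdigit():
            return "digit"
        if ch == " ":
            return "space"
        return None

    def learn(self, value):
        self.max_len = max(self.max_len, len(value))
        for ch in value:
            cls = self._class(ch)
            if cls is None:
                self.punct.add(ch)
            else:
                self.classes.add(cls)

    def check(self, value, slack=1.5):
        """Return None if value fits the profile, else a reason string."""
        limit = int(self.max_len * slack) + 4   # some headroom over what was observed
        if len(value) > limit:
            return f"length {len(value)} exceeds learned limit {limit}"
        for ch in value:
            cls = self._class(ch)
            if cls is not None and cls in self.classes:
                continue
            if cls is None and ch in self.punct:
                continue
            return f"character {ch!r} outside learned profile"
        return None


def learn_profiles(requests):
    """Build {path: {param: ParamProfile}} from legitimate request lines."""
    profiles = defaultdict(lambda: defaultdict(ParamProfile))
    for request in requests:
        parts = urlsplit(request)
        for name, value in parse_qsl(parts.query):
            profiles[parts.path][name].learn(value)
    return profiles


def inspect(profiles, request):
    """Return a list of violations; an empty list means the request is allowed."""
    parts = urlsplit(request)
    if parts.path not in profiles:
        return [f"unknown path {parts.path}"]
    violations = []
    for name, value in parse_qsl(parts.query):
        profile = profiles[parts.path].get(name)
        if profile is None:
            violations.append(f"unexpected parameter {name}")
            continue
        reason = profile.check(value)
        if reason:
            violations.append(f"{name}: {reason}")
    return violations


# The untuned alternative: a generic signature that knows nothing about the app.
GENERIC_BLOCKLIST = re.compile(r"['<>]|--")


def generic_rule_blocks(request):
    return bool(GENERIC_BLOCKLIST.search(unquote(request)))


if __name__ == "__main__":
    profiles = learn_profiles(LEARNING_TRAFFIC)
    for req in ["/profile?name=Conor+O%27Brien&age=42",
                "/login?user=alice%27+OR+1%3D1--&otp=1",
                "/search?q=shoes&debug=1"]:
        print(req, "| generic:", "block" if generic_rule_blocks(req) else "allow",
              "| profile:", inspect(profiles, req) or "allow")
```

The generic rule blocks "O'Brien" on the profile page, which is exactly the false positive that gets application firewalls switched off in production; the learned profile allows it because the apostrophe was observed in legitimate traffic for that parameter, while it still rejects the injection attempt on the login form and the unexpected `debug` parameter. The cost is that every new page, parameter or input format shipped by the developers requires the profile to be re-learned, which is why the tuning effort tracks the size of the application.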
Summary: How a good application security program looks in practice
Good application security begins before the first requirement is written for a project and does not end until the last remnants of the project reach end of life.
- Executives who believe in information security push down corporate policies that include security goals for executives, managers, developers and QA.
- Software architects with good security awareness and appropriate technical security training determine the right architecture to meet all business requirements for a project.
- Requirements are documented for the new project and security requirements are right there next to the functional requirements.
- Developers who are trained in secure coding techniques, and who have been told that writing secure code is a priority, implement secure code.
- QA analysts go through their test scripts ensuring the application functions appropriately, run their security tools, and use their experience to look for vulnerabilities while they test functionality.
- Regular code reviews, web scans, and penetration tests work to find new vulnerabilities before the bad guys do.
- Internal audit ensures that technical teams are adhering to their stated information security standards and procedures.
Well, that’s my take on implementing application security. Let me know how you’ve implemented AppSec in your organization.
Connect with Robb on Google+