Monday, March 10, 2008

Protecting Web Applications

Four strategic best practices for protecting Web Applications

To address security-related issues as they pertain to Web Applications, organizations can employ four broad, strategic best practices.

1. Increase Security Awareness

This encompasses training, communication and monitoring activities, preferably in cooperation with a consultant.

* Training:

Provide annual security training for all application team members: developers, quality assurance professionals, analysts and managers. Describe current attacks and a recommended remediation process. Discuss the organization's current security practices. Require developers to attend training to master the framework's prebuilt security functions. Use vendor-supplied material to train users on commercial off-the-shelf (COTS) security tools, and include security training in the project plan.

* Communication:

Collect security best practices from across all teams and lines of business in your organization. Distribute them in a brief document and make them easily accessible on an intranet. Get your IT security experts involved early and develop processes that include peer mentoring. Assign a liaison from the security team to every application team to help with application requirements and design.

* Monitoring:

Ensure that managers stay aware of the security status of every application in production. Track security errors through your normal defect tracking and reporting infrastructures to give all parties visibility.

2. Categorize application risk and liability

Every organization has limited resources and must manage priorities. To help set security priorities, you can:

* Define risk thresholds and specify when the security team will terminate application services.

* Categorize applications by risk factors (e.g. Internet or Intranet vs. Extranet).

* Generate periodic risk reports based on security scans that match issues to defined risk thresholds.

* Maintain a database that can analyze and rank applications by risk, so you can inform teams of how their applications stack up against deployed systems.

3. Set a zero-tolerance enforcement policy

An essential part of governing the development and delivery process, a well-defined security policy can reduce your risk of deploying vulnerable or non-compliant applications. During inception, determine which tests the application must pass before deployment, and inform all team members. Formally review requirements and design specifications for security issues during inception and elaboration, before coding begins. Allow security exceptions only during design and only with appropriate executive-level approval.

4. Integrate security testing throughout the development and delivery process

By integrating security testing throughout the delivery lifecycle, you can have significant positive effects on the design, development and testing of applications. You should base functional requirements on security tests your application must pass, making sure that your test framework:

* Uses automated tools and can run at any point during the development and delivery process.

* Includes unit and system tests as well as application-level tests.

* Allows for audit testing in production.

* Uses an agile development methodology for security procedures.

* Can be run during coding, testing, integration and production activities.
