Secure coding is a topic that books are written about, classes are taught on and careers are made and, in some cases, broken over. With the onslaught of contractual and regulatory mandates that organizations are finding they must comply with in the wake of high-profile data breaches where health information, Social Security numbers or otherwise personally identifiable information are compromised, application security, like information security in general, is sizzling hot.
At least for the moment, there has been quite a push for the security specialist to bring to the table the expertise needed to secure the borders of an organization. The problem, however, is that while we focus on our network perimeters, develop new policies on handling sensitive information, implement security awareness programs and patch and update our systems, there continues to be a significant gap. Many of our applications remain, in large part, vulnerable. Organizations are simply not doing enough to protect themselves at the application layer.
Most IT security pros were not application developers in a previous life. In fact, most do not have any formal application development training, and many more cannot write a snippet of code. Yet these security professionals have written books, are sought-after speakers for international conferences and, by most anyone’s definition, are highly regarded security experts. Up to this point, their focus has been on areas other than application-level security. As you might imagine, many organizations are coming to the realization that it is time to close that gap, and the race for application security expertise is on.
As organizations get serious about developing secure applications, they must develop a plan and framework to make the development process conducive to producing secure applications. The first order of business is assembling the right team. Just as everyone cannot have the patience or mindset to be an application developer, not everyone understands security.
If your organization is serious about developing secure code, bringing on a security professional who understands application security is essential to your success. The rub is that it is a highly sought-after skill set, and finding such a person is easier said than done. Once you do find the right candidate, however, you should leverage his or her security skills across the development team. An application developer with security skills can provide enormous value to an organization.
The next order of business is putting a plan and framework in place to develop secure code. If an organization is intent — and it should be — on embedding security into the application development process, here are some high-level areas that they must establish processes to address:
Early Involvement of the Security Professional
If an organization is serious about developing secure applications, it is essential for it to bring in the security professional early in the development process. The security professional should understand the purpose of the application and how it will be used, as well as have an understanding of the business and security requirements that apply to the solution.
Development of Proper Use and Test Cases
It is critical that the appropriate use cases, misuse cases and unit test cases be identified and created to ensure that the application code addresses high-priority vulnerabilities. Often organizations look at the use cases, but never define cases that signify the misuse of an application. Doing so is critical to discovering problems within the application. In addition, system testing needs to address application-specific vulnerabilities and common attack patterns.
Code Reviews
It is critical that the code be evaluated throughout the development life cycle to ensure security policies and best practices are followed. The organization should have a well-documented procedure and framework for conducting code reviews.
Risk Assessment and Security Assessment
There are a variety of proven models that an organization can utilize to assess and prioritize risks, enumerate vulnerabilities and understand the impact that particular attacks might have on an application. In addition, a security professional should assess the solution in its entirety using a proven assessment methodology. That way, the solution can be evaluated to ensure it meets applicable contractual obligations, regulatory mandates and security best practices and standards.
As organizations are put under growing pressure to protect sensitive data, they are starting to look toward protecting this data at the application layer. In order to be successful, they must change the mindset of developers and security people alike. No longer can security be an afterthought; it must be embedded into the application development process early on. For those developers and security professionals who jump on that bandwagon, the future is sure to be bright.
Brian Koerner is a chief security engineer for a Fortune 500 computer services firm and author of Windows Vista Security for Dummies. He can be reached at editor (at) certmag (dot) com.