When it comes to application security, are you dedicated? How dedicated are you? I write about application security all the time (read my posts about how to secure legacy applications or best practices for secure app development). But now I’d like to take a step back from securing the application itself and examine how you can ingrain a dedication to security in your company's application development process.
To make sure your development teams are writing secure code, I believe that your company needs a dedicated application security team that not only creates and updates security tools and controls, but also ensures application development teams use these controls consistently and uniformly across your entire application portfolio.
Very often, non-security folk have a hard time conceptualizing what consistent use of security controls look like - so I often resort to analogies to help others visualize. So I might as well turn to a shining beacon of efficient, consistent security to illustrate my point…
Look to the TSA (OK, stop laughing – it’s just an analogy)
To illustrate what I mean by a dedicated application security team, look at the TSA and how it applies security controls in U.S. airports. Airports are large, bustling centers of untrusted input (passengers), verification process and security controls. Be they multi-terminal metropolitan airports or small regional airports serving commuter shuttles, airports in the by and large use the same set of security measures (i.e. passengers are required to provide proof of identification and submit to a millimeter wave scan or – my favorite, the “opt-out” search - before entering the trusted zone).
If we assume these security measures are effective and used consistently by all airports, these measures can allow us to make measurements, track improvements, track failures, etc. If each airport had its own ad hoc home-grown security measures, such measurements would be inaccurate and the security provided would be a joke.
Unfortunately, most software companies don’t work the same way when it comes to application development. For example, a larger software company with a portfolio of ten applications will typically have separate development teams for each one. In my experience, these teams tend to work in silos, each one implementing security in their applications as they see fit, with little to no communication between teams about security. Security code is rarely reexamined to see if it remains secure in the face of evolving APT and malware.
As you would expect, this security model usually leads to development teams spending more time reacting to a constant stream of security threats and less time developing their applications.
The Dedicated Security Development Team
The solution to this problem is to have a dedicated application security team that can provide other development teams with standardized code for securing applications. The dedicated team can focus on keeping the secure code updated against emerging threats and routinely update the other application development teams with secure code. The dedicated team would be responsible for writing code for all kinds of security requirements, including authentication, access control, input validation, encoding and database access/configuration.
Open Source Security for the Little Guys
This approach make sense for larger companies that have the budget and staffing resources to support a dedicated application security team, but what about small companies that don’t have that capability? Fortunately, there are third-party, open source security software available to companies that don’t have the ability to make their own (Caja, OWASP ESAPI, Apache Shiro and Yii are some examples of security libraries and secure frameworks). These can be customized to meet the needs of a particular company. Provided the company devotes developer time toward keeping these open source tools updated, they should meet the applications security needs of most small companies.
Network Security is Not Application Security
Many companies may think they already have an application security team in place, but the fact of the matter is they don’t. The application development security team must be staffed with security software developers, not network security experts reassigned to secure applications. Most network security managers have little coding experience and don’t have the expertise required to write, maintain and update security software.
The rise in cybercriminal activity is only going to grow in both number of attacks and attack sophistication. Knowing this, software development teams must make the development of secure code across their product portfolios a priority. But just as important is the need for company management to devote resources to the dedicated, consistent development and updating of the security code used in their products.