Home > Security

Computerworld - Most organizations spend a tremendous amount of resources, time and money to protect their network perimeters from Internet-borne threats and hackers. But no matter how good a defense may be, it usually falls short in addressing the vulnerabilities inside the network at the application layer.
Recent research findings indicate that the application layer is one of the highest-risk areas and where the most potential damage can occur, either through insider targets or lack of protection. As a result, confidential company information can be exposed, resulting in harm to a company, its customers and its reputation.
While many variables affect Web application security, improving security in a few key areas can help eliminate vulnerabilities. It's critical that security be included in the initial Web design and not retrofitted after the application is developed. While some experts argue over where and when security integration and testing should be applied in the development life cycle, no one would argue that it has become an essential ingredient. The software industry is making headway in this area, with some providers offering incentives to development teams to integrate security during the application development process.
Integrating security into the application development life cycle is not an all-or-nothing decision, but rather a process of negotiation within policy, risk and development requirements. Engaging security teams -- in-house or outsourced -- during the definition stage of application development determines the security areas necessary to satisfy policy and risk tolerance in the context of the organization. The areas are broken out in the remainder of this article.
1. Initial review
The first step is the initial review, which will allow the security team to assess initial risks. The security team should work with the development team to gain an understanding of the following:

1. The purpose of the application in the context of its users and its market


2. Its technical environment in terms of application development and deployment

Policy drivers (regulatory and risk)

3. Processes and procedures


4. Business continuity requirements for application availability

2. Definition phase: Threat modeling
Threat modeling is the practice of working with developers to identify critical areas of applications dealing with sensitive information. The model is used to map information flow and identify critical areas of the application's infrastructure that require added security attention.
Once the application is modeled and the critical areas and entry points are identified, security teams should work with the developers to create mitigation strategies for potential vulnerabilities. Threat modeling should be created early in the development life cycle of every project to achieve a secure foundation while using