
Eight steps for integrating security into application development

Ruby Qurashi, MCI NetSec
 


December 06, 2005 (Computerworld) -- Most organizations spend a tremendous amount of resources, time and money to protect their network perimeters from Internet-borne threats and hackers. But no matter how good a defense may be, it usually falls short in addressing the vulnerabilities inside the network at the application layer.
Recent research findings indicate that the application layer is one of the highest-risk areas and where the most potential damage can occur, either through insider targets or lack of protection. As a result, confidential company information can be exposed, resulting in harm to a company, its customers and its reputation.
While many variables affect Web application security, improving security in a few key areas can help eliminate vulnerabilities. It's critical that security be included in the initial Web design and not retrofitted after the application is developed. While some experts argue over where and when security integration and testing should be applied in the development life cycle, no one would argue that it has become an essential ingredient. The software industry is making headway in this area, with some providers offering incentives to development teams to integrate security during the application development process.
Integrating security into the application development life cycle is not an all-or-nothing decision, but rather a process of negotiation within policy, risk and development requirements. Engaging security teams -- in-house or outsourced -- during the definition stage of application development determines the security areas necessary to satisfy policy and risk tolerance in the context of the organization. The areas are broken out in the remainder of this article.
1. Initial review
The first step is the initial review, which will allow the security team to assess initial risks. The security team should work with the development team to gain an understanding of the following:

  1. The purpose of the application in the context of its users and its market

  2. Its technical environment in terms of application development and deployment

  3. Policy drivers (regulatory and risk)

  4. Processes and procedures

  5. Business continuity requirements for application availability

2. Definition phase: Threat modeling
Threat modeling is the practice of working with developers to identify critical areas of applications dealing with sensitive information. The model is used to map information flow and identify critical areas of the application's infrastructure that require added security attention.
Once the application is modeled and the critical areas and entry points are identified, security teams should work with the developers to create mitigation strategies for potential vulnerabilities. A threat model should be created early in the development life cycle of every project to achieve a secure foundation while using resources efficiently. It should then be revisited throughout the development process as the application evolves in complexity.
3. Design phase: Design review
Application design reviews are an important step in identifying potential security risks at the early development stage. It is important that this review is conducted by an independent and objective moderator who is separate from the development team. This process involves reviewing application documents and interviewing developers and application owners. This will help keep the business purpose of the application in the forefront for analysis and later recommendations.
Reviews are held at each stage of the development process. This includes the beginning of the design phase before code is written, the end of each software developmental phase throughout the life cycle, and, finally, before the application goes live.
4. Development phase: Code review
During this phase, the development and coding of the system takes place. As modules and phases are completed, and once unit testing for each is finished, security testing against units should be conducted throughout the development process. This includes testing units and reviewing code for best security practices. During this phase, the focus shifts to the hardware and network environment, ensuring that segments and trust relationships are appropriate, servers are hardened at the operating system level, and application software is configured and administered securely.
5. Deployment phase: Risk assessment
While security reviews have been conducted throughout the cycle, at this point, a risk assessment done prior to deployment is a step toward benchmarking the live application. Once risk has been benchmarked for the "go live" application, a strategy for mitigation of any risk can be put into place.
6. Risk mitigation
Risk mitigation involves prioritizing, evaluating and implementing the controls that the security team identifies as necessary to mitigate vulnerabilities discovered during the risk-assessment stage. The least costly approach to implementing the most appropriate controls to reduce the risks to the organization is advisable. For example, risk can be assumed or reduced to an acceptable level, risk can be avoided by removing the cause, and risk can be transferred by using other options that compensate, such as purchasing insurance. The security team should work closely with the appropriate teams in the decision-making process on the most suitable mitigation options for each identified risk.
7. Benchmark
The next step is to benchmark the resulting application against industry standards to deliver a security scorecard. This allows executives to determine whether the security integration efforts are in line with industry averages and where there are gaps to improve. Many phases can be benchmarked and will correspond to one or more of the security criteria relevant to the organization. These include:
  • NIST SP 800-30 guidelines

  • Open Web Application Security Project (OWASP) guidelines

  • BS 7799 guidelines

  • The Gramm-Leach-Bliley Act

  • The Health Insurance Portability and Accountability Act (HIPAA)

  • The Sarbanes-Oxley Act

  • California SB 1386

Benchmarking for internal improvements is only one step. Doing security benchmarking against other similar programs within an organization's specific vertical industry is another measurement to consider.
8. Maintenance phase: Maintain
In order to maintain the strong security posture established, it's important to consider employing periodic security checks of all critical applications and controls. Securing an application is adequate for that moment in time, but new risks are introduced every day that could affect its security.
While network security is one layer of defense and protection, critical systems and sensitive information are still vulnerable to software application flaws, insider breaches and inadequate protection. With real-world testing across large enterprises and multiple industries, serious flaws are often found in most software, both custom and popular third-party applications. As such, it is critical for companies to integrate security into the application development life cycle to ensure applications are properly protected against external and internal threats.
Ruby Qurashi is vice president of MCI NetSec, a provider of managed security services.


