Free, Implementing Effective Vulnerability Remediation Strategies Within the Web Application Development Life-cycle

Once you’ve completed a security assessment as a part of your web application development, it’s time to go down the path of remediating all of the security problems you uncovered. At this point, your developers, quality assurance testers, auditors, and your security managers should all be collaborating closely to incorporate security into the current processes of your software development lifecycle in order to eliminate application vulnerabilities. And with your Web application security assessment report in hand, you probably now have a long list of security issues that need to be addressed: low, medium, and high application vulnerabilities; configuration gaffes; and cases in which business-logic errors create security risk. For a detailed overview on how to conduct a Web application security assessment, take a look at the first article in this series, Web Application Vulnerability Assessment: Your First Step to a Highly Secure Web Site.

Testing and Validation: Independently Make Sure Application Vulnerabilities Have Been Fixed

When the next phase of the web application development lifecycle is reached, and previously identified application vulnerabilities have (hopefully) been mended by the developers, it's time to verify the posture of the application with a reassessment, or regression testing. For this assessment, it's crucial that the developers aren't the only ones charged with assessing their own code. They already should have completed their verification. This point is worth raising, because many times companies make the mistake of allowing developers to test their own applications during the reassessment stage of the web application development lifecycle. And upon verification of progress, it is often found that the developers not only failed to fix flaws pegged for remediation, but they also have introduced additional application vulnerabilities and numerous other mistakes that needed to be fixed. That's why it's vital that an independent entity, whether an in-house team or an outsourced consultant, review the code to ensure everything has been done right.

Other Areas of Application Risk Mitigation

While you have full control over accessing your custom applications during web application development, not all application vulnerabilities can be fixed quickly enough to meet immovable deployment deadlines. And discovering a vulnerability that could take weeks to rectify in an application already in production is nerve-wracking. In situations like these, you won't always have control over reducing your Web application security risks. This is especially true for applications you purchase; there will be application vulnerabilities that go unpatched by the vendor for extended periods of time. Rather than operate at high levels of risk, we recommend that you consider other ways to mitigate your risks. These can include segregating applications from other areas of your network, limiting access as much as possible to the affected application, or changing the configuration of the application, if possible. The idea is to look at the application and your system architecture for other ways to reduce risk while you wait for the fix. You might even consider installing a web application firewall (a specially crafted firewall designed to secure web applications and enforce their security policies) that can provide you with a reasonable interim solution. While you can't rely on such firewalls to reduce all of your risks indefinitely, they can provide an adequate shield to buy you time while the web application development team creates a fix.

As you have seen, remedying web application vulnerabilities during the web application development lifecycle requires collaboration among your developers, QA testers, security managers, and application teams. The associated processes can seem laborious, but the fact is that by implementing these processes, you'll cost-effectively reduce your risk of application-level attacks. Web application development is complex, and this approach is less expensive than reengineering applications and associated systems after they're deployed into production. 

That's why the best approach to web application security is to build security awareness among developers and quality assurance testers, and to instill best practices throughout your Web application development life cycle - from its architecture throughout its life in production. Reaching this level of maturity will be the focus of the next installment, Effective Controls For Attaining Continuous Application Security. The third and final article will provide you with the framework you need to build a development culture that develops and deploys highly secure and available applications - all of the time.