Free, Effective Controls for Attaining Continuous Application Security Throughout the Web Application Development Life-cycle
Essential Elements of Secure Software Development Life-cycle Processes
A secure software development life-cycle means having the policies and procedures in place that consider - and enforce - secure Web application development from conception through defining functional and technical requirements, design, coding, quality testing, and while the application lives in production. Developers must be trained to incorporate security best practices and checklists in their work: Have they checked their database query filtering, or validated proper input handling? Is the application being developed to be compliant with best programming practices? Will the application adhere to regulations, such as HIPAA or PCI DSS? Putting these types of procedures in place will dramatically improve security during the Web application development process. Having developers check field inputs and look for common programming mistakes as the application is being written will also make future application assessments flow much more smoothly.
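The two checklist questions above (query filtering and input handling) are concrete enough to show in code. The following is an added example written for this page, not code from the article or its authors: it contrasts a lookup built by string concatenation with one that validates the input against an allow-list and then binds it as a query parameter. The schema, rows, and helper names are constructed for the illustration, and the in-memory SQLite database stands in for whatever database the application uses.

```python
import re
import sqlite3


def make_db():
    """Constructed sample schema and rows (not from the article)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, email TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "alice@example.com"), ("bob", "bob@example.com")],
    )
    return conn


# Allow-list for the field: short handles of letters, digits and underscore.
USERNAME_RE = re.compile(r"^[A-Za-z0-9_]{1,32}$")


def validate_username(value):
    """Field-input check a developer would run before touching the database."""
    return isinstance(value, str) and USERNAME_RE.fullmatch(value) is not None


def lookup_unsafe(conn, username):
    """Defective version: concatenation lets the input alter the query structure."""
    sql = "SELECT email FROM users WHERE username = '" + username + "'"
    return [row[0] for row in conn.execute(sql)]


def lookup_param_only(conn, username):
    """Parameter binding alone: the input is always treated as a literal value."""
    rows = conn.execute(
        "SELECT email FROM users WHERE username = ?", (username,)
    )
    return [row[0] for row in rows]


def lookup_safe(conn, username):
    """Hardened version: validate the field, then bind it as a parameter."""
    if not validate_username(username):
        raise ValueError("invalid username")
    return lookup_param_only(conn, username)


def demo():
    """Runs the three lookups against the textbook tautology input and a normal one."""
    conn = make_db()
    probe = "x' OR '1'='1"  # constructed input that is not a valid username
    return {
        # concatenation: the WHERE clause becomes always-true, every row leaks
        "unsafe_rows": len(lookup_unsafe(conn, probe)),
        # binding: the literal string "x' OR '1'='1" matches no username
        "param_only_rows": len(lookup_param_only(conn, probe)),
        # validation: the field is rejected before any query runs
        "safe_rejected": not validate_username(probe),
        # the hardened path still serves legitimate requests
        "safe_normal": lookup_safe(conn, "alice"),
    }


if __name__ == "__main__":
    print(demo())
```

The point for a checklist reviewer is that the two controls are independent: parameter binding removes the structural risk on its own, while the allow-list check additionally rejects malformed data before it reaches any query, which is the "validated proper input handling" item above.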
While developers need to test and assess the security of their applications as they're being developed, the next major test of the software development life-cycle processes comes after the Web application development is completed. This is when the entire application, or a module, is ready to be sent to the formal testing phase that will be conducted by quality assurance and security assessors. It's during this phase of the software development life-cycle that quality assurance testers, in addition to their typical tasks of making sure performance and functional requirements are met, look for potential security problems.
Many companies make the mistake, during this phase, of not including members of the IT security team in this process. It's our opinion that IT security should have input throughout the software development life-cycle, lest a security issue surface later in the Web application development process - and what could have been a small problem is now a big problem.
Putting these types of processes in place is difficult work, and may seem onerous at first. But the truth is that the payoff can be huge: your applications will be more secure and your future security assessments won't feel like fire drills. There are software development life-cycle models and methodologies that could help direct you, such as the Application Security Assurance Program (ASAP), which puts a number of guiding principles in place necessary for building secure code, including executive commitment, considering security from the beginning of Web application development, and the adoption of metrics to measure coding and process improvements over time. A good primer is The Security Development Life-cycle by Michael Howard and Steve Lipner (Microsoft Press, 2006).
How Technology Helps Enforce and Maintain the Secure SDLC
Human nature being what it is, people tend to slip back into their old sloppy ways if new behaviors (the software development life-cycle processes we discussed earlier) are not enforced. That's where technology can play a role. The right tools not only help to automate the security assessment and secure coding process; they also can help keep in place the Web application development framework necessary for success.
As discussed in the first article of this series, at the very minimum you'll need a Web application security scanner to assess your custom-built as well as your commercially-acquired software. Depending on the size of your Web application development team, and how many applications you're working on at any given time, you'll want to consider other tools that will improve your software development life-cycle processes as well. For instance, quality assurance tools are available that integrate directly into the application performance and quality testing programs that many organizations already use, such as those from IBM and HP. With this integration of security into quality and performance testing, quality assurance teams can concurrently manage functional and security testing from a single platform.