Free, Effective Controls for Attaining Continuous Application Security Throughout the Web Application Development Life-cycle
Put Baselines in Place (But Keep it Simple in the Early Days)
Now that security training is in place, and you have consistent, secure Web application development methodologies, along with the assessment and development tools you need, it's a good time to start measuring your progress.
At first, all of these changes in your software development life-cycle processes will feel disruptive and time consuming. So, executives and managers, as well as the Web application development team and auditors, are certainly going to want to see results from all the new work that they've put in place. Everyone will want metrics and baselines: Are our applications more secure? Are developers coding better? The only way to answer these questions is to start measuring progress. But, in the beginning, don't fall into the trap of measuring too much.
In the initial days of putting software development life-cycle processes in place, we strongly advise that you keep the measurements simple. Do not get overwhelmed with tracking too many types of vulnerabilities. In fact, you probably don't want to try to track and extinguish every class of vulnerability at once. We've seen this mistake made many times: enterprises try to fix vulnerabilities discovered in every part of the software development life-cycle in a big bang. Then, at the end of a year, they end up with a dozen completely vulnerable applications, and with no money in place to fix everything that needs to be fixed. They end up scrambling, disheartened, and getting nowhere. That's not the way to do it.
That's why, in the beginning, we've learned that a sensible - and attainable - approach to securing the Web application development process is to identify your most prevalent and severe vulnerability classes. If they include SQL Injection or logic errors that could provide unauthorized access to an application, then that's your initial focus. Pick the most critical vulnerabilities that will make significant differences, based on your assessment and the nature of your systems and business. These will be the first vulnerabilities you want to track during their march to extinction (at least from within your applications).
Once your Web application development team gets used to the process of fixing certain classes of vulnerabilities, you can add the next most pressing class (or two) of vulnerabilities to the mix. By slowly adding new classes of vulnerabilities into your formal software development life-cycle processes, you will have the opportunity to smooth any problems or kinks in the process. And your Web application development teams will grow increasingly accustomed to the process. There'll be no big shocks, and over the course of months and years you'll see dramatic improvement over your first few baselines.
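The approach described in the last two paragraphs (rank vulnerability classes by prevalence and severity, pick a small focus set, baseline it, and retire a class from the focus list once it has been driven to zero) is easy to mechanize. The script below is an added example and is not from the article; the assessment findings and the severity weights are constructed sample data, and the function names are this example's own.

```python
"""Baseline tracking for a small set of focus vulnerability classes.

Added illustration, not from the article. FINDINGS is constructed sample
data shaped like a periodic assessment export: (round, class, severity).
"""
from collections import Counter

# Assumed weighting used to rank classes; adjust to your own risk model.
SEVERITY_WEIGHT = {"critical": 4, "high": 3, "medium": 2, "low": 1}

# Constructed sample findings across three assessment rounds.
FINDINGS = [
    # round 0: the baseline assessment
    (0, "SQL Injection", "critical"),
    (0, "SQL Injection", "critical"),
    (0, "SQL Injection", "high"),
    (0, "Broken Access Control", "critical"),
    (0, "Broken Access Control", "critical"),
    (0, "Cross-Site Scripting", "medium"),
    (0, "Cross-Site Scripting", "medium"),
    (0, "Cross-Site Scripting", "medium"),
    (0, "Cross-Site Scripting", "low"),
    (0, "Information Disclosure", "low"),
    # round 1: after the first fix cycle
    (1, "SQL Injection", "high"),
    (1, "Broken Access Control", "critical"),
    (1, "Cross-Site Scripting", "medium"),
    (1, "Cross-Site Scripting", "medium"),
    (1, "Cross-Site Scripting", "medium"),
    (1, "Information Disclosure", "low"),
    # round 2: second fix cycle
    (2, "Broken Access Control", "high"),
    (2, "Cross-Site Scripting", "medium"),
    (2, "Cross-Site Scripting", "low"),
    (2, "Information Disclosure", "low"),
]


def counts_by_class(findings, round_no):
    """Number of open findings per vulnerability class in one assessment round."""
    return Counter(cls for rnd, cls, _sev in findings if rnd == round_no)


def risk_score_by_class(findings, round_no):
    """Prevalence weighted by severity; used to rank classes for the initial focus."""
    scores = Counter()
    for rnd, cls, sev in findings:
        if rnd == round_no:
            scores[cls] += SEVERITY_WEIGHT[sev]
    return scores


def pick_focus_classes(findings, baseline_round=0, how_many=2):
    """Choose the few most prevalent-and-severe classes to track first."""
    ranked = risk_score_by_class(findings, baseline_round).most_common(how_many)
    return [cls for cls, _score in ranked]


def track(findings, focus, baseline_round=0, latest_round=None):
    """Compare the latest round against the baseline for the focus classes only.

    Returns {class: (baseline_count, latest_count, percent_reduction)}.
    Classes outside the focus set are deliberately ignored: the point is to
    measure a few things well rather than everything at once.
    """
    if latest_round is None:
        latest_round = max(rnd for rnd, _cls, _sev in findings)
    base = counts_by_class(findings, baseline_round)
    now = counts_by_class(findings, latest_round)
    report = {}
    for cls in focus:
        b, n = base[cls], now[cls]
        reduction = 100.0 * (b - n) / b if b else 0.0
        report[cls] = (b, n, reduction)
    return report


def retired_classes(report):
    """Focus classes with zero open findings in the latest round.

    These can leave the focus list so the next most pressing class is added.
    """
    return [cls for cls, (_b, n, _r) in report.items() if n == 0]


if __name__ == "__main__":
    focus = pick_focus_classes(FINDINGS)
    print("initial focus:", focus)
    report = track(FINDINGS, focus)
    for cls, (b, n, r) in report.items():
        print(f"{cls}: baseline {b}, now {n}, {r:.0f}% reduction")
    print("ready to retire from focus:", retired_classes(report))
```

With the constructed data, SQL Injection and Broken Access Control rank highest in round 0 and become the focus set; by round 2 SQL Injection has reached zero and is reported as ready to retire, while Cross-Site Scripting is never counted until it is promoted into the focus list.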
By putting into place the essential controls and technologies outlined in this article, you're now well on the pathway to Web application development that is consistently secure. Your reward will be a software development life-cycle process that flows much more smoothly and cost-effectively; because you'll have caught problems early in the development process, your regulatory audits will also flow more smoothly. And you'll have greatly reduced the chances of a successful attack against your Web sites.