After completing a security assessment as part of web application development, it is time to go down the path of remediating the security problems it found. At this point, developers, quality assurance testers, auditors and security managers must work together closely to integrate security into the software development lifecycle and eliminate application vulnerabilities. With your web application security assessment report in hand, you probably have a long list of security issues to address: low, medium and high application vulnerabilities, configuration anomalies, and cases where business-logic errors compromise security. For a detailed description of how to manage a web application security assessment, see the first paper of this series, Web Application Vulnerability Assessment: Your First Step on the Way to Secure Web Sites.
First: Classify and prioritize your application vulnerabilities
The first stage of the remediation process in web application development is classifying and prioritizing everything that must be fixed in your application or website. At a high level, there are two classes of application vulnerabilities: development errors and configuration errors. As the name suggests, development vulnerabilities are those that arise in the conception and coding of the application. These are problems in the actual code, or in the workflow of the application, that developers will have to address. Often, but not always, these types of errors take more thought, time and resources to fix. Configuration errors are those that require system settings to be changed, services to be disabled, and so on. Depending on how your organization is structured, these application vulnerabilities may or may not be handled by the developers. They can often be handled by application or infrastructure teams. In any case, configuration errors can in many cases be corrected quickly.
At this point in the web application development and remediation process, it is time to prioritize all of the technical and business-logic vulnerabilities found in the assessment. In this simple process, you first list your most important application vulnerabilities, those with the greatest potential adverse impact on the systems most critical to the organization, and then list the other application vulnerabilities in descending order of risk and business impact.
Develop an achievable remediation plan
Once the application vulnerabilities have been classified and prioritized, the next step in web application development is to estimate how long it will take to implement the fixes. If you are not familiar with web application development and revision cycles, it is a good idea to bring in the developers for this discussion. Do not get too detailed here. The idea is to get a sense of how long the work will take, and to get remediation under way with the most time-consuming and most critical application vulnerabilities first. The time, or difficulty, estimates can be as simple as easy, medium and hard. Remediation then begins not only with the application vulnerabilities that pose the biggest risk, but also with those that take the longest to correct. For example, start first on fixing a complex application vulnerability that can take a long time, and wait to work on the half a dozen defects that can be fixed in an afternoon. By following this process during web application development, you do not fall into the trap of having to extend development time, or delay the launch of the application, because it took longer than expected to address all of the security-related defects.
This process also gives auditors and developers a very good means of follow-up during web application development: you now have a roadmap to reach and track. This progression reduces security holes while keeping current development moving.
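An added example, not part of the original article: a small planner that applies the three steps above (split by class, order by risk, start the longest fixes first) and shows why clearing the quick fixes first delays the finish date. The finding IDs, the days assigned to each effort label and the two-developer team are assumptions made for the illustration.

```python
import heapq

# Assumed scales (not from the article): risk rank and working days per effort label.
RISK = {"low": 1, "medium": 2, "high": 3}
EFFORT_DAYS = {"easy": 1, "medium": 3, "hard": 10}

# Constructed sample findings: (id, class, risk, effort).
FINDINGS = [
    ("F1", "configuration", "high", "easy"),
    ("F2", "development", "high", "hard"),
] + [(f"F{n}", "development", "medium", "easy") for n in range(3, 9)]


def split_by_class(findings):
    """Step 1: separate development errors from configuration errors."""
    dev = [f for f in findings if f[1] == "development"]
    cfg = [f for f in findings if f[1] == "configuration"]
    return dev, cfg


def start_order(findings):
    """Steps 2-3: highest risk first; within a risk level, the longest fix first."""
    return sorted(findings, key=lambda f: (-RISK[f[2]], -EFFORT_DAYS[f[3]]))


def quick_wins_first(findings):
    """The tempting alternative: clear the easy defects before the hard one."""
    return sorted(findings, key=lambda f: EFFORT_DAYS[f[3]])


def days_to_finish(ordered, developers):
    """Hand each finding, in order, to whichever developer becomes free first."""
    free_at = [0] * developers
    heapq.heapify(free_at)
    for finding in ordered:
        start = heapq.heappop(free_at)
        heapq.heappush(free_at, start + EFFORT_DAYS[finding[3]])
    return max(free_at)


if __name__ == "__main__":
    dev, cfg = split_by_class(FINDINGS)
    print("route to infrastructure:", [f[0] for f in cfg])
    print("developer start order:", [f[0] for f in start_order(dev)])
    print("risk and longest first:", days_to_finish(start_order(dev), 2), "days")
    print("quick wins first:", days_to_finish(quick_wins_first(dev), 2), "days")
```

With the same work and the same team, starting on the hard fix first finishes in 10 days, while clearing the six easy defects first pushes the finish to day 13.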
It should be noted that any business-logic problems identified during the assessment should be carefully considered when setting web application development priorities. Because you are dealing with logic, that is, with how the application actually flows, you want to consider carefully how these application vulnerabilities need to be resolved. What may seem like a simple fix can turn out to be very complicated. Therefore, we recommend that you work together with developers, security teams and consultants to develop the best business-logic error correction routine possible, and to estimate how long it will take to fix.
In addition, prioritizing and classifying application vulnerabilities for remediation is an area of web application development in which consultants can play an important role in helping your organization down a successful path. Some companies find it more convenient to have a security consultant provide several hours of advice on how to fix application vulnerabilities; this advice often shaves hundreds of hours off the remediation process during web application development.
One of the pitfalls to avoid when using consultants during web application development, however, is failing to set proper expectations. While many consultants will provide a list of application vulnerabilities that need to be fixed, they often neglect to provide the information the organization needs on how to solve the problem. It is important to set the expectation with your experts, whether internal or external, that they provide detailed information on how to fix security flaws. The problem is that, without the proper detail, education and guidance, the developers who created the vulnerable code during the web application development cycle may not know how to solve the problem. For this reason, it is important to have an application security consultant, or a member of your security team, available to the developers to ensure that they are going down the right path. Without that, web application development timelines slip and security issues remain outstanding.
Testing and verification: independently make sure application vulnerabilities have been corrected
When the next stage of the web application development cycle is reached, and the previously identified application vulnerabilities have (hopefully) been fixed by the developers, it is time to check the posture of the application with a reassessment, or regression testing. For this assessment, it is important that the developers are not the only ones responsible for evaluating their own code. They must complete their own testing. This point is worth making, because companies often make the mistake of allowing developers to test their own applications during the reassessment stage of the web application development cycle. When progress is then verified, it often turns out that the developers have not only failed to correct the defects slated for remediation, but have also introduced additional application vulnerabilities and many other errors that need to be repaired. That is why it is important that an independent party, either an in-house group or outside consultants, reviews the code to make sure that everything has been done correctly.
Other areas of risk reduction
While you have complete control over access to your custom applications during web application development, not all application vulnerabilities can be fixed quickly enough to meet a fixed deployment deadline. And finding a vulnerability that could take several weeks to fix in an application already in production is a bad position to be in. In such situations, you will not always be in control of reducing the risks to the security of your web applications. This is especially true for applications that you purchase: there will be application vulnerabilities that go unfixed by the vendor for a long time. Instead of operating at a high level of risk, you should consider other ways to reduce risk. These may include separating the application from other areas of the network, limiting access to the affected application as far as possible, or changing the configuration of the application, if possible. The idea is to look at the application and the system architecture for other ways to reduce risk while you are waiting for the fix. You might also consider installing a web application firewall (a firewall designed specifically to protect web applications and enforce their security policy), which may provide a reasonable temporary solution. While you cannot rely on such firewalls to reduce the risk indefinitely, they may provide an adequate shield to buy time while the web application development team creates a fix.
As you can see, fighting web application vulnerabilities during the web application development cycle requires collaboration between developers, QA testers, security managers and application teams. The processes involved may seem tedious, but the reality is that by applying them you cost-effectively reduce the risk of application-level attacks. Web application development is complex, and reengineering applications and related systems after they have been deployed to production is more expensive than this approach.