Archive for November, 2011
Controls to Ensure Security Throughout the Continuous Web Application Development Lifecycle
Given the choice, every organization would want secure web sites and applications, from the start of web application development all the way through the software development life cycle. So why is this such a challenge to achieve? The answer lies in the process (or lack thereof) that is in place.
Although standalone, one-off security assessments of web applications will certainly help improve the security of a site or application, once everything found has been fixed, application changes and newly discovered vulnerabilities mean new security problems arise. Unless you put security controls and continuous quality control in place throughout the software development life cycle, from initial development through the production web application, you will never achieve a high level of security; ongoing effort is needed to keep the system safe from attack, and the cost of fixing security weaknesses will remain high.
In the first two articles of this series we discussed many of the important elements you need to know to perform security assessments of web applications and how to fix the vulnerabilities an assessment finds. If your organization is like most, the first web application assessment is a nightmare: a slew of low-, medium- and high-severity vulnerabilities are found and must be corrected by the web application development team. This requires decisions about how to fix complex applications as quickly as possible without harming the system in production or delaying the application launch.
But that first web application assessment, while painful, provides a valuable learning experience for improving the software development life cycle. This article describes how to put organizational controls in place to make this process as painless as possible and an integral part of your web application development efforts. It is a brief review of the quality assurance processes and technologies needed to start developing applications as securely as possible from the outset and to keep them that way. No more surprises. No more delayed deployments.
Secure Web Application Development: People, Process and Technology
Creating highly secure applications begins in the early stages of the software development life cycle, with the developers. That is why embedding application security knowledge through web application development training is one of the first things you want to do. Not only do you want your developers armed with the latest knowledge of how to write secure code, and of how attackers exploit weaknesses, but you want them to understand how important (and far more effective) it is to consider security from the beginning. This awareness should not end with the web application development team. It should include everyone who plays a role in the software development life cycle: the quality and security testing teams, who need to know how to identify potential security weaknesses, and the IT management team, who need to understand how to invest organizational resources most effectively in developing secure applications and how to evaluate critical technologies such as web application security scanners, web application firewalls and quality assurance toolsets.
Awareness throughout the web application development life cycle is one of the most important controls needed to ensure the security of web applications. Although training is required, you cannot rely on it alone to build secure systems. That is why training should be reinforced with further controls and technologies. You must begin to implement the elements of a secure software development life cycle, or SDLC.
Important Elements of a Secure Software Development Life Cycle
A secure software development life cycle requires policies and procedures that consider, and implement, security in web application development from conception through functional and technical requirements definition, design, coding, quality testing and, finally, the live application. Developers must be trained to incorporate security best practices and checklists into their work: have they tested the filtering of their database queries, or verified proper input handling? Was the application designed in line with programming best practices? Will the application comply with regulations such as HIPAA and PCI DSS? Putting procedures of this kind in place will significantly enhance security during the web application development process. Once developers check input fields and look for the most common programming errors as the code is written, future application assessments will flow much more smoothly.
While developers must test and evaluate the security of the applications they are developing, the next most important test in the software development life cycle comes after web application development has been completed. This is when the entire application, or a module of it, is ready to be shipped to the formal testing stage performed by the quality assurance and security teams. During this phase of the software development life cycle, quality testers, in addition to their traditional task of checking that performance and functional requirements are met, should look for potential security problems.
The mistake many companies make at this stage is not including members of the IT security team in the process. We believe IT security should have input throughout the software development life cycle, lest security problems surface only after the web application development process is over, when what may be a small problem now has become a big problem.
Establishing such a process is hard work, and it may seem expensive at first glance. But the reality is that the payoff can be enormous: your applications will be safer, and future security assessments will feel like a fire drill rather than a crisis. There are software development life cycle models and techniques that can help you directly, for example an Application Security Assurance Program (ASAP), which puts a number of guidelines in place for building secure code, including executive commitment, accounting for security from the outset of web application development, and metrics for coding and process improvements over time. A good introduction to the secure software development life cycle is the book by Michael Howard and Steve Lipner (Microsoft Press, 2006).
Technology Allows You to Implement and Maintain a Secure SDLC
Human nature being what it is, people tend to slip back into their old sloppy ways if the new behavior (the software development life cycle process described above) is not enforced. That is where technology can play a role. The right tools not only automate and enforce the security assessment process during coding, but also help keep web application development on the track required for success.
As mentioned in the first part of this series, at a minimum you will need a web application security scanner to assess both your custom-built and your purchased software. Depending on the size of your web application development team and how many applications you are working on at any given time, you will want to consider other tools that enhance the software development life cycle process. For example, security and quality assurance tools are available that integrate directly into the application performance and quality control programs many organizations already use, such as those from IBM and HP. By integrating security with performance and quality testing, the quality assurance team can manage both functional and security testing from a single platform.
Enact the Basics (Keep It Simple, Especially in the Early Days)
Now that security training is in place, and you have a consistent and secure web application development methodology as well as the assessment and development tools you need, it is a good time to start measuring your progress.
At first, everyone will find the changes to the software development life cycle annoying and time consuming. Thus executives, managers, the web application development team and auditors will certainly want to see results from all the new work that has been put in. Everyone will want metrics and baselines: is our software more secure? Are the developers coding better? The only way to answer these questions is to begin measuring progress. But at the very beginning, do not fall into the trap of measuring too much.
In the first days of having the software development life cycle process in place, we strongly recommend that you keep things simple. Do not overload yourself by tracking too many classes of vulnerabilities. In fact, you probably do not want to track and grapple with every class of vulnerability at once. We have seen this mistake many times: companies try to fix every vulnerability found in every part of the software development life cycle in one big bang. Then, at the end of the year, they are left with a dozen truly vulnerable applications and no money to fix the things that really need fixing. They end up scrambling, demoralized and no better off. This is not the way to do it.
That is why, at the very beginning, a significant, and affordable, approach is to examine your web application development process to determine which vulnerabilities are the most common and the most serious. If you are introducing SQL injection, or logic errors that can give unauthorized access to applications, then that is your initial target. Select the most important vulnerabilities to start with, based on the assessment and the nature of your business systems. These vulnerabilities will be tracked on their march toward extinction (at least in your applications).
After the web application development team has become used to eliminating certain classes of vulnerabilities, you can add the next class (or two) to the mix. By adding new vulnerability classes to the formal software development life cycle process slowly, you will be able to work out any problems or kinks in the process, and your web application development team will grow accustomed to it. Progress will come in steps, and over the months and years you will see significant improvement over your first baseline values.
Putting in place the management elements and technologies described in this article will set you on the way to developing web applications that are always protected. Your reward will be a software development life cycle process that works much more smoothly and efficiently, catching problems early in the design process, so that audits go much more fluidly. And you will have significantly reduced the chances of a successful attack against your web site.
After completing the security assessment as part of web application development, it is time to follow the remediation path for the security problems found. At this point developers, quality testers, auditors and security managers must work together closely to integrate security into the software development life cycle and eliminate application vulnerabilities. With your web application security assessment in hand, you now have a long list of security issues that must be addressed: low-, medium- and high-risk application vulnerabilities, configuration anomalies, and cases where business logic errors compromise the application. For a detailed description of how to conduct a web application security assessment, see the first paper of this series, Web Application Vulnerability Assessment: Your First Step on the Way to Secure Web Sites.
First: Classify and Prioritize Your Application Vulnerabilities
The first stage of the web application remediation process is the classification and prioritization of everything that must be fixed in your application or web site. At a high level, there are two classes of application vulnerabilities: development errors and configuration errors. As the name suggests, web application development vulnerabilities are those that arise from the architecture and coding of the application. They are problems in the actual code or workflow of the application that developers will have to address. Often, but not always, these types of errors take more thought, time and resources to fix. Configuration errors are those that require system settings to be changed, services to be disabled, and so on. Depending on how your organization is structured, these vulnerabilities may or may not be handled by developers; they can often be handled by the application or infrastructure managers. In any case, configuration errors can, in many cases, be fixed quickly.
At this point in the web development and remediation process, it is time to prioritize all the technical and business logic vulnerabilities found in the assessment. In this simple process, you first list the application vulnerabilities with the greatest potential adverse impact on the systems critical to the organization, and then list the remaining application vulnerabilities in descending order based on risk and business impact.
Develop a Remediation Plan
Once application vulnerabilities have been categorized and prioritized, the next step in web application development is to estimate how long it will take to implement the fixes. If you are not familiar with web application development and review cycles, it is a good idea to bring developers in to discuss the matter. Do not be too detailed here. The idea is to get a sense of how long the work will take, and to carry out the remediation based on the application vulnerabilities' risk and the time required to fix them. Time, or difficulty, estimates can be as simple as easy, medium and hard. Remediation should begin not only with the application vulnerabilities that pose the biggest risk, but also with those that will take the most time to fix. For example, start fixing a complex application vulnerability that will take a long time first, and hold off on the half-dozen defects that can be fixed in an afternoon. Following this process, web application development does not fall into the trap of missing development deadlines or delaying the application launch because it took longer than expected to address all the security-related defects.
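The classification, risk ranking and effort-ordering steps above, together with the advice earlier on this page to start by tracking the most common and serious vulnerability class, as an added Python example that is not code from the original articles; the sample findings, the 1 to 3 business-impact scale and the list of configuration-error classes are constructed assumptions:

```python
"""Triage helper for assessment findings: classify, prioritize, order fixes.

Added example, not from the original articles. It follows the page's
procedure: split findings into development vs configuration errors, rank by
risk and business impact, attach an easy/medium/hard effort estimate, and
start with the highest-risk items, taking the longest fixes first among them.
The findings and scales below are constructed sample data, not real output.
"""
from collections import Counter
from dataclasses import dataclass

RISK = {"low": 1, "medium": 2, "high": 3}
EFFORT = {"easy": 1, "medium": 2, "hard": 3}
# Assumed set of classes that are configuration errors (settings to change,
# services to disable); everything else is a development (code/workflow) error.
CONFIG_CLASSES = {"directory listing", "default credentials", "verbose errors"}


@dataclass(frozen=True)
class Finding:
    id: str
    vuln_class: str
    risk: str             # low / medium / high, as the assessment rated it
    business_impact: int  # assumed scale: 1 (minor) .. 3 (critical system)
    effort: str           # easy / medium / hard, the developers' estimate

    @property
    def kind(self) -> str:
        return "configuration" if self.vuln_class in CONFIG_CLASSES else "development"

    @property
    def priority(self) -> int:
        # Risk combined with business impact; higher means more urgent.
        return RISK[self.risk] * self.business_impact


def classify(findings):
    """Split findings into development and configuration errors."""
    groups = {"development": [], "configuration": []}
    for f in findings:
        groups[f.kind].append(f)
    return groups


def remediation_order(findings):
    """Highest priority first; among equal priority, the longest fix first."""
    return sorted(findings, key=lambda f: (-f.priority, -EFFORT[f.effort], f.id))


def initial_target_class(findings):
    """Pick the first class to track: the one whose findings carry most risk."""
    score = Counter()
    for f in findings:
        score[f.vuln_class] += f.priority
    return max(sorted(score), key=lambda c: score[c])  # ties: alphabetical


# Constructed sample findings, as an assessment might list them.
SAMPLE = [
    Finding("F1", "sql injection", "high", 3, "hard"),
    Finding("F2", "sql injection", "high", 2, "easy"),
    Finding("F3", "xss", "medium", 2, "easy"),
    Finding("F4", "directory listing", "low", 1, "easy"),
    Finding("F5", "business logic", "high", 3, "medium"),
    Finding("F6", "default credentials", "high", 3, "easy"),
]

if __name__ == "__main__":
    for kind, items in classify(SAMPLE).items():
        print(kind, [f.id for f in items])
    print("fix order:", [f.id for f in remediation_order(SAMPLE)])
    print("track first:", initial_target_class(SAMPLE))
```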
This process also gives auditors and developers a very good overview during web application development: you now have a road map to follow and to track progress against. And following it will close security holes as development proceeds.
It should be noted that any business logic problems identified during the assessment should be considered carefully when setting web application development priorities. Many times, because you are dealing with logic, that is, with the actual use of workflows, you want to consider carefully how these application vulnerabilities need to be resolved. What may seem like a simple fix can be very complicated. Therefore we recommend that you work together with developers, security teams and consultants to develop the best possible business logic error correction strategy and to estimate how long it will take to fix.
In addition, consultants can play an important role in prioritizing and classifying application vulnerabilities for web development remediation, helping your organization onto the path to success. Some companies find it more convenient to have a security consultant provide a few hours of troubleshooting advice on application vulnerabilities; this advice often shaves hundreds of hours off remediation during web application development.
One pitfall to avoid when using consultants during web application development, however, is failing to set proper expectations. While many consultants will provide a list of application vulnerabilities that need repair, they often neglect to provide the information the organization needs on how to solve the problems. It is important to set the expectation with your experts, whether internal or external, that they provide detailed information on how to fix security flaws. The problem is that without proper detail, education and guidance, the developers who created the vulnerable code during the web application development cycle may not know how to solve the problem. For this reason it is important that an application security consultant be available to developers, or to members of your security team, to make sure they are going down the right path. Otherwise web application development time is wasted and security issues remain outstanding.
Testing and Verification: Check for Yourself That Application Vulnerabilities Have Been Corrected
When the next stage of the web application development cycle is reached, and the previously identified application vulnerabilities have (hopefully) been fixed by the developers, it is time to perform a reassessment, or regression test. For this assessment it is important that developers are not solely responsible for evaluating their own code. They must complete their own tests, but an independent check is worth funding, because many times companies make the mistake of letting developers alone test their applications during the web application development re-cycle. When progress is checked, it often turns out that the developer has not only failed to correct the defect slated for improvement, but has also introduced additional application vulnerabilities and many other errors that need to be repaired. That is why it is important that an independent body, either an in-house group or outside consultants, review the code to make sure everything has been done correctly.
Another area of risk reduction
While you have complete control over custom applications during web application development, not all application vulnerabilities can be fixed quickly enough to meet a production deadline. And finding a vulnerability that may take several weeks to fix in an application already in production is bad news. In such situations there are still ways to keep the risks to web application security under control. This is especially true for purchased applications, whose vulnerabilities may go unpatched by the vendor for a long time. Instead of operating at a high level of risk, you should consider other ways to reduce it. This may mean separating the application from other areas of the network, limiting access to the affected application, or changing the application's configuration where possible. The idea is to look at the application and system architecture for other ways to reduce risk while you wait for the fix. You might also consider installing a web application firewall (a firewall specifically designed to protect web applications and enforce their security policy), which may provide a reasonable temporary accommodation. While you cannot rely on such firewalls to reduce risk indefinitely, they may provide an adequate shield to buy time for the web application development team to make its fixes.
As you can see, fighting web application vulnerabilities during the web application development cycle requires collaboration between developers, QA testers, security and application teams. The processes involved may seem tedious, but the reality is that by applying them you reduce the risk of application-level attacks cost-effectively. Even for complex web applications, this approach is less expensive than reengineering applications and related systems after they have been put into production.
There was a time in the history of the personal computer when firewall and antivirus software was neither needed nor requested. Today, personal computer security is threatened not only by viruses and worms but by spyware, very annoying programs that are loaded onto your computer from the Internet without permission. Spyware can significantly reduce the computer's performance and make you vulnerable to identity theft and other criminal activity. Firewalls, long a staple of the corporate world as the main defense for expensive intranets and other internal networks, have come into their own as a tool for personal computer owners as well. Home computers are just as likely, if not more likely, to be targeted by online scams, so why should they not be protected?
What is a firewall, anyway?
For those of you who are not well versed in computer security language, we offer a fairly simple definition here. A firewall is a set of security programs that act to prevent unauthorized users from accessing a specific network (or computer). Most firewalls also monitor and report all data transfers between the Internet and the protected environment. A firewall is thus very effective at keeping your computer or network safe, allowing you to access the Internet without a high security risk.
Sygate Personal Firewall
There are several very reputable firewall vendors, and Sygate is certainly one of them. Here we discuss some features of the Sygate firewall line so you can choose the best one for your PC or server.
Sygate currently offers two main personal firewalls: Sygate Personal Firewall (SPF) and Sygate Personal Firewall Plus (SPFP). The main difference between them lies in the advanced features you will find only in SPFP. With the Plus version you get VPN support, an intrusion detection system (IDS), active response, and anti-MAC and source-address anti-spoofing protection. Both versions of the software come with the essentials every PC user really needs: application-based firewall configuration, security alarms, intruder tracking and security logging. These characteristics are what a firewall really needs in order to protect your home computer: it should be able to block access to your computer, and it should notify you when an attack has been attempted (or is in progress). Given that SPF is essentially free to download and contains the items you really need, it is the application we recommend for home users. For small business networks, the more advanced features offered by Sygate Personal Firewall Plus are definitely worth the $40.00 price tag. Either option is a solid firewall and can be trusted to perform very well on almost any system.
Norton Personal Firewall
Sygate's nearest competition in personal firewalls is Norton. Norton is famous for its antivirus, which has largely carried the brand over the past ten years. Although less well known, the Norton firewall program offers home PC owners a powerful and complete firewall. Norton Personal Firewall 2005 is similar to the Sygate Personal Firewall mentioned above. Some clear features of this application are Norton Privacy Control (which keeps information from being sent without your knowledge in email, instant messages, MS Office attachments and various web forms, for example when you enter your credit card number) and intrusion prevention, which automatically blocks suspicious incoming traffic (hackers, etc.). If this product is anywhere near as well designed and built as Norton antivirus, then it is definitely worth a look. This software can be downloaded or ordered online for $49.
Your web site took in more than one million dollars last year. Business is booming, and people are buying from you. You intend to expand your product line and are also expanding the services you offer. Then it happens. Arriving at your site one morning, you see a message announcing to the world that your site has been hacked. Buyers stop buying; even your most loyal customers take their business elsewhere.
People complain that they were redirected to another site that turned their antivirus software off. Before you know it, people who used to be your customers are claiming that your negligence caused fraud on their credit card transactions, or that weaknesses in the site's security led to the theft of their confidential information.
Although this scenario is extreme, it is very possible. And hacking attacks are not the only headache that can occur when you start an e-commerce site. You can easily fall victim to a denial of service attack or a virus infection. In either case, ignoring the security of your system or web site is a sure way to invite trouble.
The fact is that your site will have some less-than-secure application. Web applications accounted for 54% of all the exploited vulnerabilities discovered by IBM Internet Security Systems in 2008. Worse, it seems that web application providers tend not to do anything about it. The IBM report also revealed that for almost three-quarters of all known vulnerabilities found in web applications, no patch is available.
And the chance of hackers targeting web sites is high. In fact, hackers are more likely to attempt to break in through the web site than through a strong, actively managed network defense, because security is weaker on the site.
Beef Up Your E-Commerce Security
The Payment Card Industry Data Security Standard points to two things that create an adequately protected e-commerce profile. One is to review all the code on your web site or application. This can be a lengthy process and often involves a third-party security company, which may or may not do a good job of crawling your site, network and applications for vulnerabilities. Moreover, you pay one fee to have the vulnerabilities identified, and further charges to get the code properly fixed.
The easiest way
The other is to install and run a web application firewall, which can scan all incoming packets of data to your web site. A carefully configured web application firewall efficiently prevents hacking attempts, virus infection and other potentially malicious attacks on your web site. For more information about the types of hacker attacks