Once you've completed a security assessment as a part of your web application development, it's time to go down the path of remediating all of the security problems you uncovered. At this point, your developers, quality assurance testers, auditors, and your security managers should all be collaborating closely to incorporate security into the current processes of your software development lifecycle in order to eliminate application vulnerabilities. And with your Web application security assessment report in hand, you probably now have a long list of security issues that need to be addressed: low, medium, and high application vulnerabilities; configuration gaffes; and cases in which business-logic errors create security risk. For a detailed overview on how to conduct a Web application security assessment, take a look at the first article in this series, Web Application Vulnerability Assessment: Your First Step to a Highly Secure Web Site.

First Up: Categorize and Prioritize Your Application Vulnerabilities

The first stage of the remediation process within web application development is categorizing and prioritizing everything that needs to be fixed within your application, or Web site. From a high level, there are two classes of application vulnerabilities: development errors and configuration errors. As the name says, web application development vulnerabilities are those that arose through the conceptualization and coding of the application. These are issues residing within the actual code, or workflow of the application, that developers will have to address. Often, but not always, these types of errors can take more thought, time, and resources to remedy. Configuration errors are those that require system settings to be changed, services to be shut off, and so forth. Depending on how your organization is structured, these application vulnerabilities may or may not be handled by your developers. Oftentimes they can be handled by application or infrastructure managers. In any event, configuration errors can, in many cases, be set straight swiftly.

At this point in the web application development and remediation process, it's time to prioritize all of the technical and business-logic vulnerabilities uncovered in the assessment. In this straightforward process, you first list your most critical application vulnerabilities, those with the highest potential for negative impact on the systems most important to your organization, and then list the other application vulnerabilities in descending order based on risk and business impact.

Develop an Attainable Remediation Roadmap

Once application vulnerabilities have been categorized and prioritized, the next step in web application development is to estimate how long it will take to implement the fixes. If you're not familiar with web application development and revision cycles, it's a good idea to bring in your developers for this discussion. Don't get too granular here. The goal is to get an idea of how long the process will take, and to get the remediation work underway based on the most time-consuming and critical application vulnerabilities first. The time, or difficulty, estimates can be as simple as easy, medium, and hard. And remediation will begin not only with the application vulnerabilities that pose the greatest risk, but with those that will also take the longest time to correct. For instance, get started first on fixing complex application vulnerabilities that could take considerable time to fix, and wait to work on the half-dozen medium defects that can be rectified in an afternoon. By following this process during web application development, you won't fall into the trap of having to extend development time, or delay an application rollout, because it's taken longer than expected to fix all of the security-related flaws.

This process also provides for excellent follow-up for auditors and developers during web application development: you now have an attainable road map to track. And this progression will reduce security holes while making sure development flows smoothly.

It's worth pointing out that any business-logic problems identified during the assessment need to be carefully considered during the prioritization stage of web application development. Many times, because you're dealing with logic - the way the application actually flows - you want to carefully consider how these application vulnerabilities are to be resolved. What may seem like a simple fix can turn out to be quite complicated. So you'll want to work closely with your developers, security teams, and consultants to develop the best business-logic error correction routine possible, and an accurate estimate of how long it will take to remedy.

In addition, prioritizing and categorizing application vulnerabilities for remediation is an area within web application development in which consultants can play a pivotal role in helping lead your organization down a successful path. Some businesses will find it more cost-effective to have a security consultant provide a few hours of advice on how to remedy application vulnerabilities; this advice often shaves hundreds of hours from the remediation process during web application development.

One of the pitfalls you want to avoid when using consultants during web application development, however, is failure to establish proper expectations. While many consultants will provide a list of application vulnerabilities that need to be fixed, they often neglect to provide the information that organizations need on how to remedy the problem. It's important to establish the expectation with your experts, whether in-house or outsourced, that they provide details on how to fix security defects. The challenge, without the proper detail, education, and guidance, is that the developers who created the vulnerable code during the web application development cycle may not know how to fix the problem. That's why having that application security consultant, or one of your security team members, available to the developers is critical to make sure they're going down the right path. In this way, your web application development timelines are met and security problems are fixed.

Testing and Validation: Independently Make Sure Application Vulnerabilities Have Been Fixed

When the next phase of the web application development lifecycle is reached, and previously identified application vulnerabilities have (hopefully) been mended by the developers, it's time to verify the posture of the application with a reassessment, or regression testing. For this assessment, it's crucial that the developers aren't the only ones charged with assessing their own code. They should already have completed their own verification. This point is worth raising, because many times companies make the mistake of allowing developers to test their own applications during the reassessment stage of the web application development lifecycle. And upon verification of progress, it is often found that the developers not only failed to fix flaws pegged for remediation, but have also introduced additional application vulnerabilities and numerous other mistakes that need to be fixed. That's why it's vital that an independent entity, whether an in-house team or an outsourced consultant, review the code to ensure everything has been done right.

Other Areas of Application Risk Mitigation

While you have full control over accessing your custom applications during web application development, not all application vulnerabilities can be fixed quickly enough to meet immovable deployment deadlines. And discovering a vulnerability that could take weeks to rectify in an application already in production is nerve-wracking. In situations like these, you won't always have control over reducing your Web application security risks. This is especially true for applications you purchase; there will be application vulnerabilities that go unpatched by the vendor for extended periods of time. Rather than operate at high levels of risk, we recommend that you consider other ways to mitigate your risks. These can include segregating applications from other areas of your network, limiting access to the affected application as much as possible, or changing the configuration of the application, if possible. The idea is to look at the application and your system architecture for other ways to reduce risk while you wait for the fix. You might even consider installing a web application firewall (a specially crafted firewall designed to secure web applications and enforce their security policies) that can provide you a reasonable interim solution. While you can't rely on such firewalls to reduce all of your risks indefinitely, they can provide an adequate shield to buy you time while the web application development team creates a fix.

As you have seen, remedying web application vulnerabilities during the web application development lifecycle requires collaboration among your developers, QA testers, security managers, and application teams. The associated processes can seem laborious, but the fact is that by implementing these processes, you'll cost-effectively reduce your risk of application-level attacks. Web application development is complex, and this approach is less expensive than reengineering applications and associated systems after they're deployed into production.

That's why the best approach to web application security is to build security awareness among developers and quality assurance testers, and to instill best practices throughout your Web application development life cycle - from its architecture throughout its life in production. Reaching this level of maturity will be the focus of the next installment, Effective Controls For Attaining Continuous Application Security. The third and final article will provide you with the framework you need to build a development culture that develops and deploys highly secure and available applications - all of the time.
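The categorization and roadmap procedure described under "First Up" and "Develop an Attainable Remediation Roadmap", as an added Python example that is not part of the original article: findings are split into development and configuration errors, scored by severity and business impact, and ordered with the highest-risk and longest fixes first. The sample findings, the numeric severity weights and the hours assumed per effort level are constructed assumptions, not figures from the article.

```python
# Added example (not from the article): a small scheduler for the remediation
# roadmap the article describes. Findings are categorised as development or
# configuration errors, scored by severity and the business importance of
# the affected system, and ordered so that the highest-risk items come first
# and, among equal risk, the longest fixes start first. All finding data,
# weights and hour estimates below are constructed for illustration.
from dataclasses import dataclass

SEVERITY = {"low": 1, "medium": 2, "high": 3}
EFFORT_HOURS = {"easy": 4, "medium": 16, "hard": 80}   # assumed rough estimates

@dataclass(frozen=True)
class Finding:
    title: str
    kind: str        # "development" or "configuration"
    severity: str    # low / medium / high
    impact: int      # business importance of the affected system, 1-3
    effort: str      # easy / medium / hard

def risk_score(f: Finding) -> int:
    """Risk = severity weight x business impact of the affected system."""
    return SEVERITY[f.severity] * f.impact

def build_roadmap(findings):
    """Order by descending risk, then by longest effort first (article's rule)."""
    return sorted(findings, key=lambda f: (-risk_score(f), -EFFORT_HOURS[f.effort]))

def split_by_class(findings):
    """Development errors go to developers; configuration errors can usually
    be handled by application or infrastructure managers."""
    dev = [f for f in findings if f.kind == "development"]
    cfg = [f for f in findings if f.kind == "configuration"]
    return dev, cfg

def total_hours(findings) -> int:
    return sum(EFFORT_HOURS[f.effort] for f in findings)

# Constructed sample assessment findings.
SAMPLE = [
    Finding("Business-logic flaw in order approval workflow", "development", "high", 3, "hard"),
    Finding("Unvalidated input in search page", "development", "high", 3, "medium"),
    Finding("Debug endpoint enabled in production", "configuration", "high", 2, "easy"),
    Finding("Verbose error pages", "configuration", "medium", 1, "easy"),
    Finding("Missing rate limit on login", "development", "medium", 3, "medium"),
]

if __name__ == "__main__":
    for f in build_roadmap(SAMPLE):
        print(f"risk={risk_score(f)} effort={f.effort:6} {f.kind:13} {f.title}")
```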