How secure are your Web applications? Unless you conduct application vulnerability testing throughout the lifespan of your applications, there is no way for you to know. That is bad news for both your security and your regulatory compliance efforts.

Companies make significant investments to develop high-performance Web applications so customers can do business whenever and wherever they choose. While convenient, this 24-7 access also invites criminal hackers who seek a potential windfall by exploiting those very same highly available corporate applications.

The only way to succeed against Web application attacks is to build secure and sustainable applications from the start. Yet many businesses find they have more Web applications and vulnerabilities than security professionals to test and remedy them - especially when application vulnerability testing doesn't occur until after an application has been sent to production. This leaves applications highly susceptible to attack and increases the unacceptable risk of failing regulatory audits. In fact, many forget that compliance mandates such as Sarbanes-Oxley, the Health Insurance Portability and Accountability Act, Gramm-Leach-Bliley, and European Union privacy regulations all require demonstrable, verifiable security, especially where most of today's risk exists - at the Web application level.

In an attempt to mitigate these risks, companies use firewalls and intrusion detection/prevention technologies to try to protect both their networks and applications. But these measures are not enough for web application security. A Web application is, by design, exposed through the firewall so that users can reach the organization's systems and data; a flaw in the application itself is therefore reachable over the same allowed traffic, and no network-layer control can block it. Perhaps that's why experts estimate that a majority of security breaches today are targeted at Web applications.

One way to achieve sustainable web application security is to incorporate application vulnerability testing into each phase of an application's lifecycle - from development to quality assurance to deployment - and continually during operation. Since all Web applications need to meet functional and performance standards to be of business value, it makes good sense to incorporate web application security and application vulnerability testing into existing functional and performance testing. And unless you do this - test for security at every phase of each application's lifecycle - your data probably is more vulnerable than you realize.

Neglecting Application Vulnerability Testing: Risks and Costs of Poor Security

Consider supermarket chain Hannaford Bros., which reportedly is now spending heavily to bolster its IT and web application security - after attackers managed to steal up to 4.2 million credit and debit card numbers from its network. Or consider the three hackers recently indicted for stealing thousands of credit card numbers by inserting packet sniffers on the corporate network of a major restaurant chain.

The potential costs of these and related Web application attacks add up quickly. When you consider the expense of forensic analysis of compromised systems, increased call center activity from upset customers, legal fees and regulatory fines, data breach disclosure notices sent to affected customers, and other business and customer losses, it's no surprise that news reports often detail incidents costing anywhere from $20 million to $4.5 billion. The research firm Forrester estimates that the cost of a security breach ranges from about $90 to $305 per compromised record.

Other costs that result from shoddy web application security include the inability to conduct business during denial-of-service attacks, crashed applications, reduced performance, and the potential loss of intellectual property to competitors.

What's so surprising, aside from all of the security and regulatory risks we've described, is that it's actually more cost effective to use application vulnerability testing to find and fix security-related software defects during development. Most experts agree that while it costs a few hundred dollars to catch such a flaw during the requirements phase, it can cost well over $12,000 to fix that same flaw after the application has been sent to production.

There's only one way to ensure that your applications are secure, compliant, and can be managed cost-effectively, and that's to adopt a lifecycle approach to web application security.

The Web Application Security Lifecycle

Web applications need to start secure to stay secure. In other words, they should be built using secure coding practices, go through a series of QA and application vulnerability testing rounds, and be monitored continually in production. This is known as the web application security lifecycle.

Remedying security problems during the development process via application vulnerability testing isn't something that can be achieved immediately. It takes time to integrate security into the various stages of software development. But any organization that has undertaken other process initiatives, such as implementing the Capability Maturity Model (CMM) or undergoing a Six Sigma program, knows that the effort is worth it: systematized application vulnerability testing processes provide better results, more efficiency, and cost savings over time.

Fortunately, application assessment and security tools are available today that will help you get there - without slowing project schedules. But in order to strengthen development throughout the application life cycle, it's essential to pick application vulnerability testing tools that aid developers, testers, security professionals, and application owners, and that integrate tightly with the IDEs developers already use, such as Eclipse and Microsoft's Visual Studio.NET.

And just as standardization on development processes - such as RAD (rapid application development) and agile - brings development efficiencies, saves time, and improves quality, it's clear that strengthening the software development life cycle, possessing the right security testing tools, and placing software security higher on the priority list are excellent and invaluable long-term business investments.

What types of web application security tools should you look for? Most companies are aware of network vulnerability scanners, such as Nessus, that evaluate the infrastructure for certain types of vulnerabilities. But fewer are aware of application vulnerability testing and assessment tools that are designed to analyze Web applications and Web services for flaws specific to them, such as unvalidated input and cross-site scripting vulnerabilities. These Web application security and vulnerability scanners are useful not only for custom-built applications but also for verifying that commercially acquired software is secure.

There are also web application security tools that help instill good security and quality control earlier and throughout development. For instance, these application vulnerability testing tools help developers find, and then fix, application vulnerabilities while they code their Web applications and Web services. There are also quality inspection applications that help QA professionals incorporate Web application security and application vulnerability testing into their existing test management processes.

It's also important to know that technology alone won't get the job done. You need management support, too. And no matter how large or small your development efforts, all stakeholders - business and application owners, security, regulatory compliance, audit, and quality assurance teams - should have a say from the beginning, and benchmarks must be set for the quality of application vulnerability testing.

While it may seem like a daunting undertaking at first, the web application security lifecycle approach actually saves money and effort by establishing and maintaining more secure applications. Remedying security defects after an application is released requires additional time and resources, adding unanticipated costs to finished projects. It also diverts attention from other projects, potentially delaying time to market of new products and services. Moreover, you'll avoid the excessive expense of having to fix flaws after the application has been deployed and a regulatory audit has been failed - and you'll avoid the embarrassment of being the next security breach news headline.