Application software development is sweeping our industry at an alarming rate, from organizations adopting various apps for the iPhone, iPad, and Android platforms to full-scale internally developed applications that support their business and customer requirements. While the need for these applications increases, we are finding that the security technologies that allow for a solid Software Development Life-cycle (SDLC) are limited.
Over the years, we have seen a number of companies that have appropriate policies and procedures in place that would seem (on the surface at least) to address the security principles required for developing hardened applications. However, as with most “in-demand” aspects of our industry, these security principles are being shortened and limited to meet end-user delivery dates and budgetary constraints. This has left me scratching my head on more than one occasion. Do organizations not realize the risk involved in developing applications without applying secure-coding principles?
Design for Security
Let’s be honest. Designing for security in software is futile unless you plan to act on the design and incorporate the necessary security controls during the development stage of your SDLC. It is imperative that security features are not dropped when design artifacts are converted into syntax constructs that a compiler or interpreter can understand. Writing secure code is no different from writing code that is usable, reliable, or scalable.
Test for Security
Security testing should complement existing functionality testing. At a bare minimum, tests for common software vulnerabilities, such as overflow and injection flaws, and tests of how the software behaves on unexpected and random input (fuzz testing) should be run in testing environments that emulate the configuration of the production environment.
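As an added illustration of the fuzz-testing point above (this is example code written for this page, not the author's or Praetorian Secure's tooling), the harness below feeds random and mutated bytes to a small length-prefixed record parser. The record format, the parser and the seed corpus are constructed for the example. The harness treats a `ValueError` as a controlled rejection of bad input and any other exception as a defect; the unchecked parser trusts the declared length and is caught out, while the fixed version adds the bounds check and survives the same inputs.

```python
"""Minimal fuzz harness over a constructed length-prefixed record parser.

Record layout (constructed for this example):
    1 byte  : payload length N
    N bytes : payload
    2 bytes : big-endian checksum, sum(payload) mod 65536
"""
import random
import struct


def encode_record(payload: bytes) -> bytes:
    """Build one well-formed record."""
    if len(payload) > 255:
        raise ValueError("payload too long for a 1-byte length field")
    return bytes([len(payload)]) + payload + struct.pack(">H", sum(payload) & 0xFFFF)


def parse_records_unchecked(buf: bytes) -> list[bytes]:
    """The 'before' parser: trusts the declared length without checking it."""
    records, pos = [], 0
    while pos < len(buf):
        n = buf[pos]
        payload = buf[pos + 1:pos + 1 + n]            # silently short on truncated input
        (chk,) = struct.unpack_from(">H", buf, pos + 1 + n)  # struct.error if past the end
        if chk != sum(payload) & 0xFFFF:
            raise ValueError("bad checksum")          # controlled rejection
        records.append(payload)
        pos += 1 + n + 2
    return records


def parse_records_fixed(buf: bytes) -> list[bytes]:
    """Same parser with the bounds check the unchecked version lacks."""
    records, pos = [], 0
    while pos < len(buf):
        n = buf[pos]
        end = pos + 1 + n + 2
        if end > len(buf):
            raise ValueError("record declares more bytes than remain")  # controlled rejection
        payload = buf[pos + 1:pos + 1 + n]
        (chk,) = struct.unpack_from(">H", buf, pos + 1 + n)
        if chk != sum(payload) & 0xFFFF:
            raise ValueError("bad checksum")
        records.append(payload)
        pos = end
    return records


def fuzz(parser, iterations: int = 500, seed: int = 1234):
    """Feed random and mutated inputs to `parser`; return the inputs that crash it.

    A ValueError counts as graceful rejection; any other exception is recorded
    as a defect together with its repr. The seed makes a run reproducible.
    """
    rng = random.Random(seed)
    corpus = [encode_record(b"ok") + encode_record(b"second")]  # constructed seed input
    crashes = []
    for _ in range(iterations):
        if rng.random() < 0.5:
            # purely random bytes of random length
            data = bytes(rng.randrange(256) for _ in range(rng.randrange(0, 24)))
        else:
            # mutate a valid record: flip one to three bytes, which often hits the length byte
            data = bytearray(rng.choice(corpus))
            for _ in range(rng.randrange(1, 4)):
                data[rng.randrange(len(data))] = rng.randrange(256)
            data = bytes(data)
        try:
            parser(data)
        except ValueError:
            continue
        except Exception as exc:
            crashes.append((data, repr(exc)))
    return crashes


if __name__ == "__main__":
    print("unchecked parser crashes:", len(fuzz(parse_records_unchecked)))
    print("fixed parser crashes:    ", len(fuzz(parse_records_fixed)))
```

The harness deliberately separates "rejected with a clear error" from "raised something unexpected": a parser that fails closed on malformed input is behaving correctly, and a fuzzer that reported every rejection would bury the real defects. Real tooling (coverage-guided fuzzers, sanitizers) does the same job at scale, but the triage rule is the one shown here.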
Manage for Security Risk(s)
Designing and testing for security will only produce partial results. The reality is that every organization should define the security policies required for each application being developed. While this can be accomplished in a number of ways, we recommend following these steps:
- Assign a business impact or assurance level – High, medium, low, or very low, depending on business impact and consequences.
- Align the application testing type with the stage in the SDLC or lean development process – Integrate with your development process, whatever it may be.
- Select appropriate analysis and scanning methods – Does your application require static analysis, automated dynamic testing, or penetration testing? Identifying the suitable method of analysis saves valuable dollars while still meeting secure-coding principles.
- Use industry-standard security scores – Industry standards like the Common Weakness Enumeration (CWE) and the Common Vulnerability Scoring System (CVSS) give organizations a meaningful and practical way to assess software security consistently across internally and externally developed applications.
- Develop a process flow for fixing vulnerabilities and flaws – Assign roles and responsibilities for the review and mitigation of flaws and threats.
- Define a remediation period for closing flaws based on priority – Few organizations can invest the resources to fix all vulnerabilities with equal priority, so an efficient system of triage is essential. The greatest risks, as a function of potential impact and likelihood of occurrence, should be remediated first.
- Keep an application portfolio scorecard – Gauge risk across all applications and manage portfolio risk over time.
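The steps above (assurance levels, CWE/CVSS scoring, priority-based remediation periods, and a portfolio scorecard) can be run as one small triage routine. The code below is an added example for this page, not Praetorian Secure's process or tooling: the remediation windows in `SLA_DAYS`, the `IMPACT_WEIGHT` multipliers, the application names and the findings are all constructed for illustration. The severity bands follow the CVSS v3.x qualitative rating scale; everything else is an assumed policy that an organization would set for itself.

```python
"""Risk triage and portfolio scorecard over constructed findings."""
from dataclasses import dataclass
from datetime import date, timedelta

# Assumed remediation policy (illustrative, not a standard): days allowed to
# close a finding, by CVSS v3 qualitative severity band.
SLA_DAYS = {"critical": 7, "high": 30, "medium": 90, "low": 180}

# Assumed weights for the application's business impact / assurance level.
IMPACT_WEIGHT = {"high": 1.0, "medium": 0.6, "low": 0.3, "very low": 0.1}

# Constructed "as of" date used when checking for overdue findings.
TODAY = date(2024, 4, 1)


def cvss_severity(score: float) -> str:
    """CVSS v3.x qualitative rating scale: Low 0.1-3.9, Medium 4.0-6.9,
    High 7.0-8.9, Critical 9.0-10.0 (a 0.0 score is folded into 'low' here)."""
    if score >= 9.0:
        return "critical"
    if score >= 7.0:
        return "high"
    if score >= 4.0:
        return "medium"
    return "low"


@dataclass
class Finding:
    app: str      # application the finding belongs to
    cwe: str      # weakness class, e.g. "CWE-89"
    cvss: float   # CVSS v3 base score reported by the scanner or tester
    found: date   # date the finding was opened


@dataclass
class TriagedFinding:
    finding: Finding
    severity: str
    risk: float       # impact weight x CVSS score (assumed risk formula)
    deadline: date    # found + SLA window for the severity band


def triage(findings, impact_by_app):
    """Rank findings by risk and attach the remediation deadline each one gets."""
    out = []
    for f in findings:
        sev = cvss_severity(f.cvss)
        risk = round(IMPACT_WEIGHT[impact_by_app[f.app]] * f.cvss, 2)
        out.append(TriagedFinding(f, sev, risk, f.found + timedelta(days=SLA_DAYS[sev])))
    return sorted(out, key=lambda t: t.risk, reverse=True)


def scorecard(triaged, today):
    """Per-application portfolio view: open findings by band, overdue count, total risk."""
    card = {}
    for t in triaged:
        entry = card.setdefault(t.finding.app,
                                {"by_severity": {}, "overdue": 0, "total_risk": 0.0})
        entry["by_severity"][t.severity] = entry["by_severity"].get(t.severity, 0) + 1
        if t.deadline < today:
            entry["overdue"] += 1
        entry["total_risk"] = round(entry["total_risk"] + t.risk, 2)
    return card


# Constructed sample portfolio: two applications at different assurance levels.
APP_IMPACT = {"payments-api": "high", "intranet-wiki": "low"}
FINDINGS = [
    Finding("payments-api", "CWE-89", 9.8, date(2024, 3, 1)),    # SQL injection
    Finding("payments-api", "CWE-79", 6.1, date(2024, 3, 10)),   # reflected XSS
    Finding("intranet-wiki", "CWE-79", 6.1, date(2024, 1, 1)),   # reflected XSS
    Finding("intranet-wiki", "CWE-200", 3.7, date(2024, 3, 15)), # information exposure
]


if __name__ == "__main__":
    ranked = triage(FINDINGS, APP_IMPACT)
    for t in ranked:
        print(f"{t.finding.app:14} {t.finding.cwe:8} {t.severity:8} "
              f"risk={t.risk:5} due {t.deadline}")
    print(scorecard(ranked, TODAY))
```

Two points the output makes visible: the same CWE-79 finding with the same CVSS score ranks far lower on the low-impact wiki than on the payments API, which is exactly what the assurance level is for, and the overdue count on the scorecard is what turns a remediation period from a policy statement into something the portfolio review can act on.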
Application Risk Assessment Conclusions
We all understand the pressure to add and test functionality within a compressed schedule. The key is to integrate a methodology for managing risk within that compressed development time-frame. With a few adjustments, and by investing in a lean process for integrating security, all of the operational and risk management practices described above can be included in application development.
If the issue is resources, contact a third-party consulting firm like Praetorian Secure to fill in the gaps. Security testing should not stop the process; with the right means and pre-planning, it helps manage your company's reputation and increase security. Most of this type of testing can be integrated by a managed security testing company as an extension of your organization without lost time. Contact us for more information.