“By and large, most successful attacks today, approximately greater than 70 percent, are targeted at applications where inherently, most vulnerabilities reside,” says HP Distinguished Technologist John Diamant in his interview on SecuritySolutionsWatch.com. Yet, as Diamant points out, applications continue to represent one of the weakest links in enterprise security, often riddled with vulnerabilities. Weakest links can also be the greatest opportunities to enforce application security. In the abstract for a session titled “Application security in the SDLC” at HP Protect 2013, Kevin Poniatowski from Safelight Security asserts that “Application security is not an add-on or a plug-in. It is a process that must be included in all phases of the development lifecycle to mitigate risk.” What exactly does this mean within each phase of the Software Development Lifecycle? Let us take a look.
“Earlier the better” is the mantra that applies when it comes to the proactive enforcement of security across the lifecycle.
Analysis. Along with functional requirements, the non-functional requirements—including security—must be determined for an application before it is architected. This includes a gap analysis of the security regulations and best practices that apply to each individual application. Doing so makes it easier to justify the cost of enforcing the right security measures in alignment with these requirements.
Architecture. Security is an integral part of the Enterprise Architecture (EA) DNA. A high-level view of the architecture must be used for threat modeling and attack surface analysis, to identify weaknesses in the structure and design that translate directly into security vulnerabilities likely to be coded or configured into an application.
Build. Application designs must also address the not-so-happy what-if scenarios. Model-driven approaches work well to proactively anticipate security violations, ensuring the right measures are in place at design time. Tools must be used to scan the source code for vulnerabilities as it is written, not after the fact.
Test. “You can’t rely only on testing scenarios to find and fix all of your existing application vulnerabilities,” Diamant cautions. Testing and fixing security flaws remain necessary, even though they are reactive measures addressing flaws that should have been preempted in the preceding phases.
Sustain. In operation, applications meet the network and storage components of the infrastructure, and these additional intersection points are fertile ground for violations. Independent validation and verification of existing applications must be performed to proactively identify gaps, and therefore vulnerabilities.
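To make the Build-phase advice concrete, here is an added example, written for this article and not taken from the original post, from HP or from any of the tools it mentions: a toy source scanner that walks a Python module's AST and flags DB-API `execute()` calls whose SQL statement is assembled at run time by concatenation, `%`-formatting, `str.format` or an f-string, next to the parameterised form it lets through. The two snippets it scans and the rule name `SQLI-CONCAT` are constructed for illustration.

```python
"""Toy static check for SQL statements built from variables.

Added example, not from the original post. It demonstrates the shape of a
build-time source scan: parse the code, look for a risky pattern, report the
line. The scanned snippets and the rule name are constructed for illustration.
"""
import ast
from dataclasses import dataclass
from typing import List


@dataclass(frozen=True)
class Finding:
    line: int
    rule: str
    detail: str


def _has_str_literal(node: ast.AST) -> bool:
    """True if any string literal appears inside the expression."""
    return any(isinstance(n, ast.Constant) and isinstance(n.value, str)
               for n in ast.walk(node))


def _is_dynamic_string(node: ast.AST) -> bool:
    """True if the expression builds a string at run time:
    f-string with interpolations, '+' or '%' on a string literal, or .format()."""
    if isinstance(node, ast.JoinedStr):
        return any(isinstance(v, ast.FormattedValue) for v in node.values)
    if isinstance(node, ast.BinOp) and isinstance(node.op, (ast.Add, ast.Mod)):
        return _has_str_literal(node)
    if isinstance(node, ast.Call) and isinstance(node.func, ast.Attribute):
        return node.func.attr == "format"
    return False


def scan_source(source: str) -> List[Finding]:
    """Report execute()/executemany() calls whose statement argument is a
    dynamically built string. A literal statement plus a parameter tuple passes."""
    findings = []
    for node in ast.walk(ast.parse(source)):
        if not isinstance(node, ast.Call) or not node.args:
            continue
        func = node.func
        name = func.attr if isinstance(func, ast.Attribute) else getattr(func, "id", "")
        if name in ("execute", "executemany") and _is_dynamic_string(node.args[0]):
            findings.append(Finding(
                node.lineno, "SQLI-CONCAT",
                "SQL statement assembled from variables; use a parameterised query"))
    return sorted(findings, key=lambda f: f.line)


# Constructed sample: four ways of building the same statement from user input.
VULNERABLE = '''
def find_user(cur, name):
    cur.execute("SELECT * FROM users WHERE name = '" + name + "'")
    cur.execute("SELECT * FROM users WHERE name = '%s'" % name)
    cur.execute(f"SELECT * FROM users WHERE name = '{name}'")
    cur.execute("SELECT * FROM users WHERE name = '{}'".format(name))
'''

# Constructed sample: the same lookup with the driver binding the parameter.
SAFE = '''
def find_user(cur, name):
    cur.execute("SELECT * FROM users WHERE name = %s", (name,))
    cur.execute("SELECT * FROM users WHERE name = ?", (name,))
'''

if __name__ == "__main__":
    for label, src in (("vulnerable", VULNERABLE), ("safe", SAFE)):
        hits = scan_source(src)
        print(f"{label}: {len(hits)} finding(s)")
        for f in hits:
            print(f"  line {f.line}: {f.rule}: {f.detail}")
```

A production SAST tool tracks data flow from untrusted sources through the program and covers many weakness classes; this check only matches one syntactic pattern and will miss a statement assembled on an earlier line. What it does show is why the scan belongs in the Build phase: it runs on every commit, before the code ever reaches a test environment, and points the developer at the exact line to fix.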
The weakest link in the security fabric — the applications — is getting less than 10 percent of the security spend within the enterprise, according to Diamant. Proactive measures early in the lifecycle are vital to the enforcement of application security. To that end, Diamant details specific techniques for requiring, architecting and designing security into the process very early in the lifecycle.
What measures are you taking within your enterprise to proactively enforce application security across the Software Development Life Cycle (SDLC)? Please consider attending the “Application security in the SDLC” session to check out other options.