Unlike my daughter’s second grade piano review, sincerity in the world of secure web application development means very little. Development of secure Web applications and the effort to maintain their security is hard work, requiring a holistic approach and a long-term perspective that web application is essential. Security is not achieved by simply demanding it of your staff; you need the correct staff to demand it of, continuous manual and automated vulnerability testing, and code reviews by security experts. OK, we all know that very few web development budgets allow for that level of effort -- sadly, very few companies can afford the loss of clients and reputation that a major security breach would impose.
The most frequent reason I hear from businesses for their lack of security is their perspective that they are targets from hackers. These are clients with thriving, well-established businesses that depend on their Web presence in order to survive. Yet we all stand in horror at the ever-increasing number of company devastating security breaches, and believe we would never be the next target. From the fluffy brochure site that can be hacked to become a source of malware or being defaced (i.e., PBS), to the non-critical data collection site that will be the source for identify theft and phishing attacks (i.e., Epsilon), to the data critical site that will make you headline news should that data be stolen (i.e., Sony); we only need to stop kidding ourselves to understand web application security needs to be included as one of the primary requirements of any site.
Let’s look at the components that result in a secure web application. First and foremost is perspective. Unless your company sets security as a prime requirement, your website will be one of the 70 percent on the Internet that contains major security flaws.
The development components that I believe are essential to any secure web application development effort are:
• Software developers that are skilled in security development
• Manual and automated vulnerability testing tools and skills
• Code reviews
Again, the chances of your next web application development effort having each of these components in ample supply are low; most companies don’t have the financial resources or access to staff with these talents. But, by no means don’t throw in the towel and just pray for hackers to go after the big fish. Life, even in the world of web security, is full of compromises.
Skilled security-trained software developers are rare as secure software development is not taught in any depth within universities and there is as of yet no critical mass of security developers to train the new staff. But there are several ways to mitigate this lack. First, instead of placing the security burden on your development staff consider a known, well-established platform for your next site, as opposed to a custom application. For example, done correctly, a Wordpress site is far more secure than any custom web application. And, at the risk of offending my many designer friends, avoid customs CMS (Content Management Systems) like the plague. Many design firms have their home-grown versions of CMS, but very few ever come close to secure. Be careful of any security claims for these systems.
If your company is large enough to afford it, hire a few good developers with security skills and have them mentor the pups. If you can’t afford security developers, at least make your security requirement known. Even though it may seem like a black-art, security development really isn’t magic. Any developer worth his or her pay will be able to place your new site far above the easy-target level – if you ask for and reward this effort. Without the request, you get to be one of the 70 percent at the bottom of the hacker feeding frenzy.
OK, maybe I lied just a bit. Security testing is a black art (no pun with the white/black hat camps). Security testers are rare, very geeky and worth their weight in SQL Injections. As you consider hiring a security tester, I must say I am constantly surprised by the fact that most security testers are not developers as well; don’t bet on a double-duty staff member. And, as you consider a security tester hire, keep in mind the fact that they require security testing tools to do their job. While there are many free and commercial security vulnerability testing tools that can be used to perform a security penetration test (pen test) on your site you need to be careful of believing you can effectively bring these tools in-house.
At its very best, your evolving web application should be tested for security throughout its development lifetime. A security flaw found early in an application’s lifecycle is far easier to repair then one found during the end. Even more important, discovered security flaws may point out application design flaws that can be restructured early in the development process.
Of all of the compromises I might make during the development of a web application, security testing would be my least likely to give in on. Hackers and their means of attacking web applications have become so sophisticated in recent years. I would maintain that, even with the best security-oriented development team, it is almost impossible to deliver a website that is flawless. An automated pen-test on even a modestly sized website will take many hours and simulate tens, if not hundreds, of thousands of application attacks.
An emerging web application should be hosted on a staging site, where testing (application and security) can be run without damaging the live site and not be subject to pre-release issues. Automated pen-tests and manual security tests should be run against this staging site as frequently as possible, with security trends being noted along the way.
For lack of resources and budget, security testing may be one of those components that you farm out to an independent company. There are many such companies, at various price points and levels of value. The good news is that you can easily point them at your staging server and let them run their tests overnight. My two cautions are, first, be sensitive to the information they will give you. Make sure you are getting information that is useful to your development team, not just the proud announcement that your website is a security nightmare. And second, never assume a single pen-test is adequate. Every pen-test, except the last, should result in software repairs, along with another pen-test to make sure the repairs worked and no additional security flaws were introduced.
Code reviews are the holy-grail of software development, whether it be for application quality or web application security. I have never been part of code review (and there have been many over the years) where the developers didn’t moan going into the review and where the code remediations coming out didn’t far outweigh the time and cost of the process. In the world of web application security reviews, a single missed input validation or database access could be the one security flaw that gets you your 15 minutes of fame as the most recent security breach. While I would strongly recommend code reviews as part of your security efforts, I realize the fact that very few companies, even large companies, will implement reviews.
Consider code reviews for the really security critical portions of your site. These would be the database access code and any areas that accept input strings from the client. If possible, expand your review to URL manipulation and login-only access areas. A few pizzas in the conference rooms and you might gain enough value over lunch code reviews to more than justify the breadsticks as well.
Your site will never be 100 percent secure, but you can easily avoid being the equivalent of a video game to the Script Kiddies who are looking for an easy hacking win. Like the marathon you’ve been promising the kids you’re going to run, web application is more than a new pair of shoes. It’s a company lifestyle approach that will make it a harder target for hackers in a world where there are so many easy targets -- you will probably be skipped over. Talk to your development team and tell them web application security is requirement number one; then check up on them with at least one professional done pen-test near the end of the project.