Sunday, September 30, 2012

Building Secure Applications

The awareness on security has increased manifold and thanks to the frequent news headlines on security breaches and compromises leaving organizations with heavy damage and / or loss. The board has started realizing that information security is one of the primary causes of most of the IT Risks that their organization has to mitigate or to be ready to face. But the application design and development processes has not seen significant change to ensure that the delivered application is secure and would help the organization bring down the risk exposure.
 
Most of the software engineers and architects involved in application design and development still have very less security awareness and they believe that that security is something that the IT Infrastructure team will take care of. On the other hand, the IT infrastructure team believes in the investment they would have made in robust security tools and expect that they have done their part to protect the organization and pass on any application specific security issues back to the development teams. Then, whose responsibility it is to ensure building a secure application?
 
This is where an independent, enterprise wide security consulting team needs to extend the security consulting to various project teams within the organization. But still, this will not solve the problem completely, as it is for the development teams to be security aware and design and build security applications. 
 
Here is what the security consulting team can offer to the project teams:
 
Pre-project security reviews: This helps the decision makers to be aware of what security threat landscape that they are going to be dealing with upon implementation of the project. This could even have an impact on the project costing as additional cost might have to be incurred to mitigate the security risks that this project may bring on and in most cases it is not just one time investment and it has to be recurring operating expenses as well. This helps the organization to make informed decisions considering the extent of impact on the organization’s risk exposure.
 
 
Design level security reviews: Like in case of software quality, earlier one spot the security concerns, it would cheaper and easier to factor in the mitigation plans. At this stage, the security consulting teams can help the project teams in the following ways:
  • A high level evaluation of the security concerns that the design could expose and suggest possible security controls to mitigate such concerns.
  • Equip the project stake holders with necessary information associated with the identified security concerns, so that they can take better risk management decisions.
  • Extend guidance to the project teams on the choice of controls and solutions that might best address the security concerns.
  • Perform research and exploration on any the technology or feature is quite new and innovative which could potentially open a new thread landscape
  • Offer training to the design and development teams about the most common security vulnerabilities and the attack patterns, so that they design and build counter measures early on.
Implementation Security Reviews: Security consulting team offers to perform the reviews and verifications in the later phase of the application development, so that vulnerabilities if any exist may not slip through to production. Typically the services offered by the security consulting team are one or more of the following:
  • Ensure that the security concerns identified in the design review is fully addressed.
  • Perform security specific reviews on the code and this could be on a sampling basis, depending on the acceptable risk level of the application.
  • Use automated tools that will examine the code and / or the packaged component or application.
  • Review the security specific test cases as created by the software testing team and suggest additional test cases to ensure better coverage in the security testing.
Having a security consulting team will not just be enough to build secure applications. The Software Engineering Process which defines and describes the approach and methodologies used for project execution should also mandate for practising and consuming the services of the Security Consulting teams and their review reports should be identified as entry and exit criteria for various phases of the application development.
 
Security education is also required to ensure that the project team is aware why security is so important for the organization. The following measures towards security education would help the teams to design and develop secure applications:
  • Include a module of security education in the employee induction program, so that every new employee is oriented towards the security needs of the organization.
  • Offer in-depth security training to architects and select software developers and ensure that every project team has at least couple of such trained resources. 
  • Ensure that the coding guidelines document also factors writing secure code.
  • Hold periodic training sessions where in addition to security related presentations, recent security review findings and or defects found during the security testing can be taken up for discussion and in the end come up with solutions to prevent such issues creeping in.
  • If the organization publishes a periodic news bulletin, ensure that security is a mandated section in it and use it to publish security related updates.
As it can be observed, security is not just one person or department’s responsibility and it should be the outcome of collaborated efforts of concerned teams with the common goal to build a secure application. The security consulting team can also be external to the organization, i.e. this function can be outsourced to security consuling firms who would be specializing in the area of application security practice.