Johannesburg, 11 Mar 2009
Haydn Pinnell, MD of Gallium (a division of EOH), says hackers have shifted their focus to Web applications as an entry point into corporate networks. This, along with the fact that the Web has evolved from being an online, accessible presence to now delivering mission-critical applications, means Web-application security is today a critical component of enterprise security.
Despite this, traditional development and quality assurance (QA) cycles for building Web applications do not build security into their existing processes. Failing to test for and fix vulnerabilities before an application goes into production leaves the confidential data handled by that application at risk of attack or misuse.
To break this cycle, businesses need to fundamentally change the way they approach application security. Gone are the days when anyone involved in application development can say: “Security is not my responsibility,” Pinnell says.
“Security is everyone's responsibility, as it has a severe impact on the business if not taken seriously. Security must be integrated throughout the software development life cycle, not hastily added at the end. This integration will only occur if we involve developers, QA teams and management in security.”
Industry analysts estimate that failing to identify and repair security vulnerabilities during the software development process carries extra costs. Removing a defect after software is operational can cost between two and five times as much as correcting the error during development and QA. Moreover, when QA teams incorporate security testing, the following opportunities to reduce the cost of vulnerability remediation arise:
* Defect correction during code and unit tests can reduce the cost impact by a factor of between 3% and 20%.
* If 50% of software vulnerabilities were removed prior to production use, enterprise management costs would be reduced by 75%.
Add increasing accountability for proof of regulatory compliance due to government and industry mandates, and the need for integrating methodical security assessment into the application quality or delivery process becomes clear, Pinnell says.
“It is imperative to move away from the old paradigm of empowering a security team to test applications and networks after development or immediately preceding deployment - security must be integrated throughout the software development life cycle. Making such a fundamental shift will not happen overnight, but it is essential if we are to stem the tide of applications riddled with security vulnerabilities that offer multiple attack vectors and leave businesses wide open to attack,” Pinnell concludes.