
Breaking the cycle in application security

Johannesburg, 14 Nov 2008

Haydn Pinnell, MD of Gallium (an EOH company), says most businesses fail to emphasise security testing during the development and quality assurance (QA) phases of the software development lifecycle. As a result, attackers have adapted to target IT's softer underbelly - Web-based applications.

He says the old paradigm of empowering a security team to test applications and networks after development or immediately preceding deployment no longer works. Today, while security teams may have the skills to identify vulnerabilities in applications, they are not empowered to implement a solution, because the fix has to be made at the code level. Security teams must go back to developers who have not been trained in security best practices and request a fix for the discovered vulnerabilities. This cycle results in a condition where the same security vulnerabilities are embedded within applications over and over again.

Pinnell says in order to break this cycle, we must change the way we fundamentally approach application security. “Gone are the days when anyone involved in application development can say 'security is not my responsibility'. Security is everyone's responsibility as it has severe impact on the business if not taken seriously. We must integrate security throughout the software development lifecycle, not just hastily add it to the end. This integration will only occur if we involve developers, QA teams, and management in security.”

The Internet has become an easy target for attackers. With as many as 85% of Web sites vulnerable to attack, Pinnell says it is no wonder the attackers have shifted their focus to Web applications as an entry point into corporate networks. This, along with the fact that the Web has evolved from being an online, accessible presence to now delivering mission-critical applications, means Web-application security is now a critical component of the overall enterprise security. Despite this fact, traditional development and QA cycles for building Web applications do not incorporate security into existing processes. This inability to test and rectify vulnerabilities before an application goes into production leaves confidential data within a Web application at risk for attack or misuse.

The majority of vulnerabilities in Web applications reside in the custom business logic of the application itself. Compensating controls provided by external products are temporary solutions which seek to hide the vulnerability rather than remove it. It is typically only a matter of time before an attacker identifies an alternate entry point or encodes an attack in such a manner that a signature-based technology is unable to recognise the attack packet. Only by correcting the vulnerable code is it possible to fully protect the application. It is for this reason that developers, QA teams and management must share in the responsibility of developing secure code.
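Pinnell's point about encoding an attack to slip past a signature-based control can be shown concretely. The following is an added example written for this page, not code from Gallium or EOH: a hypothetical blocklist filter (the compensating control) sits in front of a string-concatenated SQL query; the same payload is sent in plain and URL-encoded form; and the lookup is then rewritten as a parameterized query, the code-level fix. The function names (waf_allows, lookup_vulnerable, lookup_fixed, handle_request), the signature list and the sample data are assumptions made for illustration.

```python
import re
import sqlite3
import urllib.parse

# Constructed sample data: two users with secrets the application must not leak.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, secret TEXT)")
    conn.executemany(
        "INSERT INTO users (username, secret) VALUES (?, ?)",
        [("alice", "alice-secret"), ("bob", "bob-secret")],
    )
    return conn

# Hypothetical signature-based compensating control (a blocklist filter in front
# of the application). It inspects the raw request line before the application
# decodes it, which is exactly what makes it bypassable by encoding.
SIGNATURES = [
    re.compile(p, re.IGNORECASE)
    for p in (r"'\s*or\s*'", r"--", r"union\s+select", r";")
]

def waf_allows(raw_query_string):
    """True if no signature matches the raw (still URL-encoded) query string."""
    return not any(sig.search(raw_query_string) for sig in SIGNATURES)

# Vulnerable custom business logic: user input concatenated into SQL.
def lookup_vulnerable(conn, username):
    sql = "SELECT secret FROM users WHERE username = '" + username + "'"
    return [row[0] for row in conn.execute(sql)]

# The code-level fix: a parameterized query. The database driver never treats
# the value as SQL, so no encoding trick on the way in changes the outcome.
def lookup_fixed(conn, username):
    rows = conn.execute("SELECT secret FROM users WHERE username = ?", (username,))
    return [row[0] for row in rows]

def handle_request(conn, raw_query_string, lookup):
    """Simulates the request path: the filter sees the raw string first, then the
    application decodes the parameters and calls the lookup. Returns the string
    "blocked" or the list of secrets the lookup produced."""
    if not waf_allows(raw_query_string):
        return "blocked"
    params = urllib.parse.parse_qs(raw_query_string)  # decodes %27 -> ' etc.
    username = params.get("user", [""])[0]
    return lookup(conn, username)

# Constructed attack input: one payload, in plain and URL-encoded form.
PLAIN_ATTACK = "user=x' or '1'='1"
ENCODED_ATTACK = "user=x%27%20or%20%271%27%3D%271"

if __name__ == "__main__":
    db = make_db()
    print(handle_request(db, PLAIN_ATTACK, lookup_vulnerable))    # caught by the signature
    print(handle_request(db, ENCODED_ATTACK, lookup_vulnerable))  # signature misses; both secrets leak
    print(handle_request(db, ENCODED_ATTACK, lookup_fixed))       # same input, fixed code: nothing leaks
    print(handle_request(db, "user=alice", lookup_fixed))         # legitimate lookup still works
```

The filter and the application disagree about what the input is: the filter matches on the encoded bytes, the application decodes them before building the query. Tightening the signature list only moves the boundary; the parameterized query removes the problem because the input is never interpreted as SQL at all.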

“Lack of security within the Web application development process pushes the burden of protection to the staff that deploys and secures that application. And yet, individuals in these roles are usually the ones least likely to understand the intricacies of the application and how to prevent a security incident from evolving into a serious business crisis. That is because most code-level security vulnerabilities result from common programming errors. While defects may be uncovered over time during security audits in the production environment, by then it's simply too late. The damage has been done.”


Gallium

Gallium, a member of the EOH group of companies, supplies business technology optimisation solutions from HP Software, specialised technology-based professional services, training, managed services, test factory solutions and ad hoc quality and performance testing services.

EOH

EOH is a business and technology solutions provider creating lifelong partnerships by developing business and IT strategies, supplying and implementing solutions and managing enterprise-wide business systems and processes for medium to large clients.

EOH operates in the following three clusters of business units as a fully integrated business:

Technology - Through a number of subsidiary companies, EOH is able to sell, implement and support a range of world-class business applications including ERP, CRM, business intelligence, advanced planning and scheduling, e-commerce and manufacturing execution systems.

Consulting - Concentrated under the EOH Consulting brand are business units offering services ranging from strategic and business process consulting, project services, change management, supply chain optimisation and education.

Outsourcing - EOH offers comprehensive maintenance and support of clients' IT infrastructure and applications through the rendering of full IT outsourcing, application hosting and managed services. In addition, EOH offers full business process outsourcing services.

EOH has a presence in all major centres in South Africa and operates in the rest of Africa.

Editorial contacts

Tracey King
Watt Communications & G Watt Design
(+27)11 425 6290
tracey@wattcommunications.co.za