Computer crime is not going away. It will continue to evolve and advance, alongside our continued use of the Internet. Many - if not most - businesses deploy Web-based technologies under the assumption that gateway security measures such as firewalls and intrusion detection and prevention systems are sufficient to protect Web applications from attack or misuse. This is a dangerous assumption, says Haydn Pinnell, MD, Gallium (an EOH company).
Effective IT security no longer comes down to purchasing and installing security products. Today, the Internet has become an easy target for attackers. With as many as 85% of Web sites vulnerable to attack, it is no wonder that the attackers have shifted their focus to Web applications as an entry point into corporate networks.
This, along with the fact that the Web has evolved from being an online, accessible presence to now delivering mission-critical applications, means that Web-application security is now a critical component of the overall enterprise security.
Despite this fact, Pinnell says traditional development and quality assurance (QA) cycles for building Web applications do not incorporate security into existing processes. This inability to test and rectify vulnerabilities before an application goes into production leaves confidential data within a Web application at risk for attack or misuse.
Industry analysts estimate that the failure to identify and repair security vulnerabilities during the software development process can carry extra costs. Removing a defect after software is operational can cost between two and five times as much as correcting the error within the development and QA process. Moreover, by incorporating security testing by QA teams, the following opportunities to reduce the costs of vulnerability remediation exist:
* Correcting defects during coding and unit testing can reduce the cost impact by between 3% and 20%.
* If 50% of software vulnerabilities were removed prior to production use, enterprise management costs would be reduced by 75%.
Add increasing accountability for proof of regulatory compliance due to government and industry mandates, and the need for integrating methodical security assessment into the application quality or delivery process becomes clear.
Pinnell says it is imperative to move away from the old paradigm of empowering a security team to test applications and networks after development or immediately preceding deployment - security must be integrated throughout the software development lifecycle.
“This integration will only occur if developers, QA teams, and management are involved in security. Making such a fundamental shift will not happen overnight, but it is essential if we are to stem the tide of applications riddled with security vulnerabilities which offer multiple attack vectors and leave enterprises wide open to attack.”
Gallium
Gallium, a member of the EOH group of companies, supplies business technology optimisation solutions from HP software, specialised technology-based professional services, training, managed services, test factory solutions and ad hoc quality and performance testing services.
EOH
EOH is a business and technology solutions provider creating lifelong partnerships by developing business and IT strategies, supplying and implementing solutions and managing enterprise-wide business systems and processes for medium to large clients.
EOH operates in the following three clusters of business units as a fully integrated business:
Technology - Through a number of subsidiary companies, EOH is able to sell, implement and support a range of world-class business applications, including ERP, CRM, business intelligence, advanced planning and scheduling, e-commerce and manufacturing execution systems (MES).
Consulting - Concentrated under the EOH Consulting brand are business units offering services ranging from strategic and business process consulting, project services, change management, supply chain optimisation and education.
Outsourcing - EOH offers comprehensive maintenance and support of clients' IT infrastructure and applications through the rendering of full IT outsourcing, application hosting and managed services. In addition, EOH offers full business process outsourcing services.
EOH has a presence in all major centres in South Africa and operates in the rest of Africa.