
Application security can't be an after-thought


Johannesburg, 11 Mar 2009

Haydn Pinnell, MD of Gallium (a division of EOH), says hackers have shifted their focus to Web applications as an entry point into corporate networks. This, along with the fact that the Web has evolved from being an online, accessible presence to now delivering mission-critical applications, means Web-application security is today a critical component of enterprise security.

Despite this, traditional development and quality assurance (QA) cycles for building Web applications do not build security into their existing processes. The resulting failure to test for and rectify vulnerabilities before an application goes into production leaves the confidential data handled by that application at risk of attack or misuse.

To break this cycle, businesses need to fundamentally change the way they approach application security. Gone are the days when anyone involved in application development can say: “Security is not my responsibility,” Pinnell says.

“Security is everyone's responsibility, as it has a severe impact on the business if not taken seriously. Security must be integrated throughout the software development life cycle, not hastily added at the end. This integration will only occur if we involve developers, QA teams and management in security.”

Industry analysts estimate that failing to identify and repair security vulnerabilities during the software development process carries significant extra cost. Removing a defect after software is operational can cost between two and five times as much as correcting the same error during development and QA. Moreover, incorporating security testing into the work of QA teams opens the following opportunities to reduce the cost of vulnerability remediation:

* Correcting defects during coding and unit testing can reduce the cost impact by between 3% and 20%.

* If 50% of software vulnerabilities were removed before production use, enterprise management costs would be reduced by 75%.

Add the growing accountability for demonstrating regulatory compliance under government and industry mandates, and the need to integrate methodical security assessment into the application quality and delivery process becomes clear, Pinnell says.

“It is imperative to move away from the old paradigm of empowering a security team to test applications and networks after development or immediately preceding deployment - security must be integrated throughout the software development life cycle. Making such a fundamental shift will not happen overnight, but it is essential if we are to stem the tide of applications riddled with security vulnerabilities that offer multiple attack vectors and leave businesses wide open to attack,” Pinnell concludes.


Gallium

Gallium, a member of the EOH group of companies, supplies business technology optimisation solutions from HP Software, specialised technology-based professional services, training, managed services, test factory solutions and ad hoc quality and performance testing services.

EOH

EOH is a business and technology solutions provider, creating lifelong partnerships by developing business and IT strategies, supplying and implementing solutions and managing enterprise-wide business systems and processes for medium to large clients.

EOH operates in the following three clusters of business units as a fully integrated business:

Technology - Through a number of subsidiary companies, EOH is able to sell, implement and support a range of world-class business applications, including ERP, CRM, business intelligence, advanced planning and scheduling, e-commerce and manufacturing execution systems (MES).

Consulting - Concentrated under the EOH Consulting brand are business units offering services ranging from strategic and business process consulting, project services, change management, supply chain optimisation and education.

Outsourcing - EOH offers comprehensive maintenance and support of clients' IT infrastructure and applications through full IT outsourcing, application hosting and managed services. In addition, EOH offers full business process outsourcing (BPO) services.

EOH has a presence in all major centres in South Africa and operates in the rest of Africa.