Main | We don't need to be compliant! »

February 27, 2008

Web Application Russian Roulette

While at a client site recently, I was asked how to make a web application secure. When I asked what steps they were currently taking, the developer just shrugged his shoulder and said, "We really don't do anything." So I asked him if he liked to play Russian roulette... with a fully loaded gun. He grimaced. I told him that was his exposure if he didn't do anything. Needless to say he was all ears when I told him what he must do to build a secure web app.

During the planning and development phases, you should at the very least address these topics:

  • Identify regulatory and compliance assumptions and risks and develop alternatives.
  • Consider your data classification and the sensitivity of the data being collected, stored and transmitted. More sensitive? Then take proper steps to protect it.
  • Prepare a System Boundary Document. This will help identify where you need extra security controls. It can also serve as an input to your Threat Modeling document.
  • Prepare Misuse Cases. Opposite of use cases, this should identify how a system behaves when you are attacked, when the system doesn’t work as planned.
  • Develop strategies to address data backup, data transmission, data storage, authentication, session management, and error handling.
  • Identify trust boundaries, trust levels, entitlements, and encryption requirements.
  • Become a student of the OWASP guidelines. OWASP is an open community that seeks to improve the security of application software.

Also, make sure you don’t forget the importance of testing and implementation by following these steps:

  • Review infrastructure security best practices before you perform a penetration test. You’ll feel silly if the “red team” breaches your application in minutes because of simple oversight!
  • Perform a secure code review and then test for vulnerabilities with a scanner like Acunetix WVS.
  • Test your password strength. This is the front door to your application and you need to make sure it is secure.
  • Finally, ensure that infrastructure security best practices are properly deployed in your production environment. Enforce least privilege, favor simplicity over complexity, deny by default, and isolate sensitive systems from untrusted networks.

Of course this is just a cursory overview of what you should be doing. With the proliferation of automated attacks that target applications running on or exposed to the Internet, it is imperative that you build security into your web application design at the beginning, not the end. Otherwise you'll be playing application "Russian Roulette."

Matthew Hexter, PMP

Posted at 04:23 PM in Manage |

TrackBack

TrackBack URL for this entry:
http://www.typepad.com/services/trackback/6a00e55007e6bd883400e5507b17098834

Listed below are links to weblogs that reference Web Application Russian Roulette:

Comments

Feed You can follow this conversation by subscribing to the comment feed for this post.

Verify your Comment

Previewing your Comment

Posted by:  | 

This is only a preview. Your comment has not yet been posted.

Working...
Your comment could not be posted. Error type:
Your comment has been saved. Comments are moderated and will not appear until approved by the author. Post another comment

The letters and numbers you entered did not match the image. Please try again.

As a final step before posting your comment, enter the letters and numbers you see in the image below. This prevents automated programs from posting comments.

Having trouble reading this image? View an alternate.

Working...

Post a comment

Comments are moderated, and will not appear until the author has approved them.