While at a client site recently, I was asked how to make a web application secure. When I asked what steps they were currently taking, the developer just shrugged his shoulders and said, "We really don't do anything." So I asked him if he liked to play Russian roulette... with a fully loaded gun. He grimaced. I told him that was his exposure if he didn't do anything. Needless to say, he was all ears when I told him what he must do to build a secure web app.
During the planning and development phases, you should at the very least address these topics:
- Identify the regulatory and compliance requirements that apply to the application, the assumptions you are making about them, and the risks those assumptions carry, and work out your options for meeting them.
- Classify your data and consider the sensitivity of what is collected, stored and transmitted. The more sensitive the data, the stronger the controls protecting it must be.
- Prepare a System Boundary Document. It defines what is inside the system and every interface that crosses its edge, which is where you will need extra security controls. It also serves as an input to your Threat Modeling document.
- Prepare Misuse Cases. These are the counterpart of use cases: each describes how an attacker might abuse the system and how the system should behave when it is attacked or used in ways you did not plan for.
- Develop strategies to address data backup, data transmission, data storage, authentication, session management, and error handling.
- Identify trust boundaries, trust levels, entitlements, and encryption requirements.
- Become a student of the OWASP guidelines. OWASP is an open community that seeks to improve the security of application software.
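Three of the strategies above (authentication, session management and error handling) are easy to state and easy to get wrong in code, so here is an added example, written for this page rather than taken from the original post, of what a concrete implementation of those strategies looks like. It is a minimal server-side session store: session IDs come from the OS random source, a fresh ID is issued on login so a pre-login ID an attacker planted cannot be promoted (session fixation), sessions die after an idle timeout and an absolute timeout, and a request handler returns only generic messages to the client while the detail goes to the server log. The class and function names, timeouts and the injectable clock are this example's own assumptions; the post names no library or API.

```python
"""Added example (not from the original post): a minimal session store
showing session rotation on login, random IDs, idle and absolute timeouts,
and error handling that keeps detail out of client responses.
SessionStore, handle_request and the timeout values are this example's
own assumptions, not anything the post prescribes."""
import logging
import secrets
import time
from dataclasses import dataclass, field

IDLE_TIMEOUT = 15 * 60        # seconds of inactivity before a session dies
ABSOLUTE_TIMEOUT = 8 * 3600   # hard cap regardless of activity

log = logging.getLogger("sessions")


@dataclass
class Session:
    user: str
    created: float
    last_seen: float
    # per-session anti-CSRF token, also from the CSPRNG
    csrf_token: str = field(default_factory=lambda: secrets.token_urlsafe(32))


class SessionStore:
    def __init__(self, clock=time.time):
        self._sessions = {}
        self._clock = clock   # injectable so expiry can be tested deterministically

    def _new_id(self):
        # 256 bits from the OS CSPRNG; never derive IDs from user data or time
        return secrets.token_urlsafe(32)

    def login(self, user, old_session_id=None):
        """Issue a fresh ID on authentication; any pre-login ID is discarded,
        so an attacker-planted ID (session fixation) is never promoted."""
        if old_session_id is not None:
            self._sessions.pop(old_session_id, None)
        sid = self._new_id()
        now = self._clock()
        self._sessions[sid] = Session(user=user, created=now, last_seen=now)
        return sid

    def lookup(self, session_id):
        """Return the Session for a valid ID, or None. Expired sessions are
        purged on the way out rather than left for a later sweep."""
        sess = self._sessions.get(session_id)
        if sess is None:
            return None
        now = self._clock()
        if (now - sess.last_seen > IDLE_TIMEOUT
                or now - sess.created > ABSOLUTE_TIMEOUT):
            del self._sessions[session_id]
            return None
        sess.last_seen = now
        return sess

    def logout(self, session_id):
        self._sessions.pop(session_id, None)

    def check_csrf(self, session_id, presented):
        sess = self.lookup(session_id)
        # constant-time compare so token checks do not leak by timing
        return sess is not None and secrets.compare_digest(sess.csrf_token, presented)


def handle_request(store, session_id, action):
    """Error-handling strategy: the client sees a status and a generic
    message; the exception and stack trace go to the server log only."""
    try:
        sess = store.lookup(session_id)
        if sess is None:
            return 401, "authentication required"
        return 200, action(sess)
    except Exception:
        log.exception("unhandled error for session %s",
                      session_id[:8] if session_id else "-")
        return 500, "internal error"


if __name__ == "__main__":
    store = SessionStore()
    sid = store.login("alice", old_session_id="attacker-chosen-id")
    print(handle_request(store, sid, lambda s: "hello " + s.user))
    print(handle_request(store, "bogus", lambda s: "never reached"))
```

In a real application the session ID would travel in a cookie marked `Secure`, `HttpOnly` and `SameSite`, and `store.logout` would be called on explicit logout and on password change; the point here is the shape of the strategy, not a drop-in framework.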
Also, make sure you don’t forget the importance of testing and implementation by following these steps:
- Review infrastructure security best practices before you perform a penetration test. You'll feel silly if the "red team" breaches your application in minutes because of a simple oversight!
- Perform a secure code review, then test the running application for vulnerabilities with a scanner like Acunetix WVS. The two are complementary: a scanner finds known vulnerability classes, while a review finds the logic and design flaws a scanner cannot.
- Test your password strength: the passwords your policy lets users choose, and how the login resists guessing. This is the front door to your application and you need to make sure it is secure.
- Finally, ensure that infrastructure security best practices are properly deployed in your production environment. Enforce least privilege, favor simplicity over complexity, deny by default, and isolate sensitive systems from untrusted networks.
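As an added example for the password-strength step (written for this page, not code from the original post), here is a password-acceptance check a developer could wire into the registration and password-change handlers and then exercise with a list of candidate passwords. It checks length, a blocklist of common or breached passwords (with trivial digit and punctuation suffixes stripped first, so "Password123!" is still caught), the username, site-specific words, and passwords built from one or two characters. The policy values and the ten-entry blocklist are this example's own assumptions; a real deployment would use a large breached-password corpus.

```python
"""Added example, not from the original post: a password-policy check for
registration and password-change handlers. MIN_LENGTH, MAX_LENGTH and the
tiny COMMON_PASSWORDS list are this example's own assumptions."""
import unicodedata

MIN_LENGTH = 12
MAX_LENGTH = 128  # allow long passphrases, but bound the hashing cost

# Constructed stand-in for a breached-password corpus; entries are lower-case.
COMMON_PASSWORDS = {
    "password", "123456", "qwerty", "letmein", "welcome", "admin",
    "password1", "iloveyou", "monkey", "dragon",
}


def _normalize(password):
    # NFKC so visually identical inputs compare equal; do the same before hashing
    return unicodedata.normalize("NFKC", password)


def _strip_trivial_suffix(pw):
    # "password123!" is still "password" for blocklist purposes
    return pw.rstrip("0123456789!@#$%^&*.?")


def password_problems(password, username="", context_words=()):
    """Return a list of policy failures; an empty list means acceptable."""
    pw = _normalize(password)
    low = pw.lower()
    problems = []
    if len(pw) < MIN_LENGTH:
        problems.append("shorter than %d characters" % MIN_LENGTH)
    if len(pw) > MAX_LENGTH:
        problems.append("longer than %d characters" % MAX_LENGTH)
    base = _strip_trivial_suffix(low)
    if low in COMMON_PASSWORDS or base in COMMON_PASSWORDS:
        problems.append("appears in the common/breached password list")
    if username and len(username) >= 3 and username.lower() in low:
        problems.append("contains the username")
    for word in context_words:
        if len(word) >= 3 and word.lower() in low:
            problems.append("contains a site/application word (%s)" % word)
    if pw and len(set(low)) <= 2:
        problems.append("uses too few distinct characters")
    return problems


def is_acceptable(password, username="", context_words=()):
    return not password_problems(password, username, context_words)


if __name__ == "__main__":
    # Constructed candidates a tester might feed the registration endpoint
    for cand in ["Password123!", "correct horse battery staple",
                 "aaaaaaaaaaaa", "alice-forever-2024"]:
        print(repr(cand), password_problems(cand, username="alice",
                                            context_words=["acme"]))
```

Note what this check deliberately does not do: it does not demand uppercase, digits and symbols, because composition rules push users toward predictable substitutions while a blocklist and a length floor block the passwords attackers actually try first. Testing the front door also means confirming that the login itself locks out or rate-limits repeated guesses; a strong policy does not help if the login endpoint allows unlimited attempts.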
Of course this is just a cursory overview of what you should be doing. With the proliferation of automated attacks that target applications running on or exposed to the Internet, it is imperative that you build security into your web application design at the beginning, not the end. Otherwise you'll be playing application "Russian Roulette."
Matthew Hexter, PMP