Application Security starts from the development stage

IT is an interesting world. networks are both the key driving force of business operations and the main attack targets of attackers. As attackers do evil everywhere, enterprises begin to take application security more seriously. According to a recent survey conducted by the OWASP project team, 1/4 of respondents plan to increase their spending on network application security.

This is a good sign, because there are indeed many network application vulnerabilities, but this situation also raises a question about how enterprises should build security in the application development stage. Although it sounds good to start building security at the development stage, the implementation is complicated and requires good planning.

According to Mike Gualtieri, analyst at the Forrester Institute, many application development teams are aware of security issues and have considered issues such as user verification, authorization, and key data encryption. However, these are all difficulties for them.

Deborah Snyder, Chief Information Security Officer of a Legal Office in New York, has experienced security problems due to misunderstandings.

"When I talked about the concept of secure development lifecycle for the first time, everyone thought that security was just a problem with access control," she said. "security is just something that is added after program development, or in the second half of development, it is used to control the access to the program or data."

In the early days, few people knew how to establish security in the software development cycle (SDLC), but later they began to understand that secure SDLC should be properly planned. "Security should be established in the early stages, because this can avoid more program vulnerabilities ."

Snyder said that during the planning phase, the project team began to understand the significance of the systems or applications they built based on the importance and involved data types or the transaction types to be supported. Subsequently, improvements will be made and appropriate information security access levels will be provided based on the risk level.

Identify threats

The key part of SDLC is the synchronous Threat modeling. In the article "using Threat modeling to develop safer Applications", Gualtieri wrote that the first step in the threat modeling process is to export the data flow diagram (DFD) of the application architecture ). This figure should be able to describe the data flowing between the architecture components and components of the entire application, and describe the firewall or the defense against external system access.

Good Threat modeling can be performed only when you draw a graph that can fully present the architecture. For example, if your application stores credit card data, if you do not draw a data storage shape for a credit card, you cannot correctly analyze threats for this component.

The most widely used threat modeling solutions include Microsoft's SDL Threat modeling attacks, which are not very mature in the market, but Threat modeling is indeed very important.

These attacks have certain limitations, including the fact that they use predefined conditions and cannot adapt to specific application-specific threats, and cannot associate threats with financial losses.

"The potential risk of Threat modeling lies in using it as a one-time task and taking it as a benchmark, rather than incorporating it into SDLC as an important component of Risk Management attacks ."

Even so, Threat modeling is necessary. At Sony film and entertainment, Threat modeling mainly involves brainstorming and whiteboarding based on known vulnerabilities, and best solutions for poor operations. This can greatly avoid vulnerabilities. "Although we are not doing well enough, we began to gradually eliminate different types of vulnerabilities. Many web application vulnerabilities are based on input, so they often lack basic verification, this is why we require developers to verify everything that comes into the application architecture."

The biggest reason for the existence of so many vulnerabilities may be that there are too many codes.

"Think about how many SELECT statements in an application need to access the database to obtain data," Gartner analyst Joseph Feiman said. "Each SELECT statement may be a potential object of SQL injection attacks. The SELECT statement will not decrease, and the number of databases to be processed will not decrease. Therefore, you cannot reduce the access to the database, which is also a potential target of SQL injection attacks ."

Ideally, application security needs to do so, instead of exposing 95% of vulnerabilities to Security Auditors and testers, they are avoided during the development phase.

1. Basic decryption of Web Application Security Issues
2. Five common security defects of ASP. NET Applications
3. Four rules for ensuring the security of PHP applications
4. Understand the security challenges of Web Applications