Web application architecture and design
Once the architecture and design of a Web application have been defined, the next step is to evaluate their security. This is the stage at which security problems that would otherwise be costly and hard to solve are easiest to fix. To prevent costly errors, the architecture of the program should be evaluated in terms of both performance and security. A detailed design specification can then be compiled to show developers which security controls should be included and how the application components interact within the complete Web application.
Steps to integrate security into the architecture and design phase
1. Perform a risk assessment of the recommended architecture and deployment environment to determine whether the design introduces risks.
2. Evaluate the security implications and risks of the application's interaction with the original system, as well as the security of data flows between different components, layers, or systems.
3. Note any specific exposure issues that need to be addressed during the implementation or deployment phase (that is, vulnerabilities that depend on how and where the application is deployed).
4. Consider the dependencies and the vulnerabilities caused by interaction with mashups, SOA, and partner services. Deliver the final design to the security and audit teams so that they can determine the security test plan and misuse cases.
This brings five benefits:
1. The risk assessment and analysis process and the reusable risk assessment model can be carefully coordinated.
2. Risks arising from the architecture or deployment environment can be identified at an early stage.
3. Reusable misuse cases can save time in the test phase.
4. Specific design vulnerabilities are reduced.
5. If necessary, architectural constraints that introduce risks can be adjusted or changed. If risks cannot be eliminated completely, compensating controls can be used to define risk mitigation policies.
Web application code execution and compilation
When developers start coding, they must have a complete, risk-assessed design and clear guidelines for security controls, or use those security controls through recognized services. Automated static code analysis tools integrated into the IDE can check code and guide developers as they write it. Automated tools can also be used during compilation to check the code for violations against policy templates and to examine code-level security issues in depth.
Steps to integrate security into code execution and compilation
1. Install a static source code checking tool that integrates with the integrated development environment.
2. Optionally, developers can use standalone tools to perform automated code checks before delivering code.
3. The security and review teams spot-check code modules for compliance with requirements, and use automated or manual code reviews before compilation to check for security risks.
4. During compilation, perform automated static code scanning to find security issues and check policy compliance.
5. Use tools to track developers' coding errors and provide explanatory feedback on the security risks.
This will bring the following benefits:
1. Cleaner, less vulnerable code is submitted to quality reviewers.
2. Developers can improve their secure coding skills over time.
3. Reusable policies can improve the correctness of risk analysis.
4. Fewer coding errors or vulnerabilities are found during testing, and the development cycle is shorter.
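
Steps 4 and 5 above (a build-time scan against a policy template, with explanatory feedback for the developer) can be pictured with the following added example, which is not from the original article or from any particular product. The policy entries, function names, and sample modules are assumptions constructed for illustration.

```python
import ast

# Hypothetical policy template: banned call -> explanation shown to the developer.
POLICY = {
    "eval": "evaluates a string as code; parse the input instead (e.g. ast.literal_eval)",
    "exec": "executes a string as code; remove dynamic code execution",
    "os.system": "runs a shell command line; use subprocess.run with an argument list",
    "pickle.loads": "deserializes arbitrary objects; use a data-only format such as JSON",
}

def dotted_name(node):
    """Return 'a.b.c' for Name/Attribute chains, or None for anything else."""
    parts = []
    while isinstance(node, ast.Attribute):
        parts.append(node.attr)
        node = node.value
    if isinstance(node, ast.Name):
        parts.append(node.id)
        return ".".join(reversed(parts))
    return None

def scan(source, filename="<module>", policy=POLICY):
    """Return a sorted list of (filename, line, rule, explanation) findings."""
    try:
        tree = ast.parse(source, filename=filename)
    except SyntaxError as exc:
        # An unparseable file is reported, never silently passed.
        return [(filename, exc.lineno or 0, "syntax-error", "file could not be parsed, so it was not checked")]
    findings = []
    for node in ast.walk(tree):
        if isinstance(node, ast.Call):
            name = dotted_name(node.func)
            if name in policy:
                findings.append((filename, node.lineno, name, policy[name]))
    return sorted(findings)

def gate(sources, policy=POLICY):
    """Build gate: return (exit_code, report_lines); exit code 1 fails the build."""
    findings = [f for name, src in sorted(sources.items()) for f in scan(src, name, policy)]
    report = ["%s:%d: [%s] %s" % f for f in findings]
    return (1 if findings else 0), report

# Constructed sample modules standing in for a checked-in code base.
SAMPLE = {
    "report.py": "import os\n\ndef export(path):\n    os.system('tar czf out.tgz ' + path)\n",
    "config.py": "import json\n\ndef load(text):\n    return json.loads(text)\n",
    "calc.py": "def run(expr):\n    return eval(expr)\n",
}

if __name__ == "__main__":
    code, report = gate(SAMPLE)
    print("\n".join(report))
    raise SystemExit(code)
```

The check matches call names as written, so an aliased import (for example `from os import system`) is not caught; a production static analysis tool resolves imports and data flow, which this sketch does not.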