There’s just no time!
It is no secret that in recent years, web applications have been a huge target for attack, and one of the most likely ways for an organization to be breached. In spite of this, most organizations still have difficulty developing and deploying secure applications. Why? What can you do to avoid being the next victim of a web application breach?
In most cases, it boils down to time restrictions. After all we never seem to have enough time to get our tasks done. Organizations have deployment deadlines to adhere to, which creates deadlines for quality assurance to make sure the application is useable, which creates deadlines for the developers to get everything working. So, where does security fit in, or is there even time for it? The answer to this question requires a different approach to development.
Addressing the Issue – Including Security in Development
In many cases, security is an afterthought, something that is sort of bolted (or taped) on to the finished product after you “get it working.” That is the underlying problem: security needs to be included in the entire process from conception through development and continuing through maintenance. You wouldn’t strap a balloon to the steering wheel of a complete car and expect it to function perfectly as an airbag, would you? No, you would take a small amount of time up front to determine how to build a proper airbag, and then apply that process to every car you make. In the end, the process of building a car would include a few extra minutes to install the airbag assembly.
Integrating security into the life-cycle of an application works the same way.
Of course, implementing a process such as this is never that simple. There are sub components that each have to work together. For example, the developers need to know how to implement secure coding practices, use available development tools and utilities to help enforce and reward writing secure code.
It is also important to understand the appropriate timing by which each component of the program needs to be implemented. You wouldn’t want to do a code review of the application after it has been deployed, but you would use automated scanners at that stage. Similarly, manual testing makes sense as the application is nearing the end of the quality assurance phase and is approaching completeness.
If your organization is not doing these things and is not following a similar plan, you need to stop and reevaluate your application development process. Your business and customers are depending on you to offer secure applications, especially for those applications that access sensitive or otherwise regulated information.
Take a moment to think about the benefits of implementing a secure software development life-cycle and how it could improve the security posture of your entire organization. That’s something that everyone has time for.
Related: What Manufacturers Should Do to Build Secure Devices