There was a time when developers were concerned only with writing the logic for a set of requirements, getting that functionality reviewed by the assurance team, working on their feedback and finally releasing the whole application to production. But now the time has come to get more serious about building security measures into the overall development process. Isn’t it obvious? According to various studies, the best way of attacking a company's assets is through its web applications.
With more digitization in the offing, development time is going to come down considerably. Hence, there needs to be awareness of common design and development flaws which, when taken care of in the initial phase itself, eliminate a major chunk of the vulnerabilities in the application.
Below are a few things to keep in mind:
1. Plan your user inputs:
The more user inputs you have, the more you will have to secure. Understand the requirement completely and provide only those inputs which are genuinely required. Avoid collecting unnecessary data, because all of that user-supplied content can also be used by a smart hacker to try to exploit the underlying web application.
2. At least get to know the top 3 OWASP vulnerabilities:
OWASP produces its vulnerability ranking after considerable effort and research. Developers need to understand at least the top 3 OWASP vulnerabilities and keep the exploitation scenarios in mind while coding a particular module or functionality. This simple approach has managed to bring down critical vulnerabilities in many cases.
3. List out language-specific security controls:
Some research is required by the development team to understand the security frameworks or controls already available for dealing with issues like SQL injection and cross-site scripting. For example, if the development environment is Microsoft .NET, then the team should research and jot down all the pros and cons of the security controls it already offers and make sure to implement them for maximum benefit.
4. Don’t spend time on your own security controls:
Writing your own security controls from scratch strains the development team and should be avoided, as it demands extensive knowledge and experience on the application security front. If the situation demands it, it should be approached in consultation with a dedicated team of security consultants.
5. Be consistent:
What is mostly observed is that at the beginning of a product/application lifecycle, all security policies, checklists, coding practices and security checks are religiously followed; however, with the passage of time all of these processes get buried. This runs contrary to the fact that your product and related assets become more accessible and more valuable with subsequent releases, and hence demand greater security preparedness. Any slackness in following security standards and procedures later makes the overall application vulnerable. You need to be consistent throughout the SDLC for every release.
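To make points 3 and 4 concrete, the following added example (not part of the original article) compares a string-built query and a home-grown quote-stripping filter with the controls a platform already ships. It assumes Python's standard `sqlite3` and `html` modules as stand-ins for the framework's built-in controls; the table, function names and sample rows are constructed for illustration.

```python
import html
import sqlite3


def make_db():
    """Build an in-memory database with constructed sample rows."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (name TEXT, email TEXT)")
    db.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "alice@example.test"), ("O'Brien", "ob@example.test")],
    )
    return db


def find_user_concat(db, name):
    # Weak: the user-supplied value becomes part of the SQL text itself.
    sql = "SELECT email FROM users WHERE name = '" + name + "'"
    return db.execute(sql).fetchall()


def homemade_filter(value):
    # Home-grown control (point 4): stripping quotes also damages valid data.
    return value.replace("'", "")


def find_user_param(db, name):
    # Built-in control (point 3): the driver binds the value as data only.
    return db.execute(
        "SELECT email FROM users WHERE name = ?", (name,)
    ).fetchall()


def render_greeting(name):
    # Built-in output encoding for HTML instead of a hand-written escaper.
    return "<p>Hello, " + html.escape(name) + "</p>"


if __name__ == "__main__":
    db = make_db()
    crafted = "x' OR '1'='1"  # constructed input that alters the query logic
    print("concatenated :", find_user_concat(db, crafted))
    print("parameterised:", find_user_param(db, crafted))
    print("filtered name:", find_user_concat(db, homemade_filter("O'Brien")))
    print("bound name   :", find_user_param(db, "O'Brien"))
    print(render_greeting("<script>alert(1)</script>"))
```

The home-grown filter fails the legitimate lookup for `O'Brien`, while the bound parameter handles both the crafted input and the real name correctly.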
Finally, to be secure, you've got to be very smart. An attacker only has to find a single entry point where you don't have a security control in place, and that is the one place where you'll be attacked. Preventing that from happening means applying security throughout the development of your software, and that requires securing the software development lifecycle, or SDLC.
The above steps are just a few guidelines recommended for the development team that will expedite the security assessment process at later stages of the SDLC.
Authored by Satyajit Behera