This article outlines the various challenges in managing an application security program. It is intended to help project leads and project managers (PL/PM) identify the challenges that typically arise in such projects, so they can work upfront to mitigate them early in the project life cycle.
Challenges arise throughout the entire life cycle of an application security program, from getting the applications on time for assessment through to delivering the report detailing all the vulnerabilities found. The sections below describe each of these challenges.
Some of the challenges faced in an application security assessment program are:
- Getting application on time.
- Functionality issues in applications.
- Data availability in the applications.
- Application availability in the testing environment.
- Environmental issues.
- Availability of various tools for assessment.
Getting application on time
One of the major challenges in application security assessment is getting the application on time. This depends largely on the release of the application by the development team. Any delay in development will eventually delay the release, which in turn delays the application being available for security assessment. This has an impact on the overall plan of the project.
Functionality issues in applications
Once the application is released and ready for security assessment, we often face functionality issues in the application. This mainly affects the scope of the assessment, as well as its coverage. Broken or missing functionality means that part of the application will not be covered during the security assessment, unless the development team can do a quick fix and get the functionality ready.
Data availability in the applications
Data not being available in the application also affects the coverage of the assessment. Since the data is not available, the pentest team cannot assess that module or screen. This can usually be addressed easily (and quickly) by the development team. The risk is further reduced during the pre-assessment stage, where checks are done in the application to ensure that all modules have data available.
Application availability in the testing environment
This has a major impact on the ongoing assessment of any application. At times we have seen that the application is not available in the testing environment for various reasons, which affects the progress of the assessment. If there is a time-zone difference between the development team and the security assessment (pentest) team, the entire time spent waiting for the development team to come online and resolve the issue is completely wasted. In these cases the duration of the assessment has to be extended to ensure complete coverage of the application.
Environmental issues
Environmental issues relate to the environment or servers from which the assessment is conducted. Many times application assessments are performed from the client's environment or servers, since the applications are internal to the organization. Accessibility to the client's servers and environments depends on many factors, such as the speed of the internet connection. Once logged in to the environment, the speed and ease of accessing the application, as well as the application's own speed, can also become a bottleneck at times, which in turn affects the assessment.
Availability of various tools for assessment
In client-led environments, the availability of the various tools required for the security assessment of an application becomes a challenge. In a secure client environment where internet access is not available, it becomes very difficult to install tools and activate their licenses so they can be used for the assessment. In this case, the pentest team depends entirely on the client team to make sure that the tools are available in the environment before the start of the assessment.
Authored by Saubhagya Sahu